Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Board index Malware Removal ForumsInfected? Virus, malware, adware, ransomware, oh my!

HTTPS Tidserv request 2

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.
Topic locked

Re: HTTPS Tidserv request 2

Unread postby kemsing » May 6th, 2010, 9:39 am

Please see Post above with regards CD Emulators

I deleted TDSKiller.txt and on Start Run and pasted the Code. Pressed OK , that opened up a Black Screen but I don't think it did a scan and disinfection ? It Did say that any infections would be removed on re-boot, but have not Re-booted as it asked me the following.
It Did ask me to press any key. Having the did this the screen Closed.
There was a new TDSKILLER Log on my desktop.
Contents as Follows. I Will not go onto the next stage you have suggested mbr.exe-t until I receive your next instructions. Thanks for all your patience with this.
Here is the log from TDSKiller

14:30:59:328 0252 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
14:30:59:328 0252 ================================================================================
14:30:59:328 0252 SystemInfo:

14:30:59:328 0252 OS Version: 5.1.2600 ServicePack: 3.0
14:30:59:328 0252 Product type: Workstation
14:30:59:328 0252 ComputerName: SELECT-09
14:30:59:328 0252 UserName: Lee
14:30:59:328 0252 Windows directory: C:\WINDOWS
14:30:59:328 0252 Processor architecture: Intel x86
14:30:59:328 0252 Number of processors: 2
14:30:59:328 0252 Page size: 0x1000
14:30:59:328 0252 Boot type: Normal boot
14:30:59:328 0252 ================================================================================
14:30:59:343 0252 UnloadDriverW: NtUnloadDriver error 1
14:30:59:343 0252 ForceUnloadDriverW: UnloadDriverW(klmd21) error 1
14:30:59:437 0252 LoadDriverW: Driver already loaded
14:30:59:437 0252 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
14:30:59:437 0252 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:30:59:437 0252 wfopen_ex: Trying to KLMD file open
14:30:59:437 0252 wfopen_ex: File opened ok (Flags 2)
14:30:59:437 0252 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
14:30:59:437 0252 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
14:30:59:437 0252 wfopen_ex: Trying to KLMD file open
14:30:59:437 0252 wfopen_ex: File opened ok (Flags 2)
14:30:59:437 0252 Initialize success
14:30:59:437 0252
14:30:59:437 0252 Scanning Services ...
14:30:59:765 0252 Raw services enum returned 352 services
14:30:59:781 0252
14:30:59:781 0252 Scanning Kernel memory ...
14:30:59:781 0252 Devices to scan: 2
14:30:59:781 0252
14:30:59:781 0252 Driver Name: Disk
14:30:59:781 0252 IRP_MJ_CREATE : F75DABB0
14:30:59:781 0252 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
14:30:59:781 0252 IRP_MJ_CLOSE : F75DABB0
14:30:59:781 0252 IRP_MJ_READ : F75D4D1F
14:30:59:781 0252 IRP_MJ_WRITE : F75D4D1F
14:30:59:781 0252 IRP_MJ_QUERY_INFORMATION : 804F4562
14:30:59:781 0252 IRP_MJ_SET_INFORMATION : 804F4562
14:30:59:781 0252 IRP_MJ_QUERY_EA : 804F4562
14:30:59:781 0252 IRP_MJ_SET_EA : 804F4562
14:30:59:781 0252 IRP_MJ_FLUSH_BUFFERS : F75D52E2
14:30:59:781 0252 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
14:30:59:781 0252 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
14:30:59:781 0252 IRP_MJ_DIRECTORY_CONTROL : 804F4562
14:30:59:781 0252 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
14:30:59:781 0252 IRP_MJ_DEVICE_CONTROL : F75D53BB
14:30:59:781 0252 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75D8F28
14:30:59:781 0252 IRP_MJ_SHUTDOWN : F75D52E2
14:30:59:781 0252 IRP_MJ_LOCK_CONTROL : 804F4562
14:30:59:781 0252 IRP_MJ_CLEANUP : 804F4562
14:30:59:781 0252 IRP_MJ_CREATE_MAILSLOT : 804F4562
14:30:59:781 0252 IRP_MJ_QUERY_SECURITY : 804F4562
14:30:59:781 0252 IRP_MJ_SET_SECURITY : 804F4562
14:30:59:781 0252 IRP_MJ_POWER : F75D6C82
14:30:59:781 0252 IRP_MJ_SYSTEM_CONTROL : F75DB99E
14:30:59:781 0252 IRP_MJ_DEVICE_CHANGE : 804F4562
14:30:59:781 0252 IRP_MJ_QUERY_QUOTA : 804F4562
14:30:59:781 0252 IRP_MJ_SET_QUOTA : 804F4562
14:30:59:796 0252 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
14:30:59:796 0252
14:30:59:796 0252 Driver Name: atapi
14:30:59:796 0252 IRP_MJ_CREATE : 868D2EE4
14:30:59:796 0252 IRP_MJ_CREATE_NAMED_PIPE : 868D2EE4
14:30:59:796 0252 IRP_MJ_CLOSE : 868D2EE4
14:30:59:796 0252 IRP_MJ_READ : 868D2EE4
14:30:59:796 0252 IRP_MJ_WRITE : 868D2EE4
14:30:59:796 0252 IRP_MJ_QUERY_INFORMATION : 868D2EE4
14:30:59:796 0252 IRP_MJ_SET_INFORMATION : 868D2EE4
14:30:59:796 0252 IRP_MJ_QUERY_EA : 868D2EE4
14:30:59:796 0252 IRP_MJ_SET_EA : 868D2EE4
14:30:59:796 0252 IRP_MJ_FLUSH_BUFFERS : 868D2EE4
14:30:59:796 0252 IRP_MJ_QUERY_VOLUME_INFORMATION : 868D2EE4
14:30:59:796 0252 IRP_MJ_SET_VOLUME_INFORMATION : 868D2EE4
14:30:59:796 0252 IRP_MJ_DIRECTORY_CONTROL : 868D2EE4
14:30:59:796 0252 IRP_MJ_FILE_SYSTEM_CONTROL : 868D2EE4
14:30:59:812 0252 IRP_MJ_DEVICE_CONTROL : 868D2EE4
14:30:59:812 0252 IRP_MJ_INTERNAL_DEVICE_CONTROL : 868D2EE4
14:30:59:812 0252 IRP_MJ_SHUTDOWN : 868D2EE4
14:30:59:812 0252 IRP_MJ_LOCK_CONTROL : 868D2EE4
14:30:59:812 0252 IRP_MJ_CLEANUP : 868D2EE4
14:30:59:812 0252 IRP_MJ_CREATE_MAILSLOT : 868D2EE4
14:30:59:812 0252 IRP_MJ_QUERY_SECURITY : 868D2EE4
14:30:59:812 0252 IRP_MJ_SET_SECURITY : 868D2EE4
14:30:59:812 0252 IRP_MJ_POWER : 868D2EE4
14:30:59:812 0252 IRP_MJ_SYSTEM_CONTROL : 868D2EE4
14:30:59:812 0252 IRP_MJ_DEVICE_CHANGE : 868D2EE4
14:30:59:812 0252 IRP_MJ_QUERY_QUOTA : 868D2EE4
14:30:59:812 0252 IRP_MJ_SET_QUOTA : 868D2EE4
14:30:59:812 0252 Driver "atapi" infected by TDSS rootkit!
14:30:59:812 0252 C:\WINDOWS\system32\drivers\tsk5.tmp - Verdict: 3
14:30:59:812 0252
14:30:59:812 0252 Completed
14:30:59:812 0252
14:30:59:812 0252 Results:
14:30:59:812 0252 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
14:30:59:812 0252 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
14:30:59:812 0252 File objects infected / cured / cured on reboot: 0 / 0 / 0
14:30:59:812 0252
14:30:59:812 0252 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
14:30:59:812 0252 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
14:30:59:812 0252 UnloadDriverW: NtUnloadDriver error 1
14:30:59:859 0252 KLMD(ARK) unloaded successfully
kemsing
Regular Member
 
Posts: 56
Joined: April 30th, 2010, 12:28 pm
Top
Advertisement
Register to Remove

Re: HTTPS Tidserv request 2

Unread postby askey127 » May 6th, 2010, 10:41 am

You do have a CD emulator (Pinnacle).
Please go ahead with the rest of the sequence.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Top

Re: HTTPS Tidserv request 2

Unread postby kemsing » May 6th, 2010, 12:05 pm

I Went and loaded mbr.exe It opened up a box extremely Quickly and closed just as Quickly
I went to Start Run and typed in C:\Documents and Settings\Lee\mber.log
and this is the result.


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x868D2EE4]<<
kernel: MBR read successfully
user & kernel MBR OK
kemsing
Regular Member
 
Posts: 56
Joined: April 30th, 2010, 12:28 pm
Top

Re: HTTPS Tidserv request 2

Unread postby askey127 » May 6th, 2010, 2:20 pm

kemsing,
---------------------------------------------
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code: Select all
    :filefind
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
-----------------------------------------------------------
Gmer

Download GMER Rootkit Scanner from here.

  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
    See image below
    Image
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file
  • Save it where you can easily find it, such as your desktop, and post it in your next reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

Note: Do not run any programs while Gmer is running.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Top

Re: HTTPS Tidserv request 2

Unread postby kemsing » May 7th, 2010, 3:43 am

Here is the log from System look:
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 08:38 on 07/05/2010 by Lee (Administrator - Elevation successful)

========== filefind ==========

Searching for "eventlog.dll"
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [11:01 31/05/2008] [12:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ERDNT\cache\eventlog.dll --a--- 56320 bytes [13:11 05/05/2010] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll ------ 56320 bytes [10:54 31/05/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll --a--- 56320 bytes [17:07 20/08/2004] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656

Searching for "scecli.dll"
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [11:01 31/05/2008] [12:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ERDNT\cache\scecli.dll --a--- 181248 bytes [13:11 05/05/2010] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\ServicePackFiles\i386\scecli.dll ------ 181248 bytes [10:55 31/05/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 181248 bytes [17:08 20/08/2004] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084

Searching for "netlogon.dll"
C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll -----c 407040 bytes [11:01 31/05/2008] [12:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\ERDNT\cache\netlogon.dll --a--- 407040 bytes [13:11 05/05/2010] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\ServicePackFiles\i386\netlogon.dll ------ 407040 bytes [10:55 31/05/2008] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\netlogon.dll --a--- 407040 bytes [17:08 20/08/2004] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550

Searching for "cngaudit.dll"
No files found.

Searching for "sceclt.dll"
No files found.

Searching for "ntelogon.dll"
No files found.

Searching for "logevent.dll"
No files found.

Searching for "iaStor.sys"
C:\OEMDRV\41\iaStor.sys --a--- 247808 bytes [02:52 25/08/2006] [09:30 11/05/2006] 294110966CEDD127629C5BE48367C8CF
C:\WINDOWS\system32\drivers\iaStor.sys --a--- 247808 bytes [02:52 25/08/2006] [09:30 11/05/2006] 294110966CEDD127629C5BE48367C8CF

Searching for "nvstor.sys"
No files found.

Searching for "atapi.sys"
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [11:01 31/05/2008] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [13:11 05/05/2010] [15:10 04/05/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [10:54 31/05/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [22:59 03/08/2004] [07:19 07/05/2010] 9F3A2F5AA6875C72BF062C712CFA2674

Searching for "IdeChnDr.sys"
No files found.

Searching for "viasraid.sys"
No files found.

Searching for "AGP440.sys"
C:\WINDOWS\$NtServicePackUninstall$\agp440.sys -----c 42368 bytes [11:02 31/05/2008] [22:07 03/08/2004] 2C428FA0C3E3A01ED93C9B2A27D8D4BB
C:\WINDOWS\ERDNT\cache\agp440.sys --a--- 42368 bytes [13:11 05/05/2010] [18:36 13/04/2008] 08FD04AA961BDC77FB983F328334E3D7
C:\WINDOWS\ServicePackFiles\i386\agp440.sys ------ 42368 bytes [10:54 31/05/2008] [18:36 13/04/2008] 08FD04AA961BDC77FB983F328334E3D7
C:\WINDOWS\system32\drivers\agp440.sys --a--- 42368 bytes [19:25 20/08/2004] [18:36 13/04/2008] 08FD04AA961BDC77FB983F328334E3D7

Searching for "vaxscsi.sys"
No files found.

Searching for "nvatabus.sys"
No files found.

Searching for "viamraid.sys"
No files found.

Searching for "nvata.sys"
No files found.

Searching for "nvgts.sys"
No files found.

Searching for "iastorv.sys"
No files found.

Searching for "ViPrt.sys"
No files found.

-=End Of File=-
kemsing
Regular Member
 
Posts: 56
Joined: April 30th, 2010, 12:28 pm
Top

Re: HTTPS Tidserv request 2

Unread postby kemsing » May 7th, 2010, 4:34 am

Please See Post above for System look log.

I have downloaded GMER Rootkit Scanner, as you haven't said save to Desktop, I,ve Downloaded and then Run, The IAT /EAT Box was checked so unchecked it, Only the C:\ box was showing so left that checked. There was no box marked D:\
Show all was not checked. I then minimised the box to look at your notes, but could not then maximise the Screens.
I Am now typing on my other Computer as The Infected Computer seems to have locked up.
I Can't open Internet Explorer or Mozilla Firefox.
I Have tried Control and Alt and Delete but this hasn't helped either. I Can't use the Start to shutdown normally. I Have re-booted using the shutdown on the computer. It is Very slow at Re-starting but at least it hasn't locked up. I have been able to open up Internet Explorer.
I Will not try Gmer Rootscan again until you have given me further instructions to try again or to do somethinng else.
kemsing
Regular Member
 
Posts: 56
Joined: April 30th, 2010, 12:28 pm
Top

Re: HTTPS Tidserv request 2

Unread postby askey127 » May 7th, 2010, 7:35 am

kemsing,
This is the newest, most difficult variant of the Tidserv infection.
---------------------------------------------
Please download OTL.exe by OldTimer and save it to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed to let it run uninterrupted.
  • Under Output, ensure that Minimal Output is selected
  • Copy the text in the code box below and paste it into the Custom Scans/Fixes box (under the cyan line at the bottom of the window)
    Code: Select all
    netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
  • Click Run Scan in upper left of window.
  • When the scan is finished, two logs will open:
    OTL.Txt <-- Will be opened
    Extras.Txt <-- Will be minimized
  • Please post the contents of these two logs in your next reply.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Top

Re: HTTPS Tidserv request 2

Unread postby kemsing » May 7th, 2010, 10:19 am

Here is OTL LOG FILE : And the Extras posted at the end
OTL logfile created on: 07/05/2010 14:14:16 - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Lee\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

991.00 Mb Total Physical Memory | 484.00 Mb Available Physical Memory | 49.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 2.39 Gb Free Space | 3.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive Z: | 232.88 Gb Total Space | 213.88 Gb Free Space | 91.84% Space Free | Partition Type: NTFS

Computer Name: SELECT-09
Current User Name: Lee
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Lee\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
PRC - C:\Program Files\Norton 360\Norton 360\Engine\4.1.0.32\ccSvcHst.exe (Symantec Corporation)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE (Microsoft Corporation)
PRC - C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\sistray.exe (Silicon Integrated Systems Corporation)
PRC - C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
PRC - C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe (Pinnacle Systems GmbH.)
PRC - C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
PRC - C:\WINDOWS\system32\hpzipm12.exe (HP)
PRC - C:\Program Files\Microsoft ActiveSync\wcescomm.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe ()


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Lee\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\Program Files\Real\RealPlayer\rpchromebrowserrecordhelper.dll ()
MOD - C:\WINDOWS\system32\msvcr71.dll (Microsoft Corporation)
MOD - C:\Program Files\Norton 360\Norton 360\Engine\4.1.0.32\asOEHook.dll (Symantec Corporation)
MOD - C:\Program Files\Norton 360\Norton 360\Engine\4.1.0.32\Microsoft.VC90.CRT\msvcr90.dll (Microsoft Corporation)
MOD - C:\Program Files\Norton 360\Norton 360\Engine\4.1.0.32\Microsoft.VC90.CRT\msvcp90.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (N360) -- C:\Program Files\Norton 360\Norton 360\Engine\4.1.0.32\ccSvcHst.exe (Symantec Corporation)
SRV - (GoToAssist) -- C:\Program Files\Citrix\GoToAssist\508\g2aservice.exe (Citrix Online, a division of Citrix Systems, Inc.)
SRV - (CCALib8) -- C:\Program Files\Canon\CAL\CALMAIN.exe (Canon Inc.)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\hpzipm12.exe (HP)
SRV - (EpsonBidirectionalService) -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe ()


========== Driver Services (SafeList) ==========

DRV - (BHDrvx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\BASHDefs\20100429.001\BHDrvx86.sys (Symantec Corporation)
DRV - (SymEvent) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS (Symantec Corporation)
DRV - (NAVEX15) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\VirusDefs\20100506.025\NAVEX15.SYS (Symantec Corporation)
DRV - (eeCtrl) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation)
DRV - (EraserUtilRebootDrv) -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation)
DRV - (NAVENG) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\VirusDefs\20100506.025\NAVENG.SYS (Symantec Corporation)
DRV - (SymIRON) -- C:\WINDOWS\system32\drivers\N360\0401000.020\Ironx86.SYS (Symantec Corporation)
DRV - (SRTSP) -- C:\WINDOWS\system32\drivers\N360\0401000.020\SRTSP.SYS (Symantec Corporation)
DRV - (SRTSPX) Symantec Real Time Storage Protection (PEL) -- C:\WINDOWS\system32\drivers\N360\0401000.020\SRTSPX.SYS (Symantec Corporation)
DRV - (ccHP) -- C:\WINDOWS\system32\drivers\N360\0401000.020\ccHPx86.sys (Symantec Corporation)
DRV - (SYMTDI) -- C:\WINDOWS\system32\drivers\N360\0401000.020\SYMTDI.SYS (Symantec Corporation)
DRV - (SymEFA) -- C:\WINDOWS\system32\drivers\N360\0401000.020\SYMEFA.SYS (Symantec Corporation)
DRV - (SymDS) -- C:\WINDOWS\system32\drivers\N360\0401000.020\SYMDS.SYS (Symantec Corporation)
DRV - (IDSxpx86) -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\Definitions\IPSDefs\20100429.001\IDSXpx86.sys (Symantec Corporation)
DRV - (61883) -- C:\WINDOWS\system32\drivers\61883.sys (Microsoft Corporation)
DRV - (Avc) -- C:\WINDOWS\system32\drivers\avc.sys (Microsoft Corporation)
DRV - (MSDV) -- C:\WINDOWS\system32\drivers\msdv.sys (Microsoft Corporation)
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (amdagp) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (iaStor) -- C:\WINDOWS\system32\DRIVERS\iaStor.sys (Intel Corporation)
DRV - (SiSkp) -- C:\WINDOWS\system32\drivers\srvkp.sys (Silicon Integrated Systems Corporation)
DRV - (SiS315) -- C:\WINDOWS\system32\drivers\sisgrp.sys (Silicon Integrated Systems Corporation)
DRV - (Aspi32) -- C:\WINDOWS\system32\drivers\aspi32.sys (Adaptec)
DRV - (ALCXWDM) Service for Realtek AC97 Audio (WDM) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Realtek Semiconductor Corp.)
DRV - (MarvinBus) -- C:\WINDOWS\system32\drivers\MarvinBus.sys (Pinnacle Systems GmbH)
DRV - (cdrdrv) -- C:\WINDOWS\system32\drivers\Cdrdrv.sys (Pinnacle Systems GmbH)
DRV - (PCLEPCI) -- C:\WINDOWS\system32\drivers\Pclepci.sys (Pinnacle Systems GmbH)
DRV - (vobiw) -- C:\WINDOWS\system32\drivers\vobIW.sys (Pinnacle Systems GmbH)
DRV - (adpu320) -- C:\WINDOWS\system32\DRIVERS\adpu320.sys (Adaptec, Inc.)
DRV - (ASAPIW2K) -- C:\WINDOWS\system32\drivers\asapiW2k.sys (Pinnacle Systems GmbH)
DRV - (AN983) -- C:\WINDOWS\system32\drivers\an983.sys (ADMtek Incorporated.)
DRV - (Sparrow) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (ultra) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (ql12160) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1080) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql1280) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (dac2w2k) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (mraid35x) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (asc) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (AliIde) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (CmdIde) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.endeavour.co.uk/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {1A5CF3E8-DDB2-4E9F-BDFF-3585E2905B12}:1.9.1
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:4.6

FF - HKLM\software\mozilla\Firefox\Extensions\\{1A5CF3E8-DDB2-4E9F-BDFF-3585E2905B12}: C:\Documents and Settings\Lee\Local Settings\Application Data\{1A5CF3E8-DDB2-4E9F-BDFF-3585E2905B12} [2009/12/12 15:20:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2010/04/23 15:07:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\IPSFFPlgn\ [2010/04/29 16:31:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.1.0.32\coFFPlgn\ [2010/04/29 13:46:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Flock\Extensions\\Plugins: C:\Program Files\Flock\flock\plugins [2010/04/23 15:07:38 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Flock\Extensions\\Components: C:\Program Files\Flock\flock\components [2010/04/23 15:07:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/03 10:19:15 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/27 08:45:53 | 000,000,000 | ---D | M]

[2008/07/28 17:35:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lee\Application Data\Mozilla\Extensions
[2010/05/05 10:06:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\jryr85ce.default\extensions
[2010/05/01 15:54:20 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Lee\Application Data\Mozilla\Firefox\Profiles\jryr85ce.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/05/05 10:06:50 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/01 17:56:49 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/04/01 17:56:50 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2010/04/01 17:56:50 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/04/01 17:56:50 | 000,001,135 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/05/05 13:57:33 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Norton 360\Engine\4.1.0.32\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Norton 360\Engine\4.1.0.32\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Norton 360\Engine\4.1.0.32\CoIEPlg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Norton 360\Engine\4.1.0.32\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\\PSDrvCheck.exe ()
O4 - HKLM..\Run: [SiSPower] C:\WINDOWS\System32\SiSPower.dll (Silicon Integrated Systems Corporation)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [H/PC Connection Agent] C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE (Microsoft Corporation)
O4 - HKCU..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe (Pinnacle Systems GmbH.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE (SEIKO EPSON CORPORATION)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe (Silicon Integrated Systems Corporation)
O4 - Startup: C:\Documents and Settings\Lee\Start Menu\Programs\Startup\MailWasherPro.lnk = C:\Program Files\FireTrust\MailWasher Pro\MailWasher.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll (Microsoft Corporation)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/200 ... oader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} http://picasaweb.google.com/s/v/25.18/uploader2.cab (UploadListView Class)
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} https://webdl.symantec.com/activex/symdlmgr.cab (Symantec Download Manager)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microso ... 2229050421 (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/200 ... ader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://dl8-cdn-01.sun.com/s/ESD44/JSCDL ... 586-jc.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shoc ... wflash.cab (Shockwave Flash Object)
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} http://gfx2.hotmail.com/mail/w4/pr01/ph ... NPUpld.cab (Windows Live Hotmail Photo Upload Tool)
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} http://selectworld.squarespace.com/univ ... Upload.ocx (Persits Software XUpload)
O16 - DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} http://ps.itv.mop.com/dn/files/pCastCtl ... signed.cab (pCastPanel Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\mctp {d7b95390-b1c5-11d0-b111-0080c712fe82} - C:\Program Files\Microsoft ActiveSync\aatp.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\508\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\508\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Lee\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Lee\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/10/18 12:15:05 | 000,000,095 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/10/26 19:58:09 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17465059307421696)

========== Files/Folders - Created Within 30 Days ==========

[2010/05/07 14:09:08 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Lee\Desktop\OTL.exe
[2010/05/06 14:07:51 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/05 16:12:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lee\Desktop\New Folder
[2010/05/05 13:25:37 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/05/05 13:21:51 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/05 13:21:51 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/05/05 13:21:51 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/05/05 13:21:51 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/05 13:21:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/05 13:17:40 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/04 15:18:31 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Lee\Desktop\TDSSKiller.exe
[2010/05/01 08:55:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lee\My Documents\Hijack this log
[2010/05/01 08:54:25 | 000,000,000 | ---D | C] -- C:\Program Files\Hijack this log
[2010/04/30 17:59:23 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/04/30 17:56:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lee\Application Data\Malwarebytes
[2010/04/30 17:55:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/30 17:55:30 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/29 13:45:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
[2010/04/29 13:44:58 | 000,124,976 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/04/29 13:44:58 | 000,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/04/29 13:44:48 | 000,362,032 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\symtdi.sys
[2010/04/29 13:44:48 | 000,362,032 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0401000.020\symtdi.sys
[2010/04/29 13:44:48 | 000,340,016 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0401000.020\symtdiv.sys
[2010/04/29 13:44:47 | 000,328,752 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SymDS.sys
[2010/04/29 13:44:47 | 000,328,752 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0401000.020\SymDS.sys
[2010/04/29 13:44:47 | 000,325,680 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0401000.020\srtsp.sys
[2010/04/29 13:44:47 | 000,172,592 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SymEFA.sys
[2010/04/29 13:44:47 | 000,172,592 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0401000.020\SymEFA.sys
[2010/04/29 13:44:47 | 000,116,784 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0401000.020\Ironx86.sys
[2010/04/29 13:44:47 | 000,116,784 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\Ironx86.sys
[2010/04/29 13:44:47 | 000,043,696 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\srtspx.sys
[2010/04/29 13:44:47 | 000,043,696 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0401000.020\srtspx.sys
[2010/04/29 13:44:46 | 000,501,888 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\N360\0401000.020\cchpx86.sys
[2010/04/29 13:44:46 | 000,501,888 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\cchpx86.sys
[2010/04/29 13:44:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\N360
[2010/04/29 13:44:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\N360\0401000.020
[2010/04/29 13:44:22 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Sidebar
[2010/04/29 13:44:09 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2010/04/29 13:44:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2010/04/29 13:11:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\Norton
[2010/04/29 13:11:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2010/04/29 09:20:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/29 09:20:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/23 15:08:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lee\Local Settings\Application Data\Real
[2010/04/23 15:07:35 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
[2010/04/13 17:46:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lee\My Documents\Paytons Ledbury Dilapidation Claim
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[15 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/07 14:13:00 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/07 14:09:08 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lee\Desktop\OTL.exe
[2010/05/07 10:19:17 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{898C5654-CDAC-482F-B8DF-430F31E4F8DA}.job
[2010/05/07 09:15:49 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/07 09:15:47 | 000,000,874 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/07 09:15:13 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/07 09:15:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/07 08:37:07 | 000,100,908 | ---- | M] () -- C:\Documents and Settings\Lee\Desktop\SystemLook.exe
[2010/05/06 17:37:40 | 007,602,176 | -H-- | M] () -- C:\Documents and Settings\Lee\NTUSER.DAT
[2010/05/06 17:37:40 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Lee\ntuser.ini
[2010/05/06 17:10:41 | 000,000,349 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\PCLECHAL.INI
[2010/05/06 14:10:50 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Lee\defogger_reenable
[2010/05/06 14:09:19 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Lee\Desktop\Defogger.exe
[2010/05/06 08:22:58 | 000,096,256 | ---- | M] () -- C:\Documents and Settings\Lee\My Documents\Jotti 1.doc
[2010/05/05 14:34:47 | 000,076,288 | ---- | M] () -- C:\Documents and Settings\Lee\My Documents\ComboFix 10.doc
[2010/05/05 14:00:38 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/05 13:57:33 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/05 13:25:47 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/05/05 13:17:01 | 003,946,364 | R--- | M] () -- C:\Documents and Settings\Lee\Desktop\zzz.exe
[2010/05/04 15:17:39 | 000,178,000 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Lee\Desktop\TDSSKiller.exe
[2010/05/04 14:08:05 | 000,003,601 | ---- | M] () -- C:\WINDOWS\Wm98.INI
[2010/05/01 08:53:13 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\Lee\Desktop\HiJackThis.lnk
[2010/04/30 17:29:00 | 000,038,912 | ---- | M] () -- C:\Documents and Settings\Lee\My Documents\malware.doc
[2010/04/29 13:55:10 | 000,441,124 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/04/29 13:55:10 | 000,071,060 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/04/29 13:55:09 | 000,521,766 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/04/29 13:50:25 | 000,669,798 | ---- | M] () -- C:\WINDOWS\System32\drivers\N360\0401000.020\Cat.DB
[2010/04/29 13:44:58 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/04/29 13:44:58 | 000,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/04/29 13:44:58 | 000,007,443 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/04/29 13:44:58 | 000,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/04/29 13:44:51 | 000,002,051 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton 360.LNK
[2010/04/29 13:11:12 | 000,000,811 | ---- | M] () -- C:\Documents and Settings\Lee\Desktop\Norton Installation Files.lnk
[2010/04/29 12:28:03 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Edulikovuviy.dat
[2010/04/29 08:26:54 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Dtihigokimakigej.bin
[2010/04/28 18:13:41 | 000,001,819 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2010/04/27 08:45:57 | 000,001,608 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/23 15:09:27 | 000,000,681 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2010/04/23 15:07:31 | 000,000,903 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer.lnk
[2010/04/23 15:07:17 | 000,185,920 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\rmoc3260.dll
[2010/04/23 15:07:00 | 000,006,656 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5016.dll
[2010/04/23 15:07:00 | 000,005,632 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5032.dll
[2010/04/23 15:06:56 | 000,348,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr71.dll
[2010/04/23 15:06:56 | 000,278,528 | ---- | M] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2010/04/16 17:39:19 | 000,282,619 | ---- | M] () -- C:\Documents and Settings\Lee\My Documents\Wright Hassall response 13 apr 2010.jpg
[2010/04/16 17:06:15 | 000,282,619 | ---- | M] () -- C:\Documents and Settings\Lee\My Documents\Letterhead.jpg
[2010/04/15 08:39:56 | 000,001,735 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/15 08:34:05 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/14 17:26:40 | 014,562,902 | ---- | M] () -- C:\Documents and Settings\Lee\My Documents\Solus Piece - Cover SELECT WORLD.pdf
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
[15 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/07 08:37:06 | 000,100,908 | ---- | C] () -- C:\Documents and Settings\Lee\Desktop\SystemLook.exe
[2010/05/06 15:52:26 | 000,000,290 | ---- | C] () -- C:\Documents and Settings\Lee\mbr.log
[2010/05/06 14:10:50 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Lee\defogger_reenable
[2010/05/06 14:09:19 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Lee\Desktop\Defogger.exe
[2010/05/06 08:22:57 | 000,096,256 | ---- | C] () -- C:\Documents and Settings\Lee\My Documents\Jotti 1.doc
[2010/05/05 14:34:47 | 000,076,288 | ---- | C] () -- C:\Documents and Settings\Lee\My Documents\ComboFix 10.doc
[2010/05/05 13:25:47 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/05/05 13:25:40 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/05/05 13:21:51 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/05 13:21:51 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/05 13:21:51 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/05/05 13:21:51 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/05 13:21:51 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/05 13:16:10 | 003,946,364 | R--- | C] () -- C:\Documents and Settings\Lee\Desktop\zzz.exe
[2010/04/30 17:59:23 | 000,002,443 | ---- | C] () -- C:\Documents and Settings\Lee\Desktop\HiJackThis.lnk
[2010/04/30 17:28:59 | 000,038,912 | ---- | C] () -- C:\Documents and Settings\Lee\My Documents\malware.doc
[2010/04/29 13:45:06 | 000,669,798 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0401000.020\Cat.DB
[2010/04/29 13:44:58 | 000,007,443 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/04/29 13:44:58 | 000,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/04/29 13:44:51 | 000,002,051 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Norton 360.LNK
[2010/04/29 13:44:26 | 000,003,374 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\0401000.020\SymEFA.inf
[2010/04/29 13:44:26 | 000,002,793 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\0401000.020\SymDS.inf
[2010/04/29 13:44:26 | 000,001,473 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\0401000.020\SymNetV.inf
[2010/04/29 13:44:26 | 000,001,445 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\0401000.020\SymNet.inf
[2010/04/29 13:44:25 | 000,007,787 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\0401000.020\symnetv.cat
[2010/04/29 13:44:25 | 000,007,444 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\0401000.020\SymEFA.cat
[2010/04/29 13:44:25 | 000,007,442 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\0401000.020\srtspx.cat
[2010/04/29 13:44:25 | 000,007,438 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\0401000.020\srtsp.cat
[2010/04/29 13:44:25 | 000,007,438 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\0401000.020\iron.cat
[2010/04/29 13:44:25 | 000,007,425 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\0401000.020\SymDS.cat
[2010/04/29 13:44:25 | 000,007,396 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\0401000.020\cchpx86.cat
[2010/04/29 13:44:25 | 000,007,368 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\0401000.020\SymNet.cat
[2010/04/29 13:44:25 | 000,001,754 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\0401000.020\ccHPx86.inf
[2010/04/29 13:44:25 | 000,001,388 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\0401000.020\srtspx.inf
[2010/04/29 13:44:25 | 000,001,382 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\0401000.020\srtsp.inf
[2010/04/29 13:44:25 | 000,000,741 | R--- | C] () -- C:\WINDOWS\System32\drivers\N360\0401000.020\Iron.inf
[2010/04/29 13:44:25 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\N360\0401000.020\isolate.ini
[2010/04/29 13:11:11 | 000,000,811 | ---- | C] () -- C:\Documents and Settings\Lee\Desktop\Norton Installation Files.lnk
[2010/04/27 08:45:57 | 000,001,608 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2010/04/23 15:07:54 | 000,001,819 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2010/04/23 15:07:31 | 000,000,903 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer.lnk
[2010/04/16 17:39:19 | 000,282,619 | ---- | C] () -- C:\Documents and Settings\Lee\My Documents\Wright Hassall response 13 apr 2010.jpg
[2010/04/16 17:06:14 | 000,282,619 | ---- | C] () -- C:\Documents and Settings\Lee\My Documents\Letterhead.jpg
[2010/04/15 08:38:52 | 000,001,735 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/14 17:26:14 | 014,562,902 | ---- | C] () -- C:\Documents and Settings\Lee\My Documents\Solus Piece - Cover SELECT WORLD.pdf
[2010/03/13 14:54:09 | 000,131,072 | ---- | C] () -- C:\WINDOWS\System32\ZipDll.dll
[2010/03/13 14:54:09 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\UnzDLL.dll
[2010/01/14 09:43:13 | 000,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/04/21 17:35:53 | 000,000,147 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
[2009/04/21 17:35:11 | 000,000,011 | ---- | C] () -- C:\WINDOWS\hpclj3600g.ini
[2009/04/21 17:32:40 | 000,000,011 | ---- | C] () -- C:\WINDOWS\hpclj3600m.ini
[2007/04/18 11:52:06 | 000,018,764 | ---- | C] () -- C:\WINDOWS\System32\ddmon.dll
[2007/03/29 14:16:13 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2007/01/23 09:40:03 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\WCp64log.dll
[2006/12/11 21:11:41 | 000,000,310 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2006/12/05 18:28:03 | 000,000,681 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2006/10/18 16:03:44 | 000,000,017 | ---- | C] () -- C:\WINDOWS\MovingPicture.ini
[2006/10/18 12:30:03 | 000,194,248 | ---- | C] () -- C:\WINDOWS\System32\LTRFD13n.DLL
[2006/10/18 12:15:05 | 000,001,289 | ---- | C] () -- C:\WINDOWS\VFO.INI
[2006/10/18 12:15:00 | 000,196,096 | ---- | C] () -- C:\WINDOWS\System32\macd32.dll
[2006/10/18 12:15:00 | 000,138,752 | ---- | C] () -- C:\WINDOWS\System32\mase32.dll
[2006/10/18 12:15:00 | 000,136,192 | ---- | C] () -- C:\WINDOWS\System32\mamc32.dll
[2006/10/18 12:15:00 | 000,057,856 | ---- | C] () -- C:\WINDOWS\System32\masd32.dll
[2006/10/18 12:14:59 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\ma32.dll
[2006/10/17 12:20:53 | 000,003,601 | ---- | C] () -- C:\WINDOWS\Wm98.INI
[2006/10/17 10:46:24 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/10/17 09:41:40 | 000,000,502 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/10/17 09:40:57 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\EEBAPI.dll
[2006/10/17 09:40:57 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\EEBDSCVR.dll
[2006/10/17 09:40:57 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\EBAPI.dll
[2006/10/16 16:19:42 | 000,076,990 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
[2006/10/16 16:19:28 | 000,117,132 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
[2006/08/25 03:51:35 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2006/05/02 23:38:24 | 000,000,748 | ---- | C] () -- C:\WINDOWS\SetBrowser.ini
[2006/02/24 15:54:42 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\deskMenu2.dll
[2005/10/26 11:06:30 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/07/29 19:38:24 | 003,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2005/04/28 13:32:27 | 000,001,038 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/04/27 13:40:30 | 000,002,572 | ---- | C] () -- C:\WINDOWS\WINDVDBOOTRECDOE.sys
[2004/12/20 18:24:03 | 001,663,068 | ---- | C] () -- C:\WINDOWS\System32\libmmd.dll
[2004/08/20 19:44:19 | 000,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2003/11/25 12:15:46 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\MemCompress.dll
[2003/06/12 12:00:56 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\regobj.dll
[2003/06/04 16:10:48 | 000,000,332 | ---- | C] () -- C:\WINDOWS\ActiveSkin.ini
[2001/07/06 16:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2006/10/18 15:20:56 | 000,413,867 | ---- | M] () -- C:\adorage-protocol.txt
[2006/10/18 12:15:05 | 000,000,095 | ---- | M] () -- C:\AUTOEXEC.BAT
[2006/10/16 16:17:28 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/05/05 13:25:47 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2010/05/05 14:15:01 | 000,025,167 | ---- | M] () -- C:\ComboFix.txt
[2004/08/20 19:33:47 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2008/07/14 14:56:10 | 000,000,123 | ---- | M] () -- C:\Defaults.ppr
[2004/08/20 19:33:47 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/05/07 09:16:07 | 000,000,000 | ---- | M] () -- C:\iwctrllog.txt
[2006/10/16 16:20:50 | 000,001,476 | ---- | M] () -- C:\lang.txt
[2002/01/05 04:48:16 | 000,974,848 | ---- | M] (Microsoft Corporation) -- C:\mfc70.dll
[2002/01/05 04:36:38 | 000,964,608 | ---- | M] (Microsoft Corporation) -- C:\mfc70u.dll
[2004/08/20 19:33:47 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 13:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/05/31 12:04:47 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2006/10/17 12:45:56 | 661,012,480 | ---- | M] () -- C:\Outlook.pst
[2010/05/07 09:14:25 | 754,974,720 | -HS- | M] () -- C:\pagefile.sys
[2010/03/23 14:38:06 | 000,013,030 | ---- | M] () -- C:\PDOXUSRS.NET
[2010/05/04 15:15:28 | 000,043,498 | ---- | M] () -- C:\TDSSKiller.2.2.8.1_04.05.2010_15.15.21_log.txt
[2010/05/06 14:27:51 | 000,013,352 | ---- | M] () -- C:\TDSSKiller.2.2.8.1_06.05.2010_14.27.44_log.txt

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[15 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/08/20 20:21:01 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/08/20 20:21:01 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/08/20 20:21:01 | 000,868,352 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/05/07 08:19:50 | 000,096,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\atapi.sys
[2010/02/26 00:22:57 | 000,501,888 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\cchpx86.sys
[2010/02/27 03:23:54 | 000,116,784 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\Ironx86.sys
[2010/02/24 14:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2010/02/27 03:23:21 | 000,043,696 | R--- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\srtspx.sys
[2010/04/29 13:44:58 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS
[2010/02/11 13:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tcpip6.sys
< End of report >


Here Is The Extras.txt.
OTL Extras logfile created on: 07/05/2010 14:14:16 - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\Lee\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

991.00 Mb Total Physical Memory | 484.00 Mb Available Physical Memory | 49.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): C:\pagefile.sys 720 1440 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 2.39 Gb Free Space | 3.21% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive Z: | 232.88 Gb Total Space | 213.88 Gb Free Space | 91.84% Space Free | Partition Type: NTFS

Computer Name: SELECT-09
Current User Name: Lee
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========
kemsing
Regular Member
 
Posts: 56
Joined: April 30th, 2010, 12:28 pm
Top

Re: HTTPS Tidserv request 2

Unread postby askey127 » May 7th, 2010, 11:25 am

The machine is crippled by not having enough free space on drive C:
Drive C: needs about 10Gb free to function properly. (My Computer, right click C:, Properties)
You should find some files and/or folders (photos, sounds, and videos tend to be space hogs) you can transfer to DVDs or to drive Z: (whatever that is).

The crew is consulting about the next step on the infection, but some space needs to be freed or we can't do anything.
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Top

Re: HTTPS Tidserv request 2

Unread postby kemsing » May 7th, 2010, 1:34 pm

Thanks Askey
We Do have a lot of Photographs we use for our business ,which I will download onto an external Hard Drive that we have, that should free up a lot of space.
The Z Drive is our back office system so we would never download to that.
As It is 18.35 now here, I will make sure we have copied all of the photograph files to the External drive and then Delete them all from the infected Computer in the Morning.
Thanks again for all your work,lets hope we are near a permanent solution of Exterminating this Virus.
kemsing
Regular Member
 
Posts: 56
Joined: April 30th, 2010, 12:28 pm
Top

Re: HTTPS Tidserv request 2

Unread postby askey127 » May 7th, 2010, 2:59 pm

kemsing,
Since we are dealing with a rootkit infection, you should offload all critical files, since we can never be absolutely certain what the outcome will be.
With this kind of infection, a possible outcome is always to Reformat the Drive and Re-install Windows. We are trying to prevent that.

I hope you don't run a business from this machine, since we don't fix business machines.
http://malwareremoval.com/forum/viewtop ... 98#p491398

After you get the files moved,
----------------------------------------------
Run Temp File Cleaner
Download Temp File Cleaner and save it to your desktop.
Double click to run it. (Right click and Run as Administrator in Vista)
If it asks to Reboot, choose to do so. This will remove files that could not be removed while Windows was running.
After Restart, log back in to your usual account.
Let me know how it went, how much free space you have, and we will move on.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Top

Re: HTTPS Tidserv request 2

Unread postby kemsing » May 9th, 2010, 4:49 am

Have Run temp file cleaner , it said temp internet files folder emptied 32902 bytes and temp folder emptied 15103725 bytes, after running i think it said something like total files cleared 220mb.
Originally from 74.5GB and having used 72.1GB and only free space of 2.33gb
Now The Computer is showing 57.4 GB with 17.1 GB free space.
I Have taken copies of all Files onto a portable Harddrive, Do I have to be careful that this infection could have been on one of those files and could be now on the portable Harddrive?
Thanks again, and I hope we are nearly there. I await your next instructions.
kemsing
Regular Member
 
Posts: 56
Joined: April 30th, 2010, 12:28 pm
Top

Re: HTTPS Tidserv request 2

Unread postby askey127 » May 9th, 2010, 7:53 am

kemsing,
It's not very likely that the pictures, etc. you offloaded are infected, but it's possible.
Before you copy anything back from the portable Hard Drive, connect it to the machine and run a full scan with Norton.
Norton should detect any contaminated files and tell you when/if the external drive is clean. Do it after we get this machine cleaned up.
-----------------------
This infection uses a rootkit to hide driver files that keep the infection going and prevent removal.
We are attempting to locate the hidden culprit. After we find it, the solution should be straightforward.
-----------------------
Print this out first, since you will not have internet access in safe mode
Safe Mode Boot
* Shut down Windows, and then turn off the power
* Wait 30 seconds, and then turn the computer on.
* Start tapping the F8 key until the Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message.
To resolve this, restart the computer and try again.
* Select the Safe mode option. Do not select "Safe Mode with Networking"
* Press Enter. The computer will start in Safe mode.

After the machine finishes SAFE MODE startup,
  • Double click GMER. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
  • In the right panel, you will see boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Make sure there IS a CHECK on the Sections box
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in Gmer.txt or it will save as a .log file
  • Save it where you can easily find it, such as your desktop

If all this completes so far, fine. If it hangs up or errors out, OK also. Just let me know later.
In any case, next step is this:
-----------------------------------------------------------
REBOOT(RESTART) Your Machine and let it start in Normal Mode
-------------------------------------------------------------
Scan With RKUnHooker
Go to Start, Run
Type the following into the box and hit <Enter>
net stop gmer
(There should be a space between net and stop, and a space between stop and gmer)

Regardless of any messages, proceed:
Download Rootkit Unhooker from here: http://www.rootkit.com/vault/DiabloNova/RKUnhookerLE.EXE
Save it to your desktop.
Now double-click to run RootkitUnhooker.
Click the Report tab, then click Scan.
Select the pages Drivers, Stealth, Files, Code Hooks. Uncheck the rest. Click OK.
Wait till the scanner has finished and then click File, Save Report.
Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Also copy the contents of the gmer.txt report (if it finished in SAFE MODE) and paste that here.
Use separate posts if it's more convenient.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Top

Re: HTTPS Tidserv request 2

Unread postby kemsing » May 9th, 2010, 10:03 am

In Safe Mode, it is asking for two options?Please select the operating system to start: Load using Microsoft windows Recovery console or Microsoft windows XP professional.
I Am presuming I should select the recovery console? Would this then take me to the next step to find GMER?
kemsing
Regular Member
 
Posts: 56
Joined: April 30th, 2010, 12:28 pm
Top

Re: HTTPS Tidserv request 2

Unread postby askey127 » May 9th, 2010, 10:25 am

You should select "Microsoft windows XP professional"
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Top
Advertisement
Register to Remove
PreviousNext
Topic locked
  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 248 guests

The teamDelete all board cookiesAll times are UTC - 5 hours [ DST ]

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware

Board index