TechSpot

Search engine results are redirecting, IE/Firefox keeps crashing

Solved
By satnamj
Dec 17, 2011
  1. Greetings All,

    I am a friend of Dalego, who recommended TechSpot.

    Basically, the problem is on my son's laptop (Acer Aspire 3500, running XP).

    Following an internet search (Google, Bing, Yahoo), when we would click on a search result link, we would get redirected to a random site (e.g. a search for BBC Sport football would redirect us to www.bet365.com).

    Also IE would crash with a "send report to Microsoft".

    1) I performed a system restore from the "system recovery CD", which reinstalled XP.
    2) However, the redirect problem continued to occur.
    3) I then ran your "5-step virus removal instructions".
    4) When the Malwarebytes step was run, it detected ROOTKIT and deleted it, and the laptop was rebooted.
    5) Step 4, GMER, ran OK.
    6) However, step 5, DDS, hangs/freezes the laptop after 50 hashes are printed on screen.
    7) However, the REDIRECT problem now appears to have gone away, BUT the internet is very slow displaying pages.

    Q1) Could the removal of ROOTKIT in task "4" above have resolved the "REDIRECT" issue?
    Q2) How can I get DDS to run so that I can generate all my logs?

    Hope someone can advise,

    May you be Healthy, Happy, Holy !
    Love, Light, Peace !
    Satnam
     
  2. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Welcome aboard

    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.
    Complete as many steps as you can.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. satnamj

    satnamj TS Rookie Topic Starter

    step 5, DDS, hangs/freezes the laptop

    Hey friend,

    please read point 6 in my initial post:

    6) However, step 5, DDS, hangs/freezes the laptop after 50 hashes are printed on screen.
    Also, the bit about redirecting has stopped following removal of ROOTKIT!

    peace
    satnam
     
  4. Broni

    Read my reply carefully.

     
  5. satnamj

    Result logs - 20 December

    Summary:
    ========
    Malwarebytes ran OK (log further below).
    (This is the second run of Malwarebytes. On the initial run it detected "ROOTKIT" and prompted to delete it; I then restarted the laptop.
    Following this, the redirect error appears to have stopped?)

    GMER ran OK (log further below).

    DDS freezes the laptop after 53 horizontal "#" are printed on screen; the PC has to be power-cycled.



    MALWAREBYTES log <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    =================
    Malwarebytes' Anti-Malware 1.51.2.1300
    www.malwarebytes.org

    Database version: 8405

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    20/12/2011 21:07:54
    mbam-log-2011-12-20 (21-07-54).txt

    Scan type: Quick scan
    Objects scanned: 178275
    Time elapsed: 4 minute(s), 23 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER log <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    ==============
    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-12-20 21:19:29
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD400UE-00HCT0 rev.09.07D09
    Running: ut93j901.exe; Driver: C:\DOCUME~1\satnam\LOCALS~1\Temp\ufnirpog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xAC417FC4]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xAC47C510]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xAC43B6A9]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xAC41A456]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xAC41A4AE]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xAC41A5C4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xAC43B05D]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xAC41A3AC]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xAC41A4FE]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xAC41A400]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xAC41A572]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xAC417FE8]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xAC43BD6F]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xAC43C025]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xAC41A848]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xAC43BBDA]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xAC43BA45]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xAC47C5C0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xAC417DB2]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xAC41800C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xAC41A9BC]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xAC418AA4]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xAC41A486]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xAC41A4D6]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xAC41A5EE]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xAC43B3B9]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xAC41A3D8]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xAC41A680]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xAC41A53E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xAC41A42E]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xAC41A764]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xAC41A59C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xAC47C658]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xAC43B8C0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xAC41896A]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xAC43B712]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xAC4849E6]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xAC43A6D0]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xAC418030]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xAC418054]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xAC417E0C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xAC417F48]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xAC43BE76]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xAC417F24]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xAC417F6C]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xAC418078]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xAC4907A2]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwCallbackReturn + 2478 80501CB0 4 Bytes CALL ACFC5E34
    PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 8059B8EC 4 Bytes CALL AC41900F \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805B1DB4 5 Bytes JMP AC48D69C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ObInsertObject 805B8C2C 5 Bytes JMP AC48F15C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C74CC 7 Bytes JMP AC4907A6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
    .text win32k.sys!EngSetLastError + 79A8 BF8242D4 4 Bytes JMP AC41AB9A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!FONTOBJ_pxoGetXform + C2CF BF85198B 5 Bytes JMP AC41AAD6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!XLATEOBJ_iXlate + 3581 BF85E514 4 Bytes JMP AC41ADE6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!XLATEOBJ_iXlate + 360C BF85E59F 5 Bytes JMP AC41AFBC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreatePalette + 88 BF85F812 4 Bytes JMP AC41AABE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngGetCurrentCodePage + 4128 BF873F30 4 Bytes JMP AC41AF76 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCopyBits + 4DEC BF89DBA0 4 Bytes JMP AC41AC0A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngEraseSurface + A9F7 BF8C2130 5 Bytes JMP AC41ACA4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngFillPath + 1517 BF8CA592 4 Bytes JMP AC41AD14 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngFillPath + 1797 BF8CA812 5 Bytes JMP AC41AD4E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngDeleteSemaphore + 3B3E BF8EC297 4 Bytes JMP AC41A9F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateClip + 19DF BF91348A 5 Bytes JMP AC41AB56 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateClip + 25B3 BF91405E 4 Bytes JMP AC41AC6E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    .text win32k.sys!EngCreateClip + 4F2C BF9169D7 5 Bytes JMP AC41B0D6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
    ? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\wscntfy.exe[108] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\wscntfy.exe[108] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Acer\eManager\anbmServ.exe[156] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Acer\eManager\anbmServ.exe[156] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[232] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[232] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\System32\smss.exe[424] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\csrss.exe[468] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\csrss.exe[468] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\csrss.exe[480] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\csrss.exe[480] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\winlogon.exe[504] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\winlogon.exe[504] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\services.exe[548] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\services.exe[548] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\lsass.exe[560] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\lsass.exe[560] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[712] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\System32\alg.exe[744] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\System32\alg.exe[744] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[772] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[772] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[780] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[780] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\sistray.exe[804] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\sistray.exe[804] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[848] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\System32\svchost.exe[848] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[908] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[908] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[936] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[936] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\Explorer.EXE[1028] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\Explorer.EXE[1028] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1048] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[1128] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[1128] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1164] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1164] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
    .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1164] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\AVAST Software\Avast\avastUI.exe[1396] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\AVAST Software\Avast\avastUI.exe[1396] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\spoolsv.exe[1528] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\spoolsv.exe[1528] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\SOUNDMAN.EXE[1768] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\SOUNDMAN.EXE[1768] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\SOUNDMAN.EXE[1788] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\SOUNDMAN.EXE[1788] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\sistray.exe[2000] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\sistray.exe[2000] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[2044] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[2184] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[2184] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2448] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2448] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Arcade\PCMService.exe[2564] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Arcade\PCMService.exe[2564] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\winlogon.exe[2752] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\winlogon.exe[2752] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\winlogon.exe[2824] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\winlogon.exe[2824] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Documents and Settings\satnam\Desktop\__ANTI-VIRUS\ut93j901.exe[2920] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Documents and Settings\satnam\Desktop\__ANTI-VIRUS\ut93j901.exe[2920] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\AVAST Software\Avast\avastUI.exe[3420] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\AVAST Software\Avast\avastUI.exe[3420] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\csrss.exe[3468] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\csrss.exe[3468] KERNEL32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Documents and Settings\sunny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe[3540] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Documents and Settings\sunny\Local Settings\Application Data\Google\Update\GoogleUpdate.exe[3540] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Arcade\PCMService.exe[3548] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Arcade\PCMService.exe[3548] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3556] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3556] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\keyhook.exe[3572] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\keyhook.exe[3572] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\wscntfy.exe[3628] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\wscntfy.exe[3628] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3696] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[3696] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\system32\keyhook.exe[3712] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\system32\keyhook.exe[3712] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]
    .text C:\WINDOWS\Explorer.EXE[3736] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
    .text C:\WINDOWS\Explorer.EXE[3736] kernel32.dll!GetBinaryTypeW + 80 7C868D8C 1 Byte [62]

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\services.exe[548] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005B0002
    IAT C:\WINDOWS\system32\services.exe[548] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005B0000

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

    ---- EOF - GMER 1.0.15 ----


    DDS <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    ====
    DDS freezes the laptop after 53 horizontal "#" are printed on screen; the PC has to be power-cycled.
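The GMER log above is mostly a list of kernel hooks (SSDT entries, inline patches in ntkrnlpa.exe and win32k.sys), user-mode patches applied uniformly to almost every process, and two IAT redirections in services.exe. GMER attributes most of them to the avast! drivers, but a few entries carry no module at all (the CALL at ZwCallbackReturn + 2478 and the IAT entries pointing at 005B0000/005B0002). Reading such a log by hand means sorting hooks by vendor and pulling out the unattributed ones, which is what the script below does mechanically. It is an added example written for this page, not part of the thread and not a GMER feature: the sample input is a handful of lines excerpted from the log posted above, the `parse_gmer`/`triage` functions, the `Hook` record and the trusted-vendor list are this example's own, and the script only sorts and groups hooks; it does not decide whether any of them is malicious.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Set, Tuple

# Sample input: lines excerpted from the GMER log posted above (one or two per
# section, not the whole log), embedded here so the script runs offline.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xAC417FC4]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2478 80501CB0 4 Bytes CALL ACFC5E34
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805B1DB4 5 Bytes JMP AC48D69C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
? System32\Drivers\hiber_WMILIB.SYS The system cannot find the path specified. !
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\services.exe[548] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[560] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1164] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\system32\services.exe[548] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 005B0002
IAT C:\WINDOWS\system32\services.exe[548] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 005B0000
---- EOF - GMER 1.0.15 ----
"""

_SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER")
_ATTRIB_RE = re.compile(r"\\\S+?\.(?:sys|exe|dll)\s+\((?P<desc>[^)]*)\)", re.I)  # "\...\drv.SYS (desc/Vendor)"
_SSDT_RE = re.compile(r"^(?P<kind>SSDT|Code)\s+(?P<body>.*)$")
_PATCH = r"(?P<func>\S+)(?:\s\+\s(?P<off>[0-9A-F]+))?\s+[0-9A-F]{8}\s+\d+ Bytes?\s+"
_KCODE_RE = re.compile(r"^(?P<kind>\.text|PAGE|INIT)\s+" + _PATCH + r"(?P<patch>.*)$")
_UCODE_RE = re.compile(r"^\.text\s+(?P<proc>.+?\[\d+\])\s+" + _PATCH + r"(?P<bytes>.*)$")
_IAT_RE = re.compile(r"^IAT\s+(?P<proc>.+?\[\d+\])\s+@\s+.+?\s+\[(?P<func>[^\]]+)\]\s+(?P<addr>[0-9A-F]{8})")
_LINE_RE = {"System": _SSDT_RE, "Kernel code sections": _KCODE_RE,
            "User code sections": _UCODE_RE, "User IAT/EAT": _IAT_RE}

@dataclass
class Hook:
    section: str
    kind: str               # SSDT, Code, .text, PAGE, IAT
    target: str             # hooked function; "process -> function" for user-mode entries
    vendor: Optional[str]   # vendor GMER attributed the hook to; None when unattributed
    detail: str             # hook address, branch target or patch bytes

def _vendor(line: str) -> Optional[str]:
    m = _ATTRIB_RE.search(line)
    return m.group("desc").rpartition("/")[2].strip() if m else None

def _proc_name(proc: str) -> str:  # "C:\WINDOWS\system32\services.exe[548]" -> "services.exe"
    return proc.rsplit("\\", 1)[-1].split("[", 1)[0]

def parse_gmer(text: str) -> Tuple[List[Hook], List[str]]:
    """Return the hooks found plus every non-blank line no pattern matched, so nothing is dropped silently."""
    hooks: List[Hook] = []
    unparsed: List[str] = []
    section = ""
    for line in filter(None, map(str.strip, text.splitlines())):
        sec = _SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        rx = _LINE_RE.get(section)
        m = rx.match(line) if rx else None
        if not m:
            unparsed.append(line)
            continue
        g = m.groupdict()
        off = f"+{g['off']}" if g.get("off") else ""
        if section == "System":                # SSDT/Code: the hooked function follows the attribution
            am = _ATTRIB_RE.search(g["body"])
            rest = (g["body"][am.end():] if am else g["body"]).split()
            hooks.append(Hook(section, g["kind"], rest[0] if rest else "?", _vendor(line), " ".join(rest[1:])))
        elif section == "Kernel code sections":
            hooks.append(Hook(section, g["kind"], g["func"] + off, _vendor(line), g["patch"]))
        elif section == "User code sections":  # GMER does not attribute user-mode patches to a module
            hooks.append(Hook(section, ".text", f"{_proc_name(g['proc'])} -> {g['func']}{off}", None, g["bytes"]))
        else:                                  # User IAT/EAT
            hooks.append(Hook(section, "IAT", f"{_proc_name(g['proc'])} -> {g['func']}", None, g["addr"]))
    return hooks, unparsed

def triage(hooks: List[Hook], trusted_vendors: Set[str]) -> Dict[str, Any]:
    """Group hooks by vendor and pull out what an analyst should read first."""
    by_vendor = Counter(h.vendor or "(unattributed)" for h in hooks)
    # kernel hooks and IAT redirections that GMER could not tie to any loaded module
    unattributed = [h for h in hooks if h.vendor is None and h.section != "User code sections"]
    untrusted = [h for h in hooks if h.vendor and h.vendor not in trusted_vendors]
    # identical user-mode patches grouped across processes: one present in every process is
    # usually a single system-wide hook, one present in a single process deserves a closer look
    patches: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for h in hooks:
        if h.section == "User code sections":
            proc, func = h.target.split(" -> ", 1)
            patches[(func, h.detail)].add(proc)
    return {"by_vendor": by_vendor, "unattributed": unattributed,
            "untrusted": untrusted, "user_patches": dict(patches)}

if __name__ == "__main__":
    found, skipped = parse_gmer(SAMPLE_GMER_LOG)
    result = triage(found, {"AVAST Software", "Microsoft Corporation", "Synaptics, Inc."})
    print("hooks by vendor:", dict(result["by_vendor"]), "| unparsed lines:", len(skipped))
    for h in result["unattributed"] + result["untrusted"]:
        print(f"REVIEW {h.kind:5s} {h.target}  {h.detail}  vendor={h.vendor}")
    for (func, patch), procs in result["user_patches"].items():
        print(f"patch {func} {patch} in {len(procs)} process(es): {sorted(procs)}")
```

Run against the full log, the script would list the avast! SSDT and inline hooks under "AVAST Software", flag the unattributed CALL in ntkrnlpa.exe and the two services.exe IAT entries for review, and show the RtlDosSearchPath_U/GetBinaryTypeW one-byte patch as present in every listed process. Whether an unattributed entry is benign (for example a driver GMER could not name) or not is still a judgement for the person reading the log; the script only makes sure nothing is overlooked in a 300-line dump, and any line it cannot parse is reported rather than dropped.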
     
  6. Broni

    Download TDSSKiller and save it to your desktop.
    • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure; click on Continue.
    • If a suspicious file is detected, the default action will be Skip; click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  7. satnamj

    TDSS rootkit removing tool - OUTPUT REPORT

    Hey Broni, thanks for replying so swiftly. The report output is as below:




    21:02:02.0625 3356 TDSS rootkit removing tool 2.6.23.0 Dec 13 2011 10:39:31
    21:02:03.0031 3356 ============================================================
    21:02:03.0031 3356 Current date / time: 2011/12/21 21:02:03.0031
    21:02:03.0031 3356 SystemInfo:
    21:02:03.0031 3356
    21:02:03.0031 3356 OS Version: 5.1.2600 ServicePack: 3.0
    21:02:03.0031 3356 Product type: Workstation
    21:02:03.0031 3356 ComputerName: ACER-B0474DC4D4
    21:02:03.0046 3356 UserName: satnam
    21:02:03.0046 3356 Windows directory: C:\WINDOWS
    21:02:03.0046 3356 System windows directory: C:\WINDOWS
    21:02:03.0046 3356 Processor architecture: Intel x86
    21:02:03.0046 3356 Number of processors: 1
    21:02:03.0046 3356 Page size: 0x1000
    21:02:03.0046 3356 Boot type: Normal boot
    21:02:03.0046 3356 ============================================================
    21:02:05.0375 3356 Initialize success
    21:03:15.0078 1932 ============================================================
    21:03:15.0078 1932 Scan started
    21:03:15.0078 1932 Mode: Manual;
    21:03:15.0078 1932 ============================================================
    21:03:15.0734 1932 Aavmker4 (b6de0336f9f4b687b4ff57939f7b657a) C:\WINDOWS\system32\drivers\Aavmker4.sys
    21:03:15.0750 1932 Aavmker4 - ok
    21:03:15.0921 1932 Abiosdsk - ok
    21:03:16.0062 1932 abp480n5 - ok
    21:03:16.0187 1932 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    21:03:16.0187 1932 ACPI - ok
    21:03:16.0250 1932 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
    21:03:16.0250 1932 ACPIEC - ok
    21:03:16.0406 1932 adpu160m - ok
    21:03:16.0515 1932 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    21:03:16.0515 1932 aec - ok
    21:03:16.0656 1932 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
    21:03:16.0656 1932 AFD - ok
    21:03:16.0812 1932 Aha154x - ok
    21:03:16.0968 1932 aic78u2 - ok
    21:03:17.0125 1932 aic78xx - ok
    21:03:17.0375 1932 ALCXWDM (5dae13401e4d3b8f132bf5867447d661) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
    21:03:17.0390 1932 ALCXWDM - ok
    21:03:17.0625 1932 AliIde - ok
    21:03:17.0812 1932 amsint - ok
    21:03:17.0968 1932 AR5211 (67f7d2c3a9265ee0534e36fe952f2ac4) C:\WINDOWS\system32\DRIVERS\ar5211.sys
    21:03:18.0000 1932 AR5211 - ok
    21:03:18.0218 1932 asc - ok
    21:03:18.0375 1932 asc3350p - ok
    21:03:18.0546 1932 asc3550 - ok
    21:03:18.0687 1932 aswFsBlk (054df24c92b55427e0757cfff160e4f2) C:\WINDOWS\system32\drivers\aswFsBlk.sys
    21:03:18.0687 1932 aswFsBlk - ok
    21:03:18.0843 1932 aswMon2 (ef0e9ad83380724bd6fbbb51d2d0f5b8) C:\WINDOWS\system32\drivers\aswMon2.sys
    21:03:18.0843 1932 aswMon2 - ok
    21:03:19.0000 1932 aswRdr (352d5a48ebab35a7693b048679304831) C:\WINDOWS\system32\drivers\aswRdr.sys
    21:03:19.0000 1932 aswRdr - ok
    21:03:19.0156 1932 aswSnx (8d34d2b24297e27d93e847319abfdec4) C:\WINDOWS\system32\drivers\aswSnx.sys
    21:03:19.0171 1932 aswSnx - ok
    21:03:19.0390 1932 aswSP (010012597333da1f46c3243f33f8409e) C:\WINDOWS\system32\drivers\aswSP.sys
    21:03:19.0421 1932 aswSP - ok
    21:03:19.0671 1932 aswTdi (f9f84364416658e9786235904d448d37) C:\WINDOWS\system32\drivers\aswTdi.sys
    21:03:19.0687 1932 aswTdi - ok
    21:03:19.0812 1932 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    21:03:19.0812 1932 AsyncMac - ok
    21:03:19.0921 1932 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    21:03:19.0937 1932 atapi - ok
    21:03:20.0109 1932 Atdisk - ok
    21:03:20.0218 1932 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    21:03:20.0218 1932 Atmarpc - ok
    21:03:20.0406 1932 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    21:03:20.0406 1932 audstub - ok
    21:03:20.0515 1932 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    21:03:20.0531 1932 Beep - ok
    21:03:20.0656 1932 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    21:03:20.0671 1932 cbidf2k - ok
    21:03:20.0843 1932 cd20xrnt - ok
    21:03:20.0906 1932 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    21:03:20.0906 1932 Cdaudio - ok
    21:03:21.0046 1932 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    21:03:21.0062 1932 Cdfs - ok
    21:03:21.0171 1932 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    21:03:21.0171 1932 Cdrom - ok
    21:03:21.0359 1932 Changer - ok
    21:03:21.0484 1932 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    21:03:21.0484 1932 CmBatt - ok
    21:03:21.0718 1932 CmdIde - ok
    21:03:21.0828 1932 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    21:03:21.0828 1932 Compbatt - ok
    21:03:22.0015 1932 Cpqarray - ok
    21:03:22.0187 1932 dac2w2k - ok
    21:03:22.0328 1932 dac960nt - ok
    21:03:22.0421 1932 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    21:03:22.0437 1932 Disk - ok
    21:03:22.0609 1932 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    21:03:22.0656 1932 dmboot - ok
    21:03:22.0812 1932 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    21:03:22.0828 1932 dmio - ok
    21:03:22.0906 1932 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    21:03:22.0906 1932 dmload - ok
    21:03:23.0031 1932 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    21:03:23.0031 1932 DMusic - ok
    21:03:23.0203 1932 dpti2o - ok
    21:03:23.0296 1932 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    21:03:23.0296 1932 drmkaud - ok
    21:03:23.0500 1932 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    21:03:23.0515 1932 Fastfat - ok
    21:03:23.0625 1932 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
    21:03:23.0625 1932 Fdc - ok
    21:03:23.0718 1932 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    21:03:23.0718 1932 Fips - ok
    21:03:23.0796 1932 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    21:03:23.0796 1932 Flpydisk - ok
    21:03:23.0921 1932 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    21:03:23.0921 1932 FltMgr - ok
    21:03:24.0031 1932 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    21:03:24.0031 1932 Fs_Rec - ok
    21:03:24.0125 1932 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    21:03:24.0125 1932 Ftdisk - ok
    21:03:24.0203 1932 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    21:03:24.0218 1932 Gpc - ok
    21:03:24.0343 1932 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    21:03:24.0343 1932 HidUsb - ok
    21:03:24.0609 1932 hpn - ok
    21:03:24.0765 1932 HSFHWSIS (5d2cc68ab58ef663af5803d0faa42d28) C:\WINDOWS\system32\DRIVERS\HSFHWSIS.sys
    21:03:24.0781 1932 HSFHWSIS - ok
    21:03:24.0953 1932 HSF_DP (dfa8f86c0dbca7db948043aa3be6793b) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
    21:03:25.0031 1932 HSF_DP - ok
    21:03:25.0250 1932 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    21:03:25.0281 1932 HTTP - ok
    21:03:25.0421 1932 i2omgmt - ok
    21:03:25.0640 1932 i2omp - ok
    21:03:25.0781 1932 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    21:03:25.0781 1932 i8042prt - ok
    21:03:25.0875 1932 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    21:03:25.0875 1932 Imapi - ok
    21:03:26.0046 1932 ini910u - ok
    21:03:26.0218 1932 IntelIde - ok
    21:03:26.0312 1932 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    21:03:26.0343 1932 intelppm - ok
    21:03:26.0500 1932 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    21:03:26.0500 1932 Ip6Fw - ok
    21:03:26.0625 1932 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    21:03:26.0625 1932 IpFilterDriver - ok
    21:03:26.0750 1932 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    21:03:26.0750 1932 IpInIp - ok
    21:03:26.0859 1932 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    21:03:26.0890 1932 IpNat - ok
    21:03:27.0031 1932 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    21:03:27.0031 1932 IPSec - ok
    21:03:27.0125 1932 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    21:03:27.0125 1932 IRENUM - ok
    21:03:27.0250 1932 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    21:03:27.0265 1932 isapnp - ok
    21:03:27.0390 1932 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    21:03:27.0390 1932 Kbdclass - ok
    21:03:27.0500 1932 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    21:03:27.0500 1932 kmixer - ok
    21:03:27.0687 1932 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    21:03:27.0703 1932 KSecDD - ok
    21:03:27.0890 1932 lbrtfdc - ok
    21:03:28.0046 1932 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys
    21:03:28.0046 1932 MBAMProtector - ok
    21:03:28.0187 1932 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
    21:03:28.0187 1932 mdmxsdk - ok
    21:03:28.0296 1932 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    21:03:28.0296 1932 mnmdd - ok
    21:03:28.0421 1932 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    21:03:28.0421 1932 Modem - ok
    21:03:28.0546 1932 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    21:03:28.0546 1932 Mouclass - ok
    21:03:28.0703 1932 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    21:03:28.0703 1932 mouhid - ok
    21:03:28.0781 1932 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    21:03:28.0781 1932 MountMgr - ok
    21:03:28.0953 1932 mraid35x - ok
    21:03:29.0046 1932 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    21:03:29.0046 1932 MRxDAV - ok
    21:03:29.0296 1932 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    21:03:29.0343 1932 MRxSmb - ok
    21:03:29.0453 1932 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    21:03:29.0453 1932 Msfs - ok
    21:03:29.0640 1932 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    21:03:29.0640 1932 MSKSSRV - ok
    21:03:29.0703 1932 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    21:03:29.0703 1932 MSPCLOCK - ok
    21:03:29.0765 1932 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    21:03:29.0765 1932 MSPQM - ok
    21:03:29.0921 1932 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    21:03:29.0921 1932 mssmbios - ok
    21:03:30.0093 1932 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
    21:03:30.0093 1932 Mup - ok
    21:03:30.0171 1932 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    21:03:30.0203 1932 NDIS - ok
    21:03:30.0281 1932 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    21:03:30.0281 1932 NdisTapi - ok
    21:03:30.0421 1932 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    21:03:30.0421 1932 Ndisuio - ok
    21:03:30.0484 1932 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    21:03:30.0500 1932 NdisWan - ok
    21:03:30.0703 1932 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    21:03:30.0718 1932 NDProxy - ok
    21:03:30.0796 1932 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    21:03:30.0796 1932 NetBIOS - ok
    21:03:30.0906 1932 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    21:03:30.0921 1932 NetBT - ok
    21:03:31.0062 1932 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    21:03:31.0062 1932 Npfs - ok
    21:03:31.0156 1932 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    21:03:31.0203 1932 Ntfs - ok
    21:03:31.0375 1932 NTIDrvr (7f1c1f78d709c4a54cbb46ede7e0b48d) C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys
    21:03:31.0390 1932 NTIDrvr - ok
    21:03:31.0500 1932 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    21:03:31.0515 1932 Null - ok
    21:03:31.0640 1932 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    21:03:31.0640 1932 NwlnkFlt - ok
    21:03:31.0718 1932 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    21:03:31.0734 1932 NwlnkFwd - ok
    21:03:31.0953 1932 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
    21:03:31.0953 1932 Parport - ok
    21:03:32.0125 1932 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    21:03:32.0125 1932 PartMgr - ok
    21:03:32.0218 1932 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    21:03:32.0234 1932 ParVdm - ok
    21:03:32.0406 1932 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    21:03:32.0406 1932 PCI - ok
    21:03:32.0734 1932 PCIDump - ok
    21:03:32.0843 1932 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    21:03:32.0843 1932 PCIIde - ok
    21:03:33.0015 1932 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
    21:03:33.0031 1932 Pcmcia - ok
    21:03:33.0218 1932 PDCOMP - ok
    21:03:33.0375 1932 PDFRAME - ok
    21:03:33.0531 1932 PDRELI - ok
    21:03:33.0687 1932 PDRFRAME - ok
    21:03:33.0828 1932 perc2 - ok
    21:03:34.0000 1932 perc2hib - ok
    21:03:34.0156 1932 pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys
    21:03:34.0156 1932 pfc - ok
    21:03:34.0359 1932 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    21:03:34.0359 1932 PptpMiniport - ok
    21:03:34.0593 1932 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    21:03:34.0593 1932 PSched - ok
    21:03:34.0718 1932 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    21:03:34.0718 1932 Ptilink - ok
    21:03:34.0890 1932 ql1080 - ok
    21:03:35.0109 1932 Ql10wnt - ok
    21:03:35.0296 1932 ql12160 - ok
    21:03:35.0437 1932 ql1240 - ok
    21:03:35.0625 1932 ql1280 - ok
    21:03:35.0734 1932 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    21:03:35.0734 1932 RasAcd - ok
    21:03:35.0937 1932 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    21:03:35.0953 1932 Rasl2tp - ok
    21:03:36.0140 1932 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    21:03:36.0140 1932 RasPppoe - ok
    21:03:36.0203 1932 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    21:03:36.0203 1932 Raspti - ok
    21:03:36.0390 1932 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    21:03:36.0390 1932 Rdbss - ok
    21:03:36.0515 1932 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    21:03:36.0531 1932 RDPCDD - ok
    21:03:36.0671 1932 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
    21:03:36.0671 1932 RDPWD - ok
    21:03:36.0890 1932 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    21:03:36.0906 1932 redbook - ok
    21:03:37.0187 1932 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    21:03:37.0203 1932 Secdrv - ok
    21:03:37.0421 1932 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
    21:03:37.0437 1932 Serial - ok
    21:03:37.0656 1932 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    21:03:37.0656 1932 Sfloppy - ok
    21:03:37.0843 1932 Simbad - ok
    21:03:37.0921 1932 SiS315 (8b3cdb4b1453b3a2e6e7300aabe50d0e) C:\WINDOWS\system32\DRIVERS\sisgrp.sys
    21:03:37.0953 1932 SiS315 - ok
    21:03:38.0125 1932 SISAGP (61ca562def09a782d26b3e7edec5369a) C:\WINDOWS\system32\DRIVERS\SISAGPX.sys
    21:03:38.0125 1932 SISAGP - ok
    21:03:38.0265 1932 SiSkp (87a5176a3762b1341619ce63152c1da9) C:\WINDOWS\system32\DRIVERS\srvkp.sys
    21:03:38.0265 1932 SiSkp - ok
    21:03:38.0406 1932 SISNICXP (47f39481bc8941e0d51601a85691448d) C:\WINDOWS\system32\DRIVERS\sisnicxp.sys
    21:03:38.0406 1932 SISNICXP - ok
    21:03:38.0562 1932 Sparrow - ok
    21:03:38.0734 1932 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    21:03:38.0734 1932 splitter - ok
    21:03:38.0953 1932 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    21:03:38.0968 1932 sr - ok
    21:03:39.0093 1932 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    21:03:39.0125 1932 Srv - ok
    21:03:39.0359 1932 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    21:03:39.0375 1932 swenum - ok
    21:03:39.0546 1932 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    21:03:39.0546 1932 swmidi - ok
    21:03:39.0750 1932 symc810 - ok
    21:03:39.0906 1932 symc8xx - ok
    21:03:40.0062 1932 sym_hi - ok
    21:03:40.0218 1932 sym_u3 - ok
    21:03:40.0343 1932 SynTP (eb363ddfbe8b6d51003ccab29d93d744) C:\WINDOWS\system32\DRIVERS\SynTP.sys
    21:03:40.0359 1932 SynTP - ok
    21:03:40.0578 1932 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    21:03:40.0578 1932 sysaudio - ok
    21:03:40.0812 1932 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    21:03:40.0828 1932 Tcpip - ok
    21:03:41.0031 1932 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    21:03:41.0031 1932 TDPIPE - ok
    21:03:41.0187 1932 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    21:03:41.0203 1932 TDTCP - ok
    21:03:41.0359 1932 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    21:03:41.0359 1932 TermDD - ok
    21:03:41.0578 1932 TosIde - ok
    21:03:41.0718 1932 uagp35 (d85938f272d1bcf3db3a31fc0a048928) C:\WINDOWS\system32\DRIVERS\uagp35.sys
    21:03:41.0718 1932 uagp35 - ok
    21:03:41.0828 1932 UBHelper (e0c67be430c6de490d6ccaecfa071f9e) C:\WINDOWS\system32\drivers\UBHelper.sys
    21:03:41.0828 1932 UBHelper - ok
    21:03:42.0062 1932 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    21:03:42.0078 1932 Udfs - ok
    21:03:42.0250 1932 ultra - ok
    21:03:42.0406 1932 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    21:03:42.0437 1932 Update - ok
    21:03:42.0609 1932 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    21:03:42.0609 1932 usbccgp - ok
    21:03:42.0875 1932 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    21:03:42.0875 1932 usbehci - ok
    21:03:43.0062 1932 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    21:03:43.0078 1932 usbhub - ok
    21:03:43.0234 1932 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
    21:03:43.0234 1932 usbohci - ok
    21:03:43.0421 1932 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    21:03:43.0437 1932 usbprint - ok
    21:03:43.0625 1932 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    21:03:43.0640 1932 USBSTOR - ok
    21:03:43.0828 1932 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    21:03:43.0828 1932 VgaSave - ok
    21:03:44.0000 1932 ViaIde - ok
    21:03:44.0156 1932 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    21:03:44.0156 1932 VolSnap - ok
    21:03:44.0359 1932 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    21:03:44.0359 1932 Wanarp - ok
    21:03:44.0531 1932 WDICA - ok
    21:03:44.0703 1932 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    21:03:44.0703 1932 wdmaud - ok
    21:03:44.0906 1932 winachsf (473ee64c368ce2eed110376c11960259) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
    21:03:44.0937 1932 winachsf - ok
    21:03:45.0281 1932 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    21:03:45.0296 1932 WudfPf - ok
    21:03:45.0484 1932 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    21:03:45.0484 1932 WudfRd - ok
    21:03:45.0578 1932 MBR (0x1B8) (99852d5c3a78447c3d6d82b6155fe848) \Device\Harddisk0\DR0
    21:03:46.0812 1932 \Device\Harddisk0\DR0 - ok
    21:03:46.0843 1932 Boot (0x1200) (d503977b2e8fc5bbc4b186d766dcc5db) \Device\Harddisk0\DR0\Partition0
    21:03:46.0843 1932 \Device\Harddisk0\DR0\Partition0 - ok
    21:03:46.0875 1932 Boot (0x1200) (9ffef2d4a28cd8685f42f66e73a3ce39) \Device\Harddisk0\DR0\Partition1
    21:03:46.0875 1932 \Device\Harddisk0\DR0\Partition1 - ok
    21:03:46.0875 1932 ============================================================
    21:03:46.0875 1932 Scan finished
    21:03:46.0875 1932 ============================================================
    21:03:46.0937 3196 Detected object count: 0
    21:03:46.0937 3196 Actual detected object count: 0
     
  8. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan:

    On completion of the scan click "Save log", save it to your desktop and post in your next reply:

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    =============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.

    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  9. satnamj

    satnamj TS Rookie Topic Starter

    Results of aswMBR and ComboFix

    a) aswMBR runs and log appended below.

    b) ComboFix runs initially and then freezes/hangs the PC.
    It starts up, performs a backup restore point and then opens a window, displays the message "this will take 10mins to run or longer for heavily infected systems" and then freezes. The laptop then has to be power-cycled.
    I followed your instructions to the letter (ensured antivirus/anti-malware were switched off, no programs were running, internet browser was not running).

    I also repeated this step 3 times (after restarting the laptop), same issue each time.

    Hence No ComboFix Log.

    DETAIL
    ======
    aswMBR LOG

    aswMBR version 0.9.9.1116 Copyright(c) 2011 AVAST Software
    Run date: 2011-12-23 21:53:47
    -----------------------------
    21:53:47.203 OS Version: Windows 5.1.2600 Service Pack 3
    21:53:47.203 Number of processors: 1 586 0xD08
    21:53:47.203 ComputerName: ACER-B0474DC4D4 UserName: satnam
    21:53:49.515 Initialize success
    21:53:49.609 AVAST engine defs: 11122301
    21:54:41.687 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    21:54:41.687 Disk 0 Vendor: WDC_WD400UE-00HCT0 09.07D09 Size: 38154MB BusType: 3
    21:54:43.718 Disk 0 MBR read successfully
    21:54:43.718 Disk 0 MBR scan
    21:54:44.046 Disk 0 unknown MBR code
    21:54:44.046 Disk 0 Partition 1 00 12 Compaq diag MSWIN4.1 3004 MB offset 63
    21:54:44.093 Disk 0 Partition 2 80 (A) 0C FAT32 LBA MSWIN4.1 17484 MB offset 6152895
    21:54:44.093 Disk 0 Partition - 00 0F Extended LBA 17665 MB offset 41961780
    21:54:44.109 Disk 0 Partition 3 00 0B FAT32 MSWIN4.1 17665 MB offset 41961843
    21:54:44.140 Disk 0 scanning sectors +78140160
    21:54:44.140 Disk 0 scanning C:\WINDOWS\system32\drivers
    21:54:52.312 Service scanning
    21:54:53.453 Modules scanning
    21:55:01.750 Disk 0 trace - called modules:
    21:55:02.000 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    21:55:02.000 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89791ab8]
    21:55:02.015 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000068[0x897c73b8]
    21:55:02.015 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8972bd98]
    21:55:02.328 AVAST engine scan C:\WINDOWS
    21:55:09.765 AVAST engine scan C:\WINDOWS\system32
    21:56:31.453 AVAST engine scan C:\WINDOWS\system32\drivers
    21:56:44.687 AVAST engine scan C:\Documents and Settings\satnam
    21:58:35.671 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\satnam\Desktop\__ANTI-VIRUS\LOGS\MBR.dat"
    21:58:35.687 The log file has been saved successfully to "C:\Documents and Settings\satnam\Desktop\__ANTI-VIRUS\LOGS\aswMBR-23dec2011.txt"
     
  10. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Try to run Combofix from safe mode.
     
  11. satnamj

    satnamj TS Rookie Topic Starter

    Attempt to run Rkill and ComboFix

    Hi Broni

    Thanks again for your super fast updates/responses to each of my previous posts. much appreciated.

    I still cannot get ComboFix to complete... following a run of RKILL, I get an additional line printed in the ComboFix window (see "C.)" below), but it still hangs the laptop.

    Here is an overview of each of my runs:

    A.) I ran ComboFix in SAFE mode and it also HUNG the laptop. I noticed that the clock display would freeze after about 3 mins of ComboFix being started (following the unzipping step, saving the registry, and then after the message
    ******** "Scanning for infected files will take 10mins to run or longer for heavily infected systems)" ********,
    the laptop then has to be power-cycled.


    B.) I then power cycled laptop and performed step "2" (Rkill/ComboFix).
    Downloaded Rkill.com.
    Downloaded and Renamed <MyNAme.Combofix>
    Ran RKILL.com (this completed successfully).
    However when I then ran the <MyNAme.Combofix> it now prints an additional message:
    ********"Scanning for infected files will take 10mins to run or longer for heavily infected systems.********
    ********"PevFind by Billy ONeal version 1.5.6, combofix edition syntax error 25:20:28 ********
    ********" Pass legal for license info until SAt Jun 25:23*)" ********

    BUT again FROZE laptop and CLOCK in system tray after 3 mins, as before.

    C.) I then power cycled laptop and performed step "2" (Rkill/ComboFix) in SAFE mode.
    Ran RKILL.com (this completed successfully).
    However when I then ran the <MyNAme.Combofix>, the CLOCK did not freeze, it continued to update the time.
    It printed an additional line/message in window:
    ********"Scanning for infected files will take 10mins to run or longer for heavily infected systems.********
    ********PevFind by Billy ONeal version 1.5.6, combofix edition syntax error 25:20:28 ********
    ********Pass legal for license info until SAt Jun 25:23*)" ********,

    However after 2 hours the ComboFix page had not refreshed (I did not click the ComboFix window).
    When I then click the "Windows/Start" button I realised the laptop had FROZEN, even though CLOCK was still updating time. Laptop had to be restarted.

    D.) I also noticed that if RKILL is run consecutively, it always generates the same message on the screen:
    *****"Terminating known Malware process, please be patient"*****

    Surely if the process is killed in the initial run of RKILL, why is the message repeated on the second run of RKILL (surely the process would have been removed by the initial run of RKILL)!!!!

    However on the second or successive run of RKILL there is no reference to the following message, which only appeared in the initial log: >>>>>>>>"C:\WINDOWS\system32\grpconv.exe"<<<<<<<<<<<<<<


    RKILL log file a
    ================================================================================================
    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 25/12/2011 at 10:20:14.
    Operating System: Microsoft Windows XP

    Processes terminated by Rkill or while it was running:

    C:\WINDOWS\system32\grpconv.exe

    Rkill completed on 25/12/2011 at 10:20:24.


    RKILL LOg file "b", ran immediately after previous RKILL
    ====================================================================================================
    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 25/12/2011 at 10:21:00.
    Operating System: Microsoft Windows XP

    Processes terminated by Rkill or while it was running:

    Rkill completed on 25/12/2011 at 10:21:08.
     
     
  12. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users,right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  13. satnamj

    satnamj TS Rookie Topic Starter

    Bootkit Remover - Output Log

    Hi Broni,

    Bootkit Remover output as below,

    cheers and Happy xmas
    Satnam



    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`bbc57e00
    Boot sector MD5 is: 7c47d39b31ef9830828d5f8aa4780dfd

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
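    The aswMBR log in post 9 and the Bootkit Remover output in post 13 both report "unknown MBR code" for this disk, and TDSSKiller earlier hashed the sector as "MBR (0x1B8)". The added example below (not code from this thread or from any of those tools) shows what those three tools are doing with the same 512 bytes: hash the boot code that precedes the disk signature, walk the four partition entries, and sanity-check the table. The partition entries are constructed to mirror the aswMBR output (types, LBA offsets and sizes; sector counts are derived from the next entry's offset and the 78140160-sector disk); the boot-code bytes are a placeholder and the known-good hash allowlist is an assumption, since the thread publishes no known-good boot-code hash.

```python
"""Parse a 512-byte MBR the way aswMBR, TDSSKiller and Bootkit Remover summarise it.

Added example, not code from the thread or from any tool named in it. Partition
entries mirror the aswMBR log; boot code is a constructed placeholder; the
known-good hash allowlist is an assumption (the thread gives no such hash).
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 0x1B8          # TDSSKiller's "MBR (0x1B8)": code before the disk signature
PART_TABLE_OFF = 0x1BE         # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of the sector

PART_TYPES = {
    0x05: "Extended", 0x07: "NTFS", 0x0B: "FAT32",
    0x0C: "FAT32 LBA", 0x0F: "Extended LBA", 0x12: "Compaq diag",
}


def build_mbr(boot_code, entries):
    """Assemble a sector from boot code and (boot_flag, type, lba_start, sectors) tuples."""
    if len(boot_code) > BOOT_CODE_LEN or len(entries) > 4:
        raise ValueError("boot code too long or too many partition entries")
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (flag, ptype, start, count) in enumerate(entries):
        # CHS fields are filled with 0xFE 0xFF 0xFF (the "use LBA" convention);
        # the tools on this page work from the LBA fields, so do we.
        struct.pack_into("<B3sB3sII", mbr, PART_TABLE_OFF + 16 * i,
                         flag, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
    mbr[510:] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr, known_good_md5=frozenset()):
    """Return the boot-code hash, the partition table and a list of findings."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    findings = []
    if mbr[510:] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")

    # Same verdict the tools print as "unknown MBR code": hash not on an allowlist.
    boot_md5 = hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest()
    if boot_md5 not in known_good_md5:
        findings.append("unknown boot code (md5 %s not in allowlist)" % boot_md5)

    parts = []
    for i in range(4):
        flag, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        if flag not in (0x00, 0x80):
            findings.append("entry %d: invalid boot flag 0x%02X" % (i + 1, flag))
        parts.append({
            "index": i + 1, "active": flag == 0x80, "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown 0x%02X" % ptype),
            "lba_start": start, "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })

    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append("%d active partitions (expected exactly 1)" % len(active))

    # Primary entries must not overlap; a shifted or hidden entry is a classic bootkit tell.
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("entries %d and %d overlap" % (a["index"], b["index"]))

    return {
        "boot_code_md5": boot_md5,
        "partitions": parts,
        # byte offset of the boot volume on the physical disk, as Bootkit Remover prints it
        "active_offset_bytes": active[0]["lba_start"] * SECTOR if len(active) == 1 else None,
        "findings": findings,
    }


# Constructed sample: partition table taken from the aswMBR log above;
# boot code is a placeholder, NOT the laptop's real MBR code.
SAMPLE_BOOT_CODE = b"\xeb\x3c\x90CONSTRUCTED-BOOT-CODE-NOT-REAL"
SAMPLE_ENTRIES = [
    (0x00, 0x12, 63,       6152832),   # Compaq diag, 3004 MB
    (0x80, 0x0C, 6152895,  35808885),  # FAT32 LBA, active, 17484 MB
    (0x00, 0x0F, 41961780, 36178380),  # Extended LBA, 17665 MB (logical FAT32 lives in its EBR)
]
SAMPLE_MBR = build_mbr(SAMPLE_BOOT_CODE, SAMPLE_ENTRIES)

if __name__ == "__main__":
    report = parse_mbr(SAMPLE_MBR)
    print("boot code md5:", report["boot_code_md5"])
    for p in report["partitions"]:
        print("  %d %s %-12s start=%-9d %5d MB" % (p["index"], "*" if p["active"] else " ",
                                                  p["type_name"], p["lba_start"], p["size_mb"]))
    print("active volume offset: 0x%X" % report["active_offset_bytes"])
    for f in report["findings"]:
        print("FINDING:", f)
```

    Run stand-alone it reproduces the aswMBR table and prints the active volume at byte offset 0xBBC57E00 (6152895 sectors times 512), which is the "\\.\PhysicalDrive0 at offset 0x00000000`bbc57e00" line Bootkit Remover printed for C:, so the two tools agree on where the boot volume starts. The point of the allowlist parameter is the caveat: an "unknown boot code" verdict only means the hash is not on the tool's list, which is a reason to dump and inspect the sector (as Bootkit Remover itself suggests with `remover.exe dump`), not proof on its own that the MBR is infected.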
     
  14. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
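Broni's post asks for OTL.txt to be pasted back; every PRC/MOD/SRV/DRV and file line in that log shares one bracket layout, `[date time | size | attributes | M] (Company) -- path`, with `File not found` lines for services whose binary is gone. As an added example (not OTL's code and not anything from this thread), here is a Python parser for those lines with a small triage pass that flags orphaned service registrations, loaded code with no company name, and executables sitting in user-writable folders; the sample lines are copied from the OTL.txt posted further down the thread, and the flag rules are my own starting point for review, not OTL's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# OTL prints every process/module/service/driver and file entry with one bracket
# header: [yyyy/mm/dd hh:mm:ss | size | attributes | M-or-C], then an optional
# (Company), an optional [start type | state] block for services and drivers,
# " -- " and the path, and for services an optional " -- (ServiceName)".
HEADER = (r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
          r"(?P<attrs>\S{4}) \| [MC]\]")
ENTRY_RE = re.compile(
    r"^(?:(?P<kind>PRC|MOD|SRV|DRV) - )?" + HEADER +
    r"(?: \((?P<company>[^)]*)\))?"
    r"(?: \[(?P<svcinfo>[^\]]+)\])?"
    r" -- (?P<path>\S.*?)(?: -- \((?P<svc>[^()]*)\).*)?$")
# Orphaned service/driver registrations: the registry key exists but the binary is gone.
MISSING_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - File not found \[(?P<svcinfo>[^\]]+)\] -- -- \((?P<svc>[^()]*)\)$")

CODE_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".ax", ".acm")
# Locations an unprivileged user (or anything running as that user) can write to.
USER_WRITABLE_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(Desktop|Application Data|Local Settings)\\"
    r"|\\Temp\\|\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


@dataclass
class Entry:
    kind: str                 # PRC, MOD, SRV, DRV, or FILE for bare file/folder lines
    path: Optional[str]
    company: Optional[str]    # None when OTL printed no "(...)" at all (folders); "" for "()"
    size: int
    timestamp: Optional[str]
    attrs: str
    state: Optional[str]      # last field of the [start | state] block, if any
    service: Optional[str]
    missing: bool = False


def parse_line(line: str) -> Optional[Entry]:
    """Parse one OTL line; return None for section headers and other non-entry lines."""
    line = line.strip()
    m = MISSING_RE.match(line)
    if m:
        return Entry(m["kind"], None, None, 0, None, "",
                     m["svcinfo"].split(" | ")[-1], m["svc"], missing=True)
    m = ENTRY_RE.match(line)
    if not m:
        return None
    info = m["svcinfo"].split(" | ") if m["svcinfo"] else []
    return Entry(m["kind"] or "FILE", m["path"], m["company"],
                 int(m["size"].replace(",", "")), m["ts"], m["attrs"],
                 info[-1] if info else None, m["svc"])


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def triage(entries: List[Entry]) -> List[Tuple[Optional[str], str]]:
    """Return (item, reason) pairs worth a human look; a hit is a review item, not a verdict."""
    findings = []
    for e in entries:
        if e.missing:
            findings.append((e.service, "service registered but its binary is missing"))
            continue
        if e.kind in ("PRC", "MOD", "SRV", "DRV") and e.company == "":
            findings.append((e.path, "loaded code carries no company name"))
        if e.path.lower().endswith(CODE_EXT) and USER_WRITABLE_RE.search(e.path):
            findings.append((e.path, "executable in a user-writable location"))
    return findings


# Sample lines copied from the OTL.txt posted later in this thread.
SAMPLE_LOG = r"""
========== Processes (SafeList) ==========
PRC - [2011/12/26 19:52:02 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\satnam\Desktop\__ANTI-VIRUS\OTL.exe
MOD - [2011/12/26 10:13:20 | 001,656,832 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\11122600\algo.dll
SRV - File not found [Auto | Stopped] -- -- (PEVSystemStart)
SRV - [2011/11/28 18:01:24 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
DRV - [2005/02/24 14:20:22 | 002,311,680 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
[2011/12/25 10:12:51 | 004,351,768 | R--- | C] (Swearware) -- C:\Documents and Settings\satnam\Desktop\satnamCF.exe
[2011/12/25 11:10:39 | 000,000,000 | --SD | C] -- C:\satnamCF
"""

if __name__ == "__main__":
    for item, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{reason}: {item}")
```

On the sample the two Desktop hits are the helper's own tools (OTL.exe and the renamed ComboFix), which is exactly why the output is a review list: it narrows hundreds of lines to the few a human should look at.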
     
  15. satnamj

    satnamj TS Rookie Topic Starter

    OTL.txt LOG file (part 1 of 2, as >50000 chars)

    Hi Broni,
    This is the first of 3 posts: OTL.txt (part 1 of 2), OTL.txt (part 2 of 2), OTL Extras.



    OTL logfile created on: 26/12/2011 19:57:03 - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\satnam\Desktop\__ANTI-VIRUS
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.5512)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    1.19 Gb Total Physical Memory | 0.67 Gb Available Physical Memory | 56.53% Memory free
    2.83 Gb Paging File | 2.44 Gb Available in Paging File | 86.28% Paging File free
    Paging file location(s): C:\pagefile.sys 1824 3648 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 17.07 Gb Total Space | 5.14 Gb Free Space | 30.11% Space Free | Partition Type: FAT32
    Drive D: | 17.24 Gb Total Space | 5.76 Gb Free Space | 33.38% Space Free | Partition Type: FAT32

    Computer Name: ACER-B0474DC4D4 | User Name: satnam | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/12/26 19:52:02 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\satnam\Desktop\__ANTI-VIRUS\OTL.exe
    PRC - [2011/11/28 18:01:24 | 003,744,552 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
    PRC - [2011/11/28 18:01:24 | 000,044,768 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    PRC - [2011/08/31 17:00:48 | 000,449,608 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    PRC - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    PRC - [2009/03/05 16:07:20 | 002,260,480 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2005/03/09 18:59:26 | 000,049,152 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Arcade\PCMService.exe
    PRC - [2005/03/04 13:13:04 | 000,032,768 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\Keyhook.exe
    PRC - [2005/02/23 18:13:10 | 000,077,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
    PRC - [2005/02/02 04:00:00 | 000,098,304 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIADE.EXE
    PRC - [2005/01/04 16:52:52 | 000,331,776 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\sistray.exe
    PRC - [2004/10/07 23:44:24 | 000,098,394 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    PRC - [2004/08/16 15:17:20 | 001,287,168 | ---- | M] (OSA Technologies Inc.) -- C:\Acer\eManager\anbmServ.exe


    ========== Modules (No Company Name) ==========

    MOD - [2011/12/26 10:13:20 | 001,656,832 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\11122600\algo.dll
    MOD - [2011/12/19 23:49:56 | 000,241,528 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\11122600\aswRep.dll


    ========== Win32 Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- -- (PEVSystemStart)
    SRV - File not found [Disabled | Stopped] -- -- (HidServ)
    SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
    SRV - [2011/11/28 18:01:24 | 000,044,768 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2004/08/16 15:17:20 | 001,287,168 | ---- | M] (OSA Technologies Inc.) [Auto | Running] -- C:\Acer\eManager\anbmServ.exe -- (anbmService)


    ========== Driver Services (SafeList) ==========

    DRV - [2011/11/28 17:53:54 | 000,435,032 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
    DRV - [2011/11/28 17:53:36 | 000,314,456 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2011/11/28 17:52:20 | 000,034,392 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2011/11/28 17:52:16 | 000,052,952 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2011/11/28 17:52:02 | 000,111,320 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
    DRV - [2011/11/28 17:51:50 | 000,020,568 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2011/11/28 17:48:50 | 000,030,808 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
    DRV - [2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
    DRV - [2005/03/02 00:09:02 | 000,240,640 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sisgrp.sys -- (SiS315)
    DRV - [2005/02/25 19:45:32 | 000,013,312 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srvkp.sys -- (SiSkp)
    DRV - [2005/02/24 14:20:22 | 002,311,680 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
    DRV - [2005/01/10 00:47:14 | 000,449,888 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
    DRV - [2004/12/15 00:18:34 | 000,200,576 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWSIS.sys -- (HSFHWSIS)
    DRV - [2004/12/15 00:18:28 | 000,703,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
    DRV - [2004/12/15 00:18:26 | 001,038,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
    DRV - [2004/11/05 01:43:58 | 000,032,768 | ---- | M] (SiS Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sisnicxp.sys -- (SISNICXP)
    DRV - [2003/12/05 18:46:36 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
    DRV - [2003/07/18 09:58:20 | 000,036,992 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\SISAGPX.sys -- (SISAGP)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\S-1-5-21-2811424395-234779374-2166534779-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
    IE - HKU\S-1-5-21-2811424395-234779374-2166534779-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..network.proxy.type: 0

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2011/12/18 06:38:20 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/12/19 03:53:48 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

    [2011/12/18 15:41:10 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\satnam\Application Data\Mozilla\Extensions
    [2011/12/19 03:53:48 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2011/12/18 06:38:20 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
    [2011/11/21 04:04:52 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2011/11/21 01:04:06 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2011/11/21 01:04:06 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

    O1 HOSTS File: ([2004/08/04 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - No CLSID value found.
    O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [EPSON Stylus DX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADE.EXE (SEIKO EPSON CORPORATION)
    O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
    O4 - HKLM..\Run: [LaunchApp] C:\WINDOWS\Alaunch.exe (Acer Inc.)
    O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
    O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
    O4 - HKLM..\Run: [PCMService] C:\Program Files\Arcade\PCMService.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
    O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
    O4 - HKLM..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\Keyhook.exe (Silicon Integrated Systems Corporation)
    O4 - HKLM..\Run: [SiSPower] C:\WINDOWS\System32\SiSPower.dll (Silicon Integrated Systems Corporation)
    O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
    O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
    O4 - HKU\S-1-5-21-2811424395-234779374-2166534779-1005..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe (Silicon Integrated Systems Corporation)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-2811424395-234779374-2166534779-1005\Software\Policies\Microsoft\Internet Explorer\Recovery present
    O7 - HKU\S-1-5-21-2811424395-234779374-2166534779-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\S-1-5-21-2811424395-234779374-2166534779-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1324256661234 (MUWebControl Class)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{9DE2ABCC-B931-42F1-A16A-A1B18F9A4340}: DhcpNameServer = 192.168.1.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Acer.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Acer.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2005/03/14 00:10:54 | 000,000,100 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: AppMgmt - File not found
    NetSvcs: HidServ - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2011/12/26 19:01:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\EPSON Creativity Suite
    [2011/12/26 18:59:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\EPSON Scan
    [2011/12/26 18:58:32 | 000,000,000 | ---D | C] -- C:\EPSON
    [2011/12/26 18:58:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\satnam\Application Data\InstallShield
    [2011/12/26 18:57:46 | 000,000,000 | ---D | C] -- C:\Program Files\EPSON
    [2011/12/26 18:57:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\EPSON
    [2011/12/26 18:56:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
    [2011/12/26 18:56:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\DRVSTORE
    [2011/12/26 18:55:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\EPSON
    [2011/12/25 11:10:39 | 000,000,000 | --SD | C] -- C:\satnamCF
    [2011/12/25 10:28:56 | 000,000,000 | -HSD | C] -- C:\FOUND.000
    [2011/12/25 10:12:51 | 004,351,768 | R--- | C] (Swearware) -- C:\Documents and Settings\satnam\Desktop\satnamCF.exe
    [2011/12/22 23:07:26 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2011/12/22 23:04:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2011/12/22 23:03:09 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/12/21 21:17:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{B49A644A-1076-4A3D-B124-DAA7862F2318}
    [2011/12/21 21:17:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iLivid
    [2011/12/21 21:17:40 | 000,000,000 | ---D | C] -- C:\Program Files\iLivid
    [2011/12/21 21:15:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\satnam\Local Settings\Application Data\PackageAware
    [2011/12/21 20:46:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\satnam\Local Settings\Application Data\Identities
    [2011/12/21 12:30:08 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Media Connect 2
    [2011/12/21 12:27:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\UMDF
    [2011/12/21 12:27:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
    [2011/12/19 03:53:46 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
    [2011/12/19 02:12:41 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 4.0
    [2011/12/19 00:57:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak
    [2011/12/18 17:48:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\satnam\Application Data\Macromedia
    [2011/12/18 17:44:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\satnam\My Documents\Downloads
    [2011/12/18 15:40:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\satnam\Local Settings\Application Data\Mozilla
    [2011/12/18 15:40:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\satnam\Application Data\Mozilla
    [2011/12/18 15:34:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
    [2011/12/18 15:29:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
    [2011/12/18 15:29:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
    [2011/12/18 15:29:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en-us
    [2011/12/18 15:29:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\en
    [2011/12/18 15:29:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
    [2011/12/18 15:28:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
    [2011/12/18 15:26:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\network diagnostic
    [2011/12/18 15:22:28 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
    [2011/12/18 15:22:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\EHome
    [2011/12/18 13:57:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
    [2011/12/18 12:40:17 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$MSI31Uninstall_KB893803v2$
    [2011/12/18 12:40:05 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\PreInstall
    [2011/12/18 12:40:03 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$hf_mig$
    [2011/12/18 12:33:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\SoftwareDistribution
    [2011/12/18 10:52:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
    [2011/12/18 10:52:49 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
    [2011/12/18 10:52:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    [2011/12/18 07:42:58 | 000,000,000 | R--D | C] -- C:\Documents and Settings\satnam\My Documents\My Videos
    [2011/12/18 07:42:58 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users\Documents\My Videos
    [2011/12/18 07:42:58 | 000,000,000 | R--D | C] -- C:\Documents and Settings\satnam\Start Menu\Programs\Administrative Tools
    [2011/12/18 06:47:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\satnam\Application Data\Malwarebytes
    [2011/12/18 06:46:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/12/18 06:46:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    [2011/12/18 06:46:32 | 000,022,216 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011/12/18 06:46:31 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/12/18 06:38:39 | 000,020,568 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
    [2011/12/18 06:38:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
    [2011/12/18 06:38:38 | 000,314,456 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
    [2011/12/18 06:38:37 | 000,435,032 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
    [2011/12/18 06:38:37 | 000,052,952 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
    [2011/12/18 06:38:37 | 000,034,392 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
    [2011/12/18 06:38:36 | 000,111,320 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
    [2011/12/18 06:38:36 | 000,105,176 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
    [2011/12/18 06:38:36 | 000,030,808 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
    [2011/12/18 06:38:19 | 000,199,816 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
    [2011/12/18 06:38:19 | 000,041,184 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
    [2011/12/18 06:38:00 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
    [2011/12/18 06:38:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
    [2011/12/18 06:34:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\satnam\Application Data\AdobeUM
    [2011/12/18 06:34:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\satnam\Local Settings\Application Data\Adobe
    [2011/12/18 06:33:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\satnam\My Documents\My eBooks
    [2011/12/18 06:33:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\satnam\Application Data\Adobe
    [2011/12/18 06:33:31 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
    [2011/12/18 06:24:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\satnam\Desktop\__ANTI-VIRUS
    [2011/12/14 13:06:10 | 000,000,000 | --SD | C] -- C:\Documents and Settings\satnam\UserData
    [2011/12/14 13:02:26 | 000,000,000 | --SD | C] -- C:\Documents and Settings\satnam\Application Data\Microsoft
    [2011/12/14 13:02:26 | 000,000,000 | --SD | C] -- C:\Documents and Settings\satnam\Cookies
    [2011/12/14 13:02:26 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\satnam\SendTo
    [2011/12/14 13:02:26 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\satnam\Recent
    [2011/12/14 13:02:26 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\satnam\Application Data
    [2011/12/14 13:02:26 | 000,000,000 | R--D | C] -- C:\Documents and Settings\satnam\Start Menu\Programs\Startup
    [2011/12/14 13:02:26 | 000,000,000 | R--D | C] -- C:\Documents and Settings\satnam\Start Menu
    [2011/12/14 13:02:26 | 000,000,000 | R--D | C] -- C:\Documents and Settings\satnam\My Documents\My Pictures
    [2011/12/14 13:02:26 | 000,000,000 | R--D | C] -- C:\Documents and Settings\satnam\My Documents\My Music
    [2011/12/14 13:02:26 | 000,000,000 | R--D | C] -- C:\Documents and Settings\satnam\My Documents
    [2011/12/14 13:02:26 | 000,000,000 | R--D | C] -- C:\Documents and Settings\satnam\Favorites
    [2011/12/14 13:02:26 | 000,000,000 | R--D | C] -- C:\Documents and Settings\satnam\Start Menu\Programs\Accessories
    [2011/12/14 13:02:26 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\satnam\Templates
    [2011/12/14 13:02:26 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\satnam\PrintHood
    [2011/12/14 13:02:26 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\satnam\NetHood
    [2011/12/14 13:02:26 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\satnam\Local Settings
    [2011/12/14 13:02:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\satnam\Local Settings\Application Data\Microsoft
    [2011/12/14 13:02:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\satnam\Application Data\Identities
    [2011/12/14 13:02:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\satnam\Desktop
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2011/12/26 19:04:44 | 000,009,662 | ---- | M] () -- C:\WINDOWS\EPISME00.SWB
    [2011/12/26 18:59:56 | 000,000,573 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\EPSON Scan.lnk
    [2011/12/26 13:16:02 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2011/12/26 13:16:00 | 1272,500,224 | -HS- | M] () -- C:\hiberfil.sys
    [2011/12/25 10:15:46 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\satnam\Desktop\rkill.com
    [2011/12/25 10:13:20 | 004,351,768 | R--- | M] (Swearware) -- C:\Documents and Settings\satnam\Desktop\satnamCF.exe
    [2011/12/22 23:07:34 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2011/12/22 16:21:02 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2811424395-234779374-2166534779-1006Core.job
    [2011/12/21 21:17:58 | 000,000,610 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iLivid Download Manager.lnk
    [2011/12/21 12:31:16 | 000,000,708 | ---- | M] () -- C:\Documents and Settings\satnam\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
    [2011/12/21 12:30:40 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2011/12/21 12:30:34 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
    [2011/12/21 12:30:34 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
    [2011/12/21 12:27:06 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
    [2011/12/21 12:26:10 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2011/12/19 03:53:50 | 000,000,632 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
    [2011/12/19 02:42:46 | 000,000,006 | ---- | M] () -- C:\ISACER.ID
    [2011/12/19 02:38:10 | 000,000,687 | ---- | M] () -- C:\Documents and Settings\satnam\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2011/12/19 02:17:46 | 000,001,411 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk
    [2011/12/19 02:17:24 | 000,160,344 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2011/12/18 16:14:58 | 000,313,514 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2011/12/18 16:14:58 | 000,041,066 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2011/12/18 15:47:20 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
    [2011/12/18 15:32:28 | 000,008,840 | ---- | M] () -- C:\WINDOWS\SEC139D.PNF
    [2011/12/18 15:25:52 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2011/12/18 15:25:06 | 000,002,948 | ---- | M] () -- C:\WINDOWS\SEC9.PNF
    [2011/12/18 14:11:24 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\satnam\Desktop\WindowsXP-KB936929-SP3-x86-ENU.exe
    [2011/12/18 12:28:40 | 000,000,859 | ---- | M] () -- C:\Documents and Settings\satnam\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
    [2011/12/18 12:28:40 | 000,000,841 | ---- | M] () -- C:\Documents and Settings\satnam\Desktop\Spybot - Search & Destroy.lnk
    [2011/12/18 06:46:40 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/12/18 06:38:40 | 000,001,597 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
    [2011/12/18 06:38:38 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
    [2011/12/14 13:03:34 | 000,000,083 | ---- | M] () -- C:\WINDOWS\ALaunch.ini
    [2011/12/14 13:01:18 | 000,000,795 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
    [2011/12/14 13:01:14 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2011/12/14 04:16:44 | 000,008,192 | ---- | M] () -- C:\WINDOWS\REGLOCS.OLD
    [2011/11/28 18:01:26 | 000,041,184 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
    [2011/11/28 18:01:24 | 000,199,816 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
    [2011/11/28 17:53:54 | 000,435,032 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
    [2011/11/28 17:53:36 | 000,314,456 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
    [2011/11/28 17:52:20 | 000,034,392 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
    [2011/11/28 17:52:16 | 000,052,952 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
    [2011/11/28 17:52:02 | 000,111,320 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
    [2011/11/28 17:52:00 | 000,105,176 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
    [2011/11/28 17:51:50 | 000,020,568 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
    [2011/11/28 17:48:50 | 000,030,808 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2011/12/26 19:04:39 | 000,009,662 | ---- | C] () -- C:\WINDOWS\EPISME00.SWB
    [2011/12/26 18:59:55 | 000,000,573 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\EPSON Scan.lnk
    [2011/12/26 18:58:12 | 000,111,932 | ---- | C] () -- C:\WINDOWS\System32\EPPICPrinterDB.dat
    [2011/12/26 18:58:12 | 000,031,053 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern131.dat
    [2011/12/26 18:58:12 | 000,027,417 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern121.dat
    [2011/12/26 18:58:12 | 000,026,154 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern1.dat
    [2011/12/26 18:58:12 | 000,024,903 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern3.dat
    [2011/12/26 18:58:12 | 000,021,390 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern5.dat
    [2011/12/26 18:58:12 | 000,020,148 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern2.dat
    [2011/12/26 18:58:12 | 000,011,811 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern4.dat
    [2011/12/26 18:58:12 | 000,004,943 | ---- | C] () -- C:\WINDOWS\System32\EPPICPattern6.dat
    [2011/12/26 18:58:12 | 000,001,146 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_DU.dat
    [2011/12/26 18:58:12 | 000,001,139 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_PT.dat
    [2011/12/26 18:58:12 | 000,001,139 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_BP.dat
    [2011/12/26 18:58:12 | 000,001,136 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_ES.dat
    [2011/12/26 18:58:12 | 000,001,129 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_FR.dat
    [2011/12/26 18:58:12 | 000,001,129 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_CF.dat
    [2011/12/26 18:58:12 | 000,001,120 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_IT.dat
    [2011/12/26 18:58:12 | 000,001,107 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_GE.dat
    [2011/12/26 18:58:12 | 000,001,104 | ---- | C] () -- C:\WINDOWS\System32\EPPICPresetData_EN.dat
    [2011/12/26 18:58:12 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
    [2011/12/26 18:58:11 | 000,013,732 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_EN.cfg
    [2011/12/26 18:58:11 | 000,006,442 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_IT.cfg
    [2011/12/26 18:58:11 | 000,006,347 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_PT.cfg
    [2011/12/26 18:58:11 | 000,006,347 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_BP.cfg
    [2011/12/26 18:58:11 | 000,006,335 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_GE.cfg
    [2011/12/26 18:58:11 | 000,006,195 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_FR.cfg
    [2011/12/26 18:58:11 | 000,006,195 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_CF.cfg
    [2011/12/26 18:58:11 | 000,006,122 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_DU.cfg
    [2011/12/26 18:58:11 | 000,006,103 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_ES.cfg
    [2011/12/26 18:58:11 | 000,005,817 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_KO.cfg
    [2011/12/26 18:58:11 | 000,005,436 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_SC.cfg
    [2011/12/26 18:58:11 | 000,002,889 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_RU.cfg
    [2011/12/26 18:58:11 | 000,002,426 | ---- | C] () -- C:\WINDOWS\System32\EPPICLocal_TC.cfg
    [2011/12/25 19:39:14 | 1272,500,224 | -HS- | C] () -- C:\hiberfil.sys
    [2011/12/25 10:17:40 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\satnam\Desktop\rkill.com
    [2011/12/22 23:07:33 | 000,000,211 | ---- | C] () -- C:\Boot.bak
    [2011/12/22 23:07:29 | 000,260,272 | RHS- | C] () -- C:\cmldr
    [2011/12/22 23:04:30 | 000,518,144 | ---- | C] () -- C:\WINDOWS\SWREG.exe
    [2011/12/22 23:04:30 | 000,406,528 | ---- | C] () -- C:\WINDOWS\SWSC.exe
    [2011/12/22 23:04:30 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2011/12/22 23:04:30 | 000,212,480 | ---- | C] () -- C:\WINDOWS\SWXCACLS.exe
    [2011/12/22 23:04:30 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2011/12/22 23:04:30 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2011/12/22 23:04:30 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2011/12/22 23:04:30 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2011/12/22 23:04:30 | 000,060,416 | ---- | C] () -- C:\WINDOWS\NIRCMD.exe
    [2011/12/21 21:17:57 | 000,000,610 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iLivid Download Manager.lnk
    [2011/12/21 12:27:05 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
    [2011/12/19 03:53:49 | 000,000,638 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
    [2011/12/19 03:53:49 | 000,000,632 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
    [2011/12/19 02:17:45 | 000,001,411 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk
    [2011/12/18 16:16:01 | 000,000,926 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2811424395-234779374-2166534779-1006Core.job
    [2011/12/18 15:32:27 | 000,008,840 | ---- | C] () -- C:\WINDOWS\SEC139D.PNF
    [2011/12/18 15:29:38 | 000,613,334 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplayer.chm
    [2011/12/18 15:29:38 | 000,343,204 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud7.wav
    [2011/12/18 15:29:38 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud9.wav
    [2011/12/18 15:29:38 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud8.wav
    [2011/12/18 15:29:38 | 000,069,612 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplayer.adm
    [2011/12/18 15:29:38 | 000,023,195 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmplay.chm
    [2011/12/18 15:29:38 | 000,010,457 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmptour.hta
    [2011/12/18 15:29:38 | 000,001,771 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmptour.css
    [2011/12/18 15:29:38 | 000,000,855 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpocm.inf
    [2011/12/18 15:29:38 | 000,000,420 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmploc.js
    [2011/12/18 15:29:37 | 000,354,468 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud1.wav
    [2011/12/18 15:29:37 | 000,343,204 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud6.wav
    [2011/12/18 15:29:37 | 000,172,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud3.wav
    [2011/12/18 15:29:37 | 000,086,196 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud5.wav
    [2011/12/18 15:29:37 | 000,086,180 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud4.wav
    [2011/12/18 15:29:37 | 000,086,180 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmpaud2.wav
    [2011/12/18 15:29:37 | 000,029,070 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmp.inf
    [2011/12/18 15:29:37 | 000,017,272 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmdm.inf
    [2011/12/18 15:29:37 | 000,006,769 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wmfsdk.inf
    [2011/12/18 15:29:36 | 000,572,557 | ---- | C] () -- C:\WINDOWS\System32\dllcache\rtuner.wmv
    [2011/12/18 15:29:36 | 000,300,969 | ---- | C] () -- C:\WINDOWS\System32\dllcache\viz.wmv
    [2011/12/18 15:29:36 | 000,077,307 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plyr_err.chm
    [2011/12/18 15:29:36 | 000,066,725 | ---- | C] () -- C:\WINDOWS\System32\dllcache\revert.wmz
    [2011/12/18 15:29:36 | 000,023,829 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tourbg.gif
    [2011/12/18 15:29:36 | 000,017,489 | ---- | C] () -- C:\WINDOWS\System32\dllcache\videobg.gif
    [2011/12/18 15:29:36 | 000,008,677 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm7.gif
    [2011/12/18 15:29:36 | 000,007,892 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm9.gif
    [2011/12/18 15:29:36 | 000,007,636 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm2.gif
    [2011/12/18 15:29:36 | 000,007,369 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm4.gif
    [2011/12/18 15:29:36 | 000,006,241 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm3.gif
    [2011/12/18 15:29:36 | 000,006,060 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm6.gif
    [2011/12/18 15:29:36 | 000,005,789 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm1.gif
    [2011/12/18 15:29:36 | 000,005,290 | ---- | C] () -- C:\WINDOWS\System32\dllcache\vidsamp.gif
    [2011/12/18 15:29:36 | 000,004,193 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm8.gif
    [2011/12/18 15:29:36 | 000,003,187 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tour.js
    [2011/12/18 15:29:36 | 000,002,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\wm5.gif
    [2011/12/18 15:29:36 | 000,002,469 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tplay.gif
    [2011/12/18 15:29:36 | 000,002,450 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tpause.gif
    [2011/12/18 15:29:36 | 000,002,375 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tplayh.gif
    [2011/12/18 15:29:36 | 000,002,371 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tpauseh.gif
    [2011/12/18 15:29:36 | 000,001,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst6.wpl
    [2011/12/18 15:29:36 | 000,001,477 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst5.wpl
    [2011/12/18 15:29:36 | 000,001,474 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst3.wpl
    [2011/12/18 15:29:36 | 000,001,451 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst12.wpl
    [2011/12/18 15:29:36 | 000,001,448 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst4.wpl
    [2011/12/18 15:29:36 | 000,001,398 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taon.gif
    [2011/12/18 15:29:36 | 000,001,380 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taonh.gif
    [2011/12/18 15:29:36 | 000,001,380 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taoff.gif
    [2011/12/18 15:29:36 | 000,001,367 | ---- | C] () -- C:\WINDOWS\System32\dllcache\taoffh.gif
    [2011/12/18 15:29:36 | 000,001,250 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst1.wpl
    [2011/12/18 15:29:36 | 000,001,148 | ---- | C] () -- C:\WINDOWS\System32\dllcache\snd.htm
    [2011/12/18 15:29:36 | 000,001,049 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst2.wpl
    [2011/12/18 15:29:36 | 000,001,046 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst7.wpl
    [2011/12/18 15:29:36 | 000,001,036 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst8.wpl
    [2011/12/18 15:29:36 | 000,000,908 | ---- | C] () -- C:\WINDOWS\System32\dllcache\skins.inf
    [2011/12/18 15:29:36 | 000,000,789 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst11.wpl
    [2011/12/18 15:29:36 | 000,000,787 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst10.wpl
    [2011/12/18 15:29:36 | 000,000,784 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst9.wpl
    [2011/12/18 15:29:36 | 000,000,783 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst13.wpl
    [2011/12/18 15:29:36 | 000,000,775 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst14.wpl
    [2011/12/18 15:29:36 | 000,000,733 | ---- | C] () -- C:\WINDOWS\System32\dllcache\plylst15.wpl
    [2011/12/18 15:29:35 | 000,375,519 | ---- | C] () -- C:\WINDOWS\System32\dllcache\nuskin.wmv
    [2011/12/18 15:29:35 | 000,022,060 | ---- | C] () -- C:\WINDOWS\System32\dllcache\npds.zip
    [2011/12/18 15:29:35 | 000,018,286 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplayer2.inf
    [2011/12/18 15:29:35 | 000,002,778 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplogoh.gif
    [2011/12/18 15:29:35 | 000,002,545 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mplogo.gif
    [2011/12/18 15:29:35 | 000,000,403 | ---- | C] () -- C:\WINDOWS\System32\dllcache\npdrmv2.zip
    [2011/12/18 15:29:34 | 000,457,607 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mdlib.wmv
    [2011/12/18 15:29:34 | 000,381,425 | ---- | C] () -- C:\WINDOWS\System32\dllcache\copycd.wmv
    [2011/12/18 15:29:34 | 000,184,959 | ---- | C] () -- C:\WINDOWS\System32\dllcache\compact.wmz
    [2011/12/18 15:29:34 | 000,009,585 | ---- | C] () -- C:\WINDOWS\System32\dllcache\controls.css
    [2011/12/18 15:29:34 | 000,008,298 | ---- | C] () -- C:\WINDOWS\System32\dllcache\contents.htm
    [2011/12/18 15:29:34 | 000,006,878 | ---- | C] () -- C:\WINDOWS\System32\dllcache\controls.js
    [2011/12/18 15:29:34 | 000,005,971 | ---- | C] () -- C:\WINDOWS\System32\dllcache\events.js
    [2011/12/18 15:29:34 | 000,000,999 | ---- | C] () -- C:\WINDOWS\System32\dllcache\bktrh.gif
    [2011/12/18 15:29:34 | 000,000,773 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cnth.gif
    [2011/12/18 15:29:34 | 000,000,773 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cnt.gif
    [2011/12/18 15:29:34 | 000,000,772 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cntd.gif
    [2011/12/18 15:29:34 | 000,000,760 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cloapph.gif
    [2011/12/18 15:29:34 | 000,000,717 | ---- | C] () -- C:\WINDOWS\System32\dllcache\cloapp.gif
    [2011/12/18 15:26:05 | 000,129,045 | ---- | C] () -- C:\WINDOWS\System32\drivers\cxthsfs2.cty
    [2011/12/18 15:26:05 | 000,064,352 | ---- | C] () -- C:\WINDOWS\System32\drivers\ativmc20.cod
    [2011/12/18 15:26:04 | 000,067,866 | ---- | C] () -- C:\WINDOWS\System32\drivers\netwlan5.img
    [2011/12/18 15:25:05 | 000,002,948 | ---- | C] () -- C:\WINDOWS\SEC9.PNF
    [2011/12/18 14:11:28 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\satnam\Desktop\WindowsXP-KB936929-SP3-x86-ENU.exe
    [2011/12/18 10:52:56 | 000,000,859 | ---- | C] () -- C:\Documents and Settings\satnam\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
    [2011/12/18 10:52:56 | 000,000,841 | ---- | C] () -- C:\Documents and Settings\satnam\Desktop\Spybot - Search & Destroy.lnk
    [2011/12/18 06:57:57 | 000,000,708 | ---- | C] () -- C:\Documents and Settings\satnam\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
    [2011/12/18 06:46:39 | 000,000,692 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
    [2011/12/18 06:38:39 | 000,001,597 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
    [2011/12/14 13:02:27 | 000,001,507 | ---- | C] () -- C:\Documents and Settings\satnam\Start Menu\Programs\Remote Assistance.lnk
    [2011/12/14 13:02:27 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\satnam\Start Menu\Programs\Windows Media Player.lnk
    [2011/12/14 13:02:27 | 000,000,687 | ---- | C] () -- C:\Documents and Settings\satnam\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2011/12/14 13:02:27 | 000,000,675 | ---- | C] () -- C:\Documents and Settings\satnam\Start Menu\Programs\Internet Explorer.lnk
    [2011/12/14 13:02:27 | 000,000,646 | ---- | C] () -- C:\Documents and Settings\satnam\Start Menu\Programs\Outlook Express.lnk
    [2011/12/14 13:02:27 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\satnam\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
    [2011/12/14 04:16:43 | 000,008,192 | ---- | C] () -- C:\WINDOWS\REGLOCS.OLD
    [2005/03/14 00:13:32 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2005/03/14 00:06:00 | 000,000,033 | ---- | C] () -- C:\WINDOWS\Acer.ini
    [2005/03/14 00:05:59 | 000,000,313 | ---- | C] () -- C:\WINDOWS\uninstall.ini
    [2005/03/14 00:05:59 | 000,000,222 | ---- | C] () -- C:\WINDOWS\FlashSaver.dat
    [2005/03/13 23:21:25 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIBUN4.dll
    [2005/03/13 23:20:34 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
    [2005/03/13 23:20:34 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMP3.dll
    [2005/03/13 23:20:34 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIFCD3.dll
    [2005/03/13 23:20:34 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK7.dll
    [2005/03/13 23:12:09 | 000,083,997 | ---- | C] () -- C:\WINDOWS\VGAsetup.ini
    [2005/03/13 23:12:07 | 000,032,768 | ---- | C] () -- C:\WINDOWS\InstFunc.exe
    [2005/03/13 23:11:55 | 000,100,871 | ---- | C] () -- C:\WINDOWS\System32\VGAunistlog.ini
    [2005/03/13 23:07:04 | 000,000,164 | ---- | C] () -- C:\WINDOWS\avrack.ini
    [2005/03/13 23:07:01 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
    [2005/03/13 23:07:01 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ChCfg.exe
    [2005/03/13 23:06:58 | 000,001,240 | ---- | C] () -- C:\WINDOWS\System32\drivers\alcxinit.dat
    [2005/03/13 23:01:55 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\sis760.bin
    [2005/03/13 23:01:55 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\sis741.bin
    [2005/03/13 23:01:55 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\sis660.bin
    [2005/03/13 23:00:08 | 000,037,776 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
    [2005/03/13 23:00:08 | 000,032,768 | ---- | C] () -- C:\WINDOWS\AMOVE.EXE
    [2005/03/13 22:58:50 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2005/03/13 22:52:37 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2005/03/13 22:51:20 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
    [2005/03/13 22:46:52 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2005/03/13 22:45:59 | 000,160,344 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2004/12/17 17:14:44 | 000,013,952 | ---- | C] () -- C:\WINDOWS\System32\drivers\UBHelper.sys
    [2001/12/26 16:12:30 | 000,065,536 | R--- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
    [2001/09/03 23:46:38 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
    [2001/07/30 16:33:56 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
    [2001/07/23 22:04:36 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll
    [1980/01/01 00:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [1980/01/01 00:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [1980/01/01 00:00:00 | 000,313,514 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [1980/01/01 00:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [1980/01/01 00:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [1980/01/01 00:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [1980/01/01 00:00:00 | 000,041,066 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [1980/01/01 00:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [1980/01/01 00:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [1980/01/01 00:00:00 | 000,004,524 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [1980/01/01 00:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
    [1980/01/01 00:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [1980/01/01 00:00:00 | 000,000,083 | ---- | C] () -- C:\WINDOWS\ALaunch.ini
     
  16. satnamj

    satnamj TS Rookie Topic Starter

OTL.txt (2 of 2)

    ========== LOP Check ==========

    [2011/12/18 06:38:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
    [2011/12/21 21:18:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{B49A644A-1076-4A3D-B124-DAA7862F2318}
    [2011/12/26 18:55:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EPSON

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2005/03/14 00:15:24 | 000,000,076 | RHS- | M] () -- C:\PRELOAD.AAA
    [2005/03/13 22:35:04 | 000,000,512 | -HS- | M] () -- C:\BOOTSECT.DOS
    [2011/12/18 15:25:52 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2004/08/04 05:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2011/12/22 23:07:34 | 000,000,327 | RHS- | M] () -- C:\boot.ini
    [2005/03/13 22:55:02 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2005/03/14 00:10:54 | 000,000,100 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2005/03/13 22:55:02 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2005/03/13 22:55:02 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2011/12/19 02:42:46 | 000,000,006 | ---- | M] () -- C:\ISACER.ID
    [2011/12/26 13:16:00 | 1912,602,624 | -HS- | M] () -- C:\pagefile.sys
    [2011/12/21 21:14:30 | 000,045,608 | ---- | M] () -- C:\TDSSKiller.2.6.23.0_21.12.2011_21.02.02_log.txt
    [2004/08/03 23:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
    [2011/12/14 13:01:14 | 000,000,211 | ---- | M] () -- C:\Boot.bak
    [2011/12/25 21:42:04 | 000,000,359 | ---- | M] () -- C:\rkill.log
    [2011/12/26 13:16:00 | 1272,500,224 | -HS- | M] () -- C:\hiberfil.sys

    < %systemroot%\Fonts\*.com >

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2005/03/13 22:54:26 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2004/07/01 11:09:46 | 000,187,392 | ---- | M] () -- C:\WINDOWS\Acer.scr
    [2011/11/28 18:01:26 | 000,041,184 | ---- | M] (AVAST Software) -- C:\WINDOWS\avastSS.scr
    [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2005/03/13 22:45:18 | 000,868,352 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav
    [2005/03/13 22:45:18 | 000,634,880 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
    [2005/03/13 22:45:18 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2011/12/18 15:30:12 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2011/12/19 02:38:16 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\satnam\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2005/03/13 23:01:42 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\satnam\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2011/12/18 13:45:10 | 204,472,320 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\satnam\Desktop\sj1WindowsXP-KB936929-SP3-x86-ENU.sj1.exe
    [2011/12/18 14:11:24 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\satnam\Desktop\WindowsXP-KB936929-SP3-x86-ENU.exe
    [2011/12/25 10:13:20 | 004,351,768 | R--- | M] (Swearware) -- C:\Documents and Settings\satnam\Desktop\satnamCF.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [2004/08/04 05:00:00 | 000,000,791 | ---- | M] () -- C:\WINDOWS\ADDINS\fxsext.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2011/12/19 02:38:16 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\satnam\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2011/12/26 19:23:38 | 000,065,536 | ---- | M] () -- C:\Documents and Settings\satnam\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2009/01/30 17:40:22 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2004/08/04 01:06:34 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
    [2004/08/04 01:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
    [2004/08/04 01:06:36 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
    [2004/08/04 01:06:36 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
    [2004/08/04 01:06:36 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
    [2004/08/04 01:06:36 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
    [2004/08/04 01:06:36 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm
    [2008/04/14 05:42:30 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
    [2008/04/13 23:00:30 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
    [2008/04/14 05:41:52 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
    [2008/05/02 14:01:50 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >
    [1998/12/24 17:15:38 | 000,345,983 | ---- | M] () -- C:\WINDOWS\system\RCDSETUP.EXE

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
    "NoAutoUpdate" = 0

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    < End of report >
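The OTL listing above is a flat text format (`[date | size | attributes | M/C] (company) -- path`) that is tedious to read by eye once it runs to a few hundred lines. The following is an added example, not part of satnamj's post or of OTL itself, that parses those lines and applies two triage heuristics a responder would typically start with: recently created executables under %SystemRoot% that carry no company name, and hidden+system files sitting in the drive root that are not one of the known XP boot files. The extension list, the 30-day window, the boot-file whitelist and the scan date (taken from the Extras header, 26/12/2011 19:57:03) are assumptions chosen for this example; the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# One OTL file entry, e.g.
# [2011/12/22 23:04:30 | 000,518,144 | ---- | C] () -- C:\WINDOWS\SWREG.exe
# Summary lines such as "[1 C:\WINDOWS\*.tmp files -> ...]" do not match and are skipped.
OTL_LINE = re.compile(
    r"^\s*\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-RHSD]{4}) \| (?P<kind>[MC])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$"
)

# Sample input: lines copied from the OTL log posted above.
SAMPLE_LINES = r"""
[2011/12/22 23:04:30 | 000,518,144 | ---- | C] () -- C:\WINDOWS\SWREG.exe
[2011/12/22 23:04:30 | 000,060,416 | ---- | C] () -- C:\WINDOWS\NIRCMD.exe
[2011/11/28 18:01:24 | 000,199,816 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2011/12/18 15:25:52 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2011/12/22 23:07:29 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2005/03/13 23:12:07 | 000,032,768 | ---- | C] () -- C:\WINDOWS\InstFunc.exe
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
"""

# Assumed scan time, taken from the "OTL Extras logfile created on" header in the thread.
SCAN_DATE = datetime(2011, 12, 26, 19, 57, 3)

# Heuristic parameters (assumptions for this example, tune per case).
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".cpl")
SYSTEM_DIRS = ("c:\\windows\\",)  # also covers System32 and drivers beneath it
KNOWN_ROOT_BOOT_FILES = {
    "ntldr", "ntdetect.com", "boot.ini", "bootsect.dos", "io.sys",
    "msdos.sys", "pagefile.sys", "hiberfil.sys",
}


@dataclass
class OtlEntry:
    timestamp: datetime
    size: int
    attrs: str      # four flags drawn from R H S D, '-' when unset
    kind: str       # 'M' = listed by modified date, 'C' = listed by created date
    company: str    # empty when OTL printed "()"
    path: str


def parse_otl(text: str) -> List[OtlEntry]:
    """Turn OTL file-listing lines into structured entries; non-matching lines are ignored."""
    entries: List[OtlEntry] = []
    for line in text.splitlines():
        m = OTL_LINE.match(line)
        if not m:
            continue
        entries.append(OtlEntry(
            timestamp=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            kind=m["kind"],
            company=m["company"].strip(),
            path=m["path"],
        ))
    return entries


def flag_entries(entries: List[OtlEntry], scan_date: datetime,
                 window_days: int = 30) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries worth a closer look. Leads, not verdicts."""
    cutoff = scan_date - timedelta(days=window_days)
    findings: List[Tuple[str, str]] = []
    for e in entries:
        low = e.path.lower()
        name = low.rsplit("\\", 1)[-1]
        in_drive_root = low.count("\\") == 1          # e.g. C:\cmldr
        if (low.endswith(EXEC_EXT) and not e.company
                and low.startswith(SYSTEM_DIRS) and e.timestamp >= cutoff):
            findings.append((e.path, "recent executable in %SystemRoot% with no company name"))
        elif (in_drive_root and "H" in e.attrs and "S" in e.attrs
              and name not in KNOWN_ROOT_BOOT_FILES):
            findings.append((e.path, "hidden+system file in drive root outside the known boot files"))
    return findings


if __name__ == "__main__":
    for path, reason in flag_entries(parse_otl(SAMPLE_LINES), SCAN_DATE):
        print(f"{path}: {reason}")
```

On the sample it flags C:\WINDOWS\SWREG.exe, C:\WINDOWS\NIRCMD.exe and C:\cmldr, and passes ntldr, the avast driver and the 2005-era Acer file. Treat the output as a worklist: the flagged items here were all created within minutes of each other on 2011/12/22 alongside the other helper binaries in the same listing, which is the kind of timeline correlation (plus a hash check) you would do before deciding any of them is malicious rather than a cleanup tool's own files.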
     
  17. satnamj

    satnamj TS Rookie Topic Starter

EXTRAS.txt (OTL) LOG file

    OTL Extras logfile created on: 26/12/2011 19:57:03 - Run 1
    OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\satnam\Desktop\__ANTI-VIRUS
    Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 6.0.2900.5512)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    1.19 Gb Total Physical Memory | 0.67 Gb Available Physical Memory | 56.53% Memory free
    2.83 Gb Paging File | 2.44 Gb Available in Paging File | 86.28% Paging File free
    Paging file location(s): C:\pagefile.sys 1824 3648 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 17.07 Gb Total Space | 5.14 Gb Free Space | 30.11% Space Free | Partition Type: FAT32
    Drive D: | 17.24 Gb Total Space | 5.76 Gb Free Space | 33.38% Space Free | Partition Type: FAT32

    Computer Name: ACER-B0474DC4D4 | User Name: satnam | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

    [HKEY_USERS\S-1-5-21-2811424395-234779374-2166534779-1005\SOFTWARE\Classes\<extension>]
    .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- Reg Error: Key error.
    InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
    "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    "{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Arcade 3.0
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{385979FE-DC4F-4140-8EAD-A59625000D72}" = NTI Backup NOW! 4
    "{67EDD823-135A-4D59-87BD-950616D6E857}" = EPSON Copy Utility 3
    "{827289F5-B44F-4E49-9993-840741585A62}" = Acer eManager for Notebook
    "{8D15E1B2-D2B7-4A17-B44B-D2DDE5981406}" = iLivid
    "{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    "{AC76BA86-7AD7-1033-7B44-000000000001}" = Adobe Reader 6.0
    "{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
    "{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
    "{DC226AC9-0314-496C-BE6A-B6A132628466}" = SiSAGP driver
    "{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
    "Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
    "avast" = avast! Free Antivirus
    "CNXT_MODEM_PCI_VEN_1039&DEV_7013&SUBSYS_00821025" = SoftV90 Data Fax Modem with SmartCP
    "EPSON Printer and Utilities" = EPSON Printer Software
    "EPSON Scanner" = EPSON Scan
    "iLivid" = iLivid
    "InstallShield_{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
    "InstallShield_{385979FE-DC4F-4140-8EAD-A59625000D72}" = NTI Backup NOW! 4
    "InstallShield_{827289F5-B44F-4E49-9993-840741585A62}" = Acer eManager for Notebook
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
    "Mozilla Firefox 8.0.1 (x86 en-US)" = Mozilla Firefox 8.0.1 (x86 en-US)
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "SiS VGA Driver" = SiS VGA Utilities
    "SiSLan" = SiS 900 PCI Fast Ethernet Adapter Driver
    "SynTPDeinstKey" = Synaptics Pointing Device Driver
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 23/12/2011 15:10:19 | Computer Name = ACER-B0474DC4D4 | Source = Application Error | ID = 1000
    Description = Faulting application teatimer.exe, version 1.6.6.32, faulting module
    kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

    Error - 23/12/2011 18:02:00 | Computer Name = ACER-B0474DC4D4 | Source = Application Error | ID = 1000
    Description = Faulting application teatimer.exe, version 1.6.6.32, faulting module
    teatimer.exe, version 1.6.6.32, fault address 0x0006e66e.

    Error - 24/12/2011 07:04:16 | Computer Name = ACER-B0474DC4D4 | Source = Application Error | ID = 1000
    Description = Faulting application teatimer.exe, version 1.6.6.32, faulting module
    kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

    Error - 25/12/2011 06:19:24 | Computer Name = ACER-B0474DC4D4 | Source = Application Error | ID = 1000
    Description = Faulting application teatimer.exe, version 1.6.6.32, faulting module
    kernel32.dll, version 5.1.2600.5781, fault address 0x00012afb.

    [ System Events ]
    Error - 25/12/2011 07:55:22 | Computer Name = ACER-B0474DC4D4 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service netman with
    arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

    Error - 25/12/2011 07:55:32 | Computer Name = ACER-B0474DC4D4 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service netman with
    arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

    Error - 25/12/2011 07:55:33 | Computer Name = ACER-B0474DC4D4 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service netman with
    arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

    Error - 25/12/2011 07:56:06 | Computer Name = ACER-B0474DC4D4 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service netman with
    arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

    Error - 25/12/2011 07:56:36 | Computer Name = ACER-B0474DC4D4 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service netman with
    arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

    Error - 25/12/2011 07:56:44 | Computer Name = ACER-B0474DC4D4 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service netman with
    arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

    Error - 25/12/2011 07:56:48 | Computer Name = ACER-B0474DC4D4 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service netman with
    arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

    Error - 25/12/2011 07:58:29 | Computer Name = ACER-B0474DC4D4 | Source = DCOM | ID = 10005
    Description = DCOM got error "%1084" attempting to start the service netman with
    arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

    Error - 25/12/2011 15:39:18 | Computer Name = ACER-B0474DC4D4 | Source = Dhcp | ID = 1002
    Description = The IP address lease 192.168.1.3 for the Network Card with network
    address 00C09F9D7B9C has been denied by the DHCP server 192.168.1.1 (The DHCP Server
    sent a DHCPNACK message).

    Error - 26/12/2011 09:16:02 | Computer Name = ACER-B0474DC4D4 | Source = Dhcp | ID = 1002
    Description = The IP address lease 192.168.1.2 for the Network Card with network
    address 00C09F9D7B9C has been denied by the DHCP server 192.168.1.1 (The DHCP Server
    sent a DHCPNACK message).


    < End of report >
     
  18. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      SRV - File not found [Auto | Stopped] -- -- (PEVSystemStart)
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - No CLSID value found.
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered and reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ===========================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave the reading of the results to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on the Start button to begin the cleaning process.
    • TFC will close all running programs, and it may ask you to restart the computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce any log.
     
  19. satnamj

    satnamj TS Rookie Topic Starter

    Result of OTL/Custom Scans - Fixes

    All processes killed
    ========== OTL ==========
    Service PEVSystemStart stopped successfully!
    Service PEVSystemStart deleted successfully!
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\ not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32768 bytes

    User: All Users

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: LocalService
    ->Temp folder emptied: 65984 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: satnam
    ->Temp folder emptied: 210753766 bytes
    ->Temporary Internet Files folder emptied: 72053816 bytes
    ->FireFox cache emptied: 355541127 bytes
    ->Flash cache emptied: 2271 bytes

    User: sunny
    ->Temp folder emptied: 4898836 bytes
    ->Temporary Internet Files folder emptied: 69732678 bytes
    ->FireFox cache emptied: 105672931 bytes
    ->Google Chrome cache emptied: 7121994 bytes
    ->Flash cache emptied: 2072 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 19569 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 2819586 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 790.00 mb


    [EMPTYFLASH]

    User: Default User

    User: All Users

    User: NetworkService

    User: LocalService

    User: satnam
    ->Flash cache emptied: 0 bytes

    User: sunny
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.31.0 log created on 12262011_231724

    Files\Folders moved on Reboot...
    File\Folder C:\WINDOWS\temp\_avast_\Webshlock.txt not found!

    Registry entries deleted on Reboot...
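    The fix script from post 18 and the log it produced above can be cross-checked mechanically. The following Python script is an added example (not OTL's own code, nor anything posted by Broni or satnamj): it parses the :OTL and :Commands sections of the script and confirms each requested removal or directive against the log text, assuming the log wording shown in this thread ("deleted successfully!", upper-case [EMPTYTEMP]/[EMPTYFLASH] section headers).

```python
import re

# Added example, not OTL's own code: cross-check an OTL fix script against the
# log OTL wrote, so each requested removal or directive is confirmed or flagged.
# The script and log lines below are the ones posted in this thread.
FIX_SCRIPT = """\
:OTL
SRV - File not found [Auto | Stopped] -- -- (PEVSystemStart)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - No CLSID value found.

:Commands
[purity]
[emptytemp]
[emptyflash]
[Reboot]
"""

FIX_LOG = r"""========== OTL ==========
Service PEVSystemStart stopped successfully!
Service PEVSystemStart deleted successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\ not found.
========== COMMANDS ==========
[EMPTYTEMP]
Total Files Cleaned = 790.00 mb
[EMPTYFLASH]
Total Flash Files Cleaned = 0.00 mb
"""

SRV_RE = re.compile(r"^SRV - .*\((?P<name>[^)]+)\)$")
BHO_RE = re.compile(r"^O2 - BHO: .* - (?P<clsid>\{[0-9A-Fa-f-]+\}) - ")


def parse_fix_script(text):
    """Return (items, commands): items are ('service', name) or ('bho', clsid)
    taken from the :OTL section; commands are the [directives] of :Commands."""
    items, commands, section = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith(":"):
            section = line[1:].lower()
        elif section == "otl":
            m = SRV_RE.match(line)
            if m:
                items.append(("service", m.group("name")))
            else:
                m = BHO_RE.match(line)
                if m:
                    items.append(("bho", m.group("clsid")))
        elif section == "commands" and line.startswith("[") and line.endswith("]"):
            commands.append(line[1:-1].lower())
    return items, commands


def verify_fix(script, log):
    """Map each requested removal or directive to True when the log confirms it."""
    items, commands = parse_fix_script(script)
    results = {}
    for kind, ident in items:
        if kind == "service":
            results[(kind, ident)] = f"Service {ident} deleted successfully!" in log
        else:  # OTL reports the BHO registration key under Browser Helper Objects
            results[(kind, ident)] = f"Browser Helper Objects\\{ident}\\ deleted successfully." in log
    for cmd in commands:
        if cmd in ("emptytemp", "emptyflash"):
            # OTL echoes these directives as upper-case section headers in the log
            results[("command", cmd)] = f"[{cmd.upper()}]" in log
    return results
```

Any entry that comes back False is an item the fix did not confirm and is worth re-scanning for before declaring the machine clean.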
     
  20. satnamj

    satnamj TS Rookie Topic Starter

    Continuation of Post 19

    Hi Broni,

    Thanks again for such a speedy response !

    Appended below are the results in response to post 18.
    Post 19 contained the initial log (Result of OTL/Custom Scans - Fixes) and all successive logs are in this post.

    rgds
    satnam

    Summary
    ========
    checkup- SecurityCheck >>>>>>> ran OK, log below.

    Temp File Cleaner (TFC) >>>>>>> ran OK.

    ESET Online Scanner >>>>>>> ran OK and the result was "NO THREATS FOUND"; it scanned 44,206 files.


    DETAIL LOG
    ==========

    checkup- SecurityCheck log
    ======================
    Results of screen317's Security Check version 0.99.24
    Windows XP Service Pack 3 x86
    Internet Explorer 6 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    avast! Free Antivirus
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Adobe Flash Player 11.1.102.55
    Mozilla Firefox (x86 en-US..)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Malwarebytes' Anti-Malware mbamservice.exe
    satnam Desktop __ANTI-VIRUS SecurityCheck.exe
    AVAST Software Avast AvastSvc.exe
    AVAST Software Avast avastUI.exe
    ``````````End of Log````````````
     
  21. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Upgrade Internet Explorer to version 8.

    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered and reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    12. Read "How did I get infected?, With steps so it does not happen again!": http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please let me know how your computer is doing.
     
  22. satnamj

    satnamj TS Rookie Topic Starter

    OTL LOG (for reset system restore)

    Hi Broni,

    Here is the OTL Log (further below).

    By the way, thank you for your time, effort and support.
    You truly are a kindly, charitable soul that helps people you have never met.
    I will definitely make a paypal contribution to you.


    Question 1
    =========
    In Post 5 , I could not get DDS to run.
    In post 11, I could not get ComboFix to run
    Are these significant issues? Why did they not run? Should I try to run them again?

    Question 2
    =========
    What was the fault/bug that was discovered on my laptop?


    Question 3
    =========
    Do you recommend installing & running SPYBOT on my computer, in addition to Malwarebytes?

    thank you so much
    Love, Light, Peace
    Satnam



    OTL LOG
    ========
    All processes killed
    ========== OTL ==========
    Service PEVSystemStart stopped successfully!
    Service PEVSystemStart deleted successfully!
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\ not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32768 bytes

    User: All Users

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: LocalService
    ->Temp folder emptied: 65984 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: satnam
    ->Temp folder emptied: 210753766 bytes
    ->Temporary Internet Files folder emptied: 72053816 bytes
    ->FireFox cache emptied: 355541127 bytes
    ->Flash cache emptied: 2271 bytes

    User: sunny
    ->Temp folder emptied: 4898836 bytes
    ->Temporary Internet Files folder emptied: 69732678 bytes
    ->FireFox cache emptied: 105672931 bytes
    ->Google Chrome cache emptied: 7121994 bytes
    ->Flash cache emptied: 2072 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 19569 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 2819586 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 790.00 mb


    [EMPTYFLASH]

    User: Default User

    User: All Users

    User: NetworkService

    User: LocalService

    User: satnam
    ->Flash cache emptied: 0 bytes

    User: sunny
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.31.0 log created on 12262011_231724

    Files\Folders moved on Reboot...
    File\Folder C:\WINDOWS\temp\_avast_\Webshlock.txt not found!

    Registry entries deleted on Reboot...
     
  23. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    Are you still having any issues?
     
  24. satnamj

    satnamj TS Rookie Topic Starter

    response to Broni question

    Broni,

    Hey Buddy, the computer is running FINE.

    I was just interested in the answers to my questions in my previous post.

    cheers
    satnam
     
  25. Broni

    Broni Malware Annihilator Posts: 46,865   +254

    1. OTL is an equivalent to DDS so no worries there.
    I've seen some computers (with nothing wrong with them) refusing to run Combofix.
    I have no explanation as to why.
    Probably a combination of some installed/running programs.

    2.
    That was the only serious issue I've noticed.

    3. No. Spybot is a tool of the past.
    If you want something secondary to MBAM:
    - SUPERAntiSpyware Free Edition: http://www.superantispyware.com/download.html


    Good luck and stay safe :)
     

