jgowell21 (Honorary Members) | Posts: 29 | Reputation: 0 Neutral
Olmarik.tdl4 remnant issues. Help appreciated.
jgowell21 replied to jgowell21's topic in Resolved Malware Removal Logs
Alright, with that done, I think it is finally time to close this topic. Thanks again for the help!
Olmarik.tdl4 remnant issues. Help appreciated.
jgowell21 replied to jgowell21's topic in Resolved Malware Removal Logs
Ran Cleanup but the TDSSKiller_Quarantine folder remains. Should I manually delete those files?
Olmarik.tdl4 remnant issues. Help appreciated.
jgowell21 replied to jgowell21's topic in Resolved Malware Removal Logs
Ran one final scan with ESET and it came up with the following:

C:\Documents and Settings\d\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\2\29636cc2-72519e87 » ZIP » a/ppbwjge.class - a variant of Java/Exploit.Agent.NCW trojan
C:\Documents and Settings\d\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\2\29636cc2-72519e87 » ZIP » a/cukg.class - a variant of Java/Exploit.Agent.NCW trojan
C:\Documents and Settings\d\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\2\29636cc2-72519e87 » ZIP » a/bqwyewbkt.class - a variant of Java/Exploit.Agent.NCW trojan
C:\Documents and Settings\d\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\2\29636cc2-72519e87 » ZIP » vjlkintv - a variant of Win32/Kryptik.AIVI trojan

I'd appreciate any advice. Thanks.
Olmarik.tdl4 remnant issues. Help appreciated.
jgowell21 replied to jgowell21's topic in Resolved Malware Removal Logs
One last note: I ran Kaspersky Virus Removal Tool to see if that would catch anything, and the only time it "detected" anything was those objects already quarantined by TDSSKiller that were in a "TDSSKiller_Quarantine" folder. Is it safe for me to delete those files in the "TDSSKiller_Quarantine" folder?
Olmarik.tdl4 remnant issues. Help appreciated.
jgowell21 replied to jgowell21's topic in Resolved Malware Removal Logs
Seems like things are fine. RK doesn't list anything under "Infections" anymore. If I need additional help, I'll start a new topic. Thanks again for all the help, Maniac.
Olmarik.tdl4 remnant issues. Help appreciated.
jgowell21 replied to jgowell21's topic in Resolved Malware Removal Logs
When I went to the "_OTL/MovedFiles" log I found some additional lines at the end after "Restore Point Set":

OTL by OldTimer - Version 3.2.54.1 log created on 07242012_190646

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
Olmarik.tdl4 remnant issues. Help appreciated.
jgowell21 replied to jgowell21's topic in Resolved Malware Removal Logs
Update: After the 2nd failed Safe Mode attempt, I decided to try to run the OTL custom fix provided. I think it was successful and came up with this log file once I rebooted.

All processes killed
========== OTL ==========
Prefs.js: vshare@toolbar:1.0.0 removed from extensions.enabledItems
C:\Documents and Settings\d\Application Data\Mozilla\Firefox\Profiles\i2udtmcg.default\extensions\vshare@toolbar\META-INF folder moved successfully.
C:\Documents and Settings\d\Application Data\Mozilla\Firefox\Profiles\i2udtmcg.default\extensions\vshare@toolbar\chrome folder moved successfully.
C:\Documents and Settings\d\Application Data\Mozilla\Firefox\Profiles\i2udtmcg.default\extensions\vshare@toolbar folder moved successfully.
C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\L\00000004.@ moved successfully.
C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\@ moved successfully.
C:\Documents and Settings\d\Local Settings\Application Data\{766ae966-0c13-0485-0d28-523fb79d5fb4}\@ moved successfully.
========== FILES ==========
C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\U folder moved successfully.
C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\L folder moved successfully.
C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4} folder moved successfully.
C:\Documents and Settings\d\Local Settings\Application Data\{766ae966-0c13-0485-0d28-523fb79d5fb4}\U folder moved successfully.
C:\Documents and Settings\d\Local Settings\Application Data\{766ae966-0c13-0485-0d28-523fb79d5fb4}\L folder moved successfully.
C:\Documents and Settings\d\Local Settings\Application Data\{766ae966-0c13-0485-0d28-523fb79d5fb4} folder moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\d\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\d\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: d
->Temp folder emptied: 62119375 bytes
->Temporary Internet Files folder emptied: 68427733 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 85329669 bytes
->Flash cache emptied: 266024 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 7716998 bytes
->Flash cache emptied: 11031 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 17834 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 4577656 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4579 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 33978788 bytes

Total Files Cleaned = 250.00 mb

Restore point Set: OTL Restore Point
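As an added example that is not part of the original thread (and not code from OTL, ESET or Malwarebytes), here is a small Python triage script for log excerpts like the ESET detections and the OTL fix log posted in this topic. The sample lines are constructed from the posted output. It pulls out the three things a helper checks first in such logs: ESET detections that sit inside the Java deployment cache (cached exploit-kit payloads rather than a running infection), GUID-named directories that contain a file literally named "@" beside "L" / "U" subfolders (the layout the OTL fix moved out of C:\WINDOWS\Installer and Local Settings\Application Data), and driver services whose image OTL reports as "File not found", separating those that point into a Temp directory (typically leftovers of earlier scanning tools). The regexes and the `triage` function are my own assumptions about the line formats shown on this page, not an official parser for either tool.

```python
"""Triage helper for ESET and OTL log excerpts (added example, not from the thread's tools)."""
import re
from collections import defaultdict

# Constructed sample, modelled on the ESET and OTL output quoted in the thread.
SAMPLE_LOG = r"""
C:\Documents and Settings\d\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\2\29636cc2-72519e87 » ZIP » a/ppbwjge.class - a variant of Java/Exploit.Agent.NCW trojan
C:\Documents and Settings\d\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\2\29636cc2-72519e87 » ZIP » vjlkintv - a variant of Win32/Kryptik.AIVI trojan
C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\L\00000004.@ moved successfully.
C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\@ moved successfully.
C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\U folder moved successfully.
C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4} folder moved successfully.
C:\Documents and Settings\d\Local Settings\Application Data\{766ae966-0c13-0485-0d28-523fb79d5fb4}\@ moved successfully.
C:\Documents and Settings\d\Local Settings\Application Data\{766ae966-0c13-0485-0d28-523fb79d5fb4}\U folder moved successfully.
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\d\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ax88772.sys -- (AX88772)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\d\LOCALS~1\Temp\aswMBR.sys -- (aswMBR)
DRV - [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
"""

# ESET line: "<path> » <container> » <member> - a variant of <Family> trojan"  (assumed format)
ESET_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)(?: » (?P<inner>.+?))? - (?P<verdict>.+)$")
# OTL fix log line: "<path>[ folder] moved successfully."
MOVED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)(?: folder)? moved successfully\.$")
# OTL driver entry whose image is missing; the path may be empty ("-- --").
DRV_MISSING_RE = re.compile(
    r"^DRV - File not found \[(?P<flags>[^\]]+)\] --(?: (?P<path>.*?))? -- \((?P<svc>[^)]+)\)$")
# Split "<parent>\{GUID}\<rest>" so the GUID directory's direct children can be collected.
GUID_DIR_RE = re.compile(
    r"^(?P<parent>.*\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})(?:\\(?P<rest>.+))?$")
JAVA_CACHE = "\\sun\\java\\deployment\\cache\\"


def triage(log_text):
    """Return the three indicator groups found in a log excerpt."""
    findings = {"java_cache_detections": [], "guid_dirs": {}, "orphan_drivers": []}
    layout = defaultdict(set)  # GUID directory -> names of its direct children seen in the log
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        m = ESET_RE.match(line)
        if m:
            family = re.search(r"\S+/\S+", m["verdict"])  # e.g. Java/Exploit.Agent.NCW
            if JAVA_CACHE in m["path"].lower():
                findings["java_cache_detections"].append({
                    "path": m["path"],
                    "inner": m["inner"],
                    "detection": family.group(0) if family else m["verdict"],
                })
            continue
        m = MOVED_RE.match(line)
        if m:
            g = GUID_DIR_RE.match(m["path"])
            if g and g["rest"]:
                layout[g["parent"]].add(g["rest"].split("\\")[0])
            continue
        m = DRV_MISSING_RE.match(line)
        if m and m["path"]:
            findings["orphan_drivers"].append({
                "service": m["svc"],
                "path": m["path"],
                "in_temp": "\\temp\\" in m["path"].lower(),
            })
    for parent, children in layout.items():
        findings["guid_dirs"][parent] = {
            "children": sorted(children),
            # a file named "@" next to "L"/"U" folders is the layout the OTL fix removed
            "suspicious": "@" in children and bool(children & {"L", "U"}),
        }
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for hit in result["java_cache_detections"]:
        print("JAVA CACHE :", hit["detection"], "in", hit["inner"])
    for parent, info in result["guid_dirs"].items():
        print("GUID DIR   :", parent, info["children"], "suspicious" if info["suspicious"] else "")
    for drv in result["orphan_drivers"]:
        print("ORPHAN DRV :", drv["service"], drv["path"], "(Temp)" if drv["in_temp"] else "")
```

Feed it the raw text of a scan result or an OTL log and read the three groups in order: Java-cache detections are usually dealt with by clearing the cache, a GUID directory flagged "suspicious" deserves a look in the fix log to confirm all of its pieces were moved, and orphaned driver entries under Temp are what a later clean-up step (or a tool's own uninstaller) should remove so they stop appearing in every new log.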
Olmarik.tdl4 remnant issues. Help appreciated.
jgowell21 replied to jgowell21's topic in Resolved Malware Removal Logs
Tried to boot into Safe Mode. Selected the normal "Safe Mode" option (not "with Networking" or "with Command Prompt"). Then I had 3 options: 1) Microsoft Recovery Console, 2) Debugger (which said "do not select this") and 3) Microsoft Windows XP. Selected XP like I normally do when I boot into Safe Mode. However, this time, while the drivers/files were loading, the computer received the BSOD and restarted. I tried it again and it BSODed again.
Olmarik.tdl4 remnant issues. Help appreciated.
jgowell21 replied to jgowell21's topic in Resolved Malware Removal Logs
I let it go for a full hour and since nothing changed and it was still frozen, I just restarted and will await further instructions.
Olmarik.tdl4 remnant issues. Help appreciated.
jgowell21 replied to jgowell21's topic in Resolved Malware Removal Logs
Maniac, I am posting this from another computer because the computer I was working on has frozen. I copied/pasted your exact instructions about 20 minutes ago and when I clicked "Run Fix" it said "Killing processes. DO NOT INTERRUPT". I realized the computer was frozen when I saw the time in the lower right corner of the taskbar had not changed even though 20-25 minutes have now passed since I clicked the "Run Fix" button. Should I continue to let it run? Should I force shutdown and try again? Other options?
Olmarik.tdl4 remnant issues. Help appreciated.
jgowell21 replied to jgowell21's topic in Resolved Malware Removal Logs
Extras.txt file

OTL Extras logfile created on: 7/24/2012 4:16:50 PM - Run 1
OTL by OldTimer - Version 3.2.54.1 Folder = C:\Documents and Settings\d\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.90 Gb Total Physical Memory | 1.69 Gb Available Physical Memory | 58.41% Memory free
4.74 Gb Paging File | 3.32 Gb Available in Paging File | 70.05% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 114.41 Gb Total Space | 1.85 Gb Free Space | 1.62% Space Free | Partition Type: NTFS

Computer Name: BCS-FF2C23D2798 | User Name: d | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-2052111302-261903793-725345543-1003\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0360D8F0-626A-4E87-8A16-938BD0BEBCC5}" = 32 Bit HP CIO Components Installer
"{196467F1-C11F-4F76-858B-5812ADC83B94}" = MSXML 4.0 SP3 Parser
"{26A24AE4-039D-4CA4-87B4-2F83217005FF}" = Java 7 Update 5
"{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}" = iTunes
"{31A559C1-9E4D-423B-9DD3-34A6C5398752}" = HTC BMP USB Driver
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D08333C-C366-425D-8C2D-D05630D68A46}" = SlingPlayer
"{3D8994A3-02A8-45B5-B955-53E608BC69ED}" = Lenovo Fingerprint Software
"{46A84694-59EC-48F0-964C-7E76E9F8A2ED}" = ThinkVantage Active Protection System
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{6D6664A9-3342-4948-9B7E-034EFE366F0F}" = HTC Driver Installer
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{6F801026-6AF0-4520-9153-4C9B4CAAB361}" = HP LaserJet P2050 Series 6.0
"{70E2B27F-0B7F-41B2-8145-E7377BC9F75A}" = DisplayLink Graphics
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{78E83B4F-7230-4F0B-B1AD-8DDF05473D6F}" = Intel® PROSet/Wireless WiFi Software
"{82EB6CEA-749A-410F-8AD2-372A286BA3BE}" = Integrated Camera Driver Installer Package Ver.1.32.500.0
"{861C4DFA-E691-4BA6-BE6B-D5BA211990B6}" = DisplayLink Core Software
"{8675339C-128C-44DD-83BF-0A5D6ABD8297}" = System Update
"{87B8375F-AAC4-417D-BB00-2EE6FBF898E7}" = ESET NOD32 Antivirus
"{89B6F63A-7E0C-424A-9D39-C4EF59E96D78}" = hppQFolderP2050
"{8B784DB3-2DBF-4660-863C-CAD974C047C7}" = hppusgP2050
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{995F2783-8311-49BF-833E-DB659774B4F6}" = hppFonts
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ThinkPad UltraNav Driver
"{9fe85a45-5110-487a-a3da-c4b7b78d5514}" = Lenovo USB Port Replicator with Digital Video
"{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}" = ThinkPad Power Manager
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.1
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C5DA59CF-2BB8-48D5-8E5B-17F2E0F0FEE4}" = System Requirements Lab for Intel
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}" = Apple Mobile Device Support
"{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2E0F0CC-6BE0-490b-B08B-9267083E34C9}" = MarketResearch
"{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel® Graphics Media Accelerator Driver
"0481B164C8D1D26C560D6A5E717C5920D4362D60" = Windows Driver Package - AuthenTec Inc. (ATSwpWDF) Biometric (01/14/2010 8.6.0.13)
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"AIM_7" = AIM 7
"Android SDK Install v.30" = Android SDK Install v.30
"Cisco Connect" = Cisco Connect
"CNXT_AUDIO_HDA" = Conexant 20561 SmartAudio HD
"Combined Community Codec Pack_is1" = Combined Community Codec Pack 2009-09-09
"CutePDF Writer Installation" = CutePDF Writer 2.8
"DAEMON Tools Lite" = DAEMON Tools Lite
"HPExtendedCapabilities" = HP Customer Participation Program 10.0
"InstallShield_{3D08333C-C366-425D-8C2D-D05630D68A46}" = SlingPlayer
"ITPM" = Intel® Trusted Platform Module
"Lenovo USB Port Replicator" = Lenovo USB Port Replicator
"LENOVO.SMIIF" = Lenovo System Interface Driver
"LenovoAutoScrollUtility" = Lenovo Auto Scroll Utility
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.62.0.1300
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 14.0.1 (x86 en-US)" = Mozilla Firefox 14.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"OnScreenDisplay" = On Screen Display
"Power Management Driver" = ThinkPad Power Management Driver
"ProInst" = Intel PROSet Wireless
"PROSet" = Intel® Network Connections Drivers
"ThinkPad FullScreen Magnifier" = ThinkPad FullScreen Magnifier
"Veetle TV" = Veetle TV 0.9.18
"VLC media player" = VLC media player 1.1.11
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 3/25/2012 5:43:00 PM | Computer Name = SUH-FF2C23D2798 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\D\DESKTOP\BECKER\AUD\A5PASSMASTER.DB> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. (0x8007001f)

Error - 3/25/2012 5:43:00 PM | Computer Name = SUH-FF2C23D2798 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\D\DESKTOP\BECKER\AUD\A6LECTURE.DB> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. (0x8007001f)

Error - 3/25/2012 5:43:00 PM | Computer Name = SUH-FF2C23D2798 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\D\DESKTOP\BECKER\AUD\A6PASSMASTER.DB> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. (0x8007001f)

Error - 3/25/2012 5:43:00 PM | Computer Name = SUH-FF2C23D2798 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\D\DESKTOP\BECKER\AUD\A6PASSMASTER.DB> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. (0x8007001f)

Error - 3/25/2012 5:43:00 PM | Computer Name = SUH-FF2C23D2798 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\D\DESKTOP\BECKER\AUD> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. (0x8007001f)

Error - 3/25/2012 5:43:00 PM | Computer Name = SUH-FF2C23D2798 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\D\DESKTOP\BECKER\AUD> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. (0x8007001f)

Error - 4/9/2012 8:30:31 PM | Computer Name = SUH-FF2C23D2798 | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\D\MY DOCUMENTS\TURBOTAX\2011 SUH D FORM 1040 INDIVIDUAL TAX RETURN.TAX2011> in the hash map cannot be updated. Context: Application, SystemIndex Catalog Details: A device attached to the system is not functioning. (0x8007001f)

Error - 4/10/2012 1:48:38 AM | Computer Name = SUH-FF2C23D2798 | Source = Application Error | ID = 1000
Description = Faulting application pockettanks.exe, version 1.3.0.4, faulting module bass.dll, version 2.3.0.3, fault address 0x0001acb1.

Error - 4/10/2012 10:48:33 AM | Computer Name = SUH-FF2C23D2798 | Source = MsiInstaller | ID = 10005
Description = Product: Lenovo USB Port Replicator with Digital Video -- Last installation need to reboot OS.

Error - 4/11/2012 3:07:30 PM | Computer Name = SUH-FF2C23D2798 | Source = Application Error | ID = 1000
Description = Faulting application , version 0.0.0.0, faulting module FpWinLogonNp.dll, version 3.3.2.27, fault address 0x000038c0.

[ System Events ]
Error - 7/22/2012 9:07:39 PM | Computer Name = BCS-FF2C23D2798 | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: %%31

Error - 7/22/2012 9:07:39 PM | Computer Name = BCS-FF2C23D2798 | Source = Service Control Manager | ID = 7001
Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: %%31

Error - 7/22/2012 9:07:39 PM | Computer Name = BCS-FF2C23D2798 | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: %%31

Error - 7/22/2012 9:07:39 PM | Computer Name = BCS-FF2C23D2798 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load: AFD dqbridge ehdrv epfwtdir Fips intelppm IPSec lenovo.smi MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip TPHKDRV TPPWRIF WS2IFSL

Error - 7/22/2012 9:19:22 PM | Computer Name = BCS-FF2C23D2798 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 7/22/2012 9:24:28 PM | Computer Name = BCS-FF2C23D2798 | Source = Service Control Manager | ID = 7024
Description = The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).

Error - 7/22/2012 9:24:30 PM | Computer Name = BCS-FF2C23D2798 | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error - 7/22/2012 9:24:30 PM | Computer Name = BCS-FF2C23D2798 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Windows Search service to connect.

Error - 7/22/2012 9:24:30 PM | Computer Name = BCS-FF2C23D2798 | Source = Service Control Manager | ID = 7000
Description = The Windows Search service failed to start due to the following error: %%1053

Error - 7/23/2012 6:12:00 PM | Computer Name = BCS-FF2C23D2798 | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).

< End of report >
Olmarik.tdl4 remnant issues. Help appreciated.
jgowell21 replied to jgowell21's topic in Resolved Malware Removal Logs
OTL.txt File

OTL logfile created on: 7/24/2012 4:16:50 PM - Run 1
OTL by OldTimer - Version 3.2.54.1 Folder = C:\Documents and Settings\d\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.90 Gb Total Physical Memory | 1.69 Gb Available Physical Memory | 58.41% Memory free
4.74 Gb Paging File | 3.32 Gb Available in Paging File | 70.05% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 114.41 Gb Total Space | 1.85 Gb Free Space | 1.62% Space Free | Partition Type: NTFS

Computer Name: BCS-FF2C23D2798 | User Name: d | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/24 16:15:49 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\d\Desktop\OTL.exe
PRC - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/07/03 13:46:44 | 000,462,920 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/03/23 14:25:24 | 000,087,040 | ---- | M] () -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
PRC - [2011/05/16 15:49:28 | 000,676,312 | ---- | M] (Lenovo) -- C:\Program Files\Lenovo\Lenovo USB Port Replicator with Digital Video\dcute.exe
PRC - [2011/05/16 15:49:28 | 000,085,464 | ---- | M] () -- C:\Program Files\Lenovo\Lenovo USB Port Replicator with Digital Video\dqscrproj.exe
PRC - [2011/05/16 15:49:28 | 000,033,240 | ---- | M] (lenovo) -- C:\Program Files\Lenovo\Lenovo USB Port Replicator with Digital Video\dqscrproxy.exe
PRC - [2011/04/10 16:06:42 | 000,951,656 | ---- | M] (DisplayLink Corp.) -- C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
PRC - [2011/04/10 16:06:40 | 000,730,472 | ---- | M] (DisplayLink Corp.) -- C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe
PRC - [2011/04/10 16:06:38 | 005,240,168 | ---- | M] (DisplayLink Corp.) -- C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe
PRC - [2010/11/03 19:19:24 | 000,094,024 | ---- | M] (Sling Media Inc.) -- C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
PRC - [2010/08/25 01:28:00 | 000,132,456 | ---- | M] (Lenovo.) -- C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
PRC - [2010/08/25 01:28:00 | 000,053,248 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe
PRC - [2010/07/27 17:05:00 | 000,069,560 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
PRC - [2010/04/26 13:46:32 | 000,144,824 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\ZOOM\TpScrex.exe
PRC - [2010/04/07 14:37:22 | 000,063,928 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
PRC - [2010/04/01 14:50:44 | 000,043,960 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe
PRC - [2010/03/05 13:01:46 | 000,862,480 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe
PRC - [2010/03/05 12:54:20 | 000,954,368 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
PRC - [2010/03/05 12:43:50 | 000,473,360 | ---- | M] (Intel® Corporation) -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PRC - [2010/02/22 16:50:16 | 000,810,120 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2010/02/22 16:49:56 | 002,140,880 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2010/02/05 06:44:44 | 000,118,784 | ---- | M] (AuthenTec,Inc) -- C:\WINDOWS\system32\FpLogonServ.exe
PRC - [2010/02/05 06:43:20 | 000,098,304 | ---- | M] () -- C:\WINDOWS\system32\DTS.exe
PRC - [2010/02/05 06:39:58 | 001,824,064 | ---- | M] (AuthenTec, Inc.) -- C:\WINDOWS\system32\AtService.exe
PRC - [2009/11/24 13:51:18 | 000,176,056 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
PRC - [2009/06/12 10:55:48 | 000,028,672 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\System Update\SUService.exe
PRC - [2009/02/12 12:48:42 | 002,058,776 | ---- | M] (Intel Corporation) -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
PRC - [2008/10/30 18:23:52 | 000,031,744 | ---- | M] (Ricoh co.,Ltd.) -- C:\Program Files\RotateImage\RCIMGDIR.exe
PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/26 17:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

========== Modules (No Company Name) ==========

MOD - [2012/07/06 13:29:58 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8b84bb74d7724e147a642a1d5358feb7\System.ServiceProcess.ni.dll
MOD - [2012/07/05 21:32:25 | 000,060,928 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\UIAutomationProvider\f121ccced1aa14badb316d8d9be5154d\UIAutomationProvider.ni.dll
MOD - [2012/07/05 21:32:23 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\3bba1b8b0b5ef0be238b011cc7a0575e\System.Xml.ni.dll
MOD - [2012/07/05 21:30:16 | 001,592,320 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\d86f2038209a4cf0d0f5b30f6375c9b2\System.Drawing.ni.dll
MOD - [2012/07/05 21:27:21 | 000,539,648 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\8b873631a0855fb6aa0ad25f1d9de7fe\PresentationFramework.Luna.ni.dll
MOD - [2012/07/05 21:26:05 | 012,218,368 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\PresentationCore\f33e2a4d9b385234406fa2d662f78875\PresentationCore.ni.dll
MOD - [2012/07/05 21:25:47 | 003,325,440 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\WindowsBase\6d8bef0d008389874e55c0308f0c18e5\WindowsBase.ni.dll
MOD - [2012/07/05 21:25:25 | 007,953,408 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\e4b5afc4da43b1c576f9322f9f2e1bfe\System.ni.dll
MOD - [2012/07/05 21:25:14 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\e337c89bc9f81b69d7237aa70e935900\mscorlib.ni.dll
MOD - [2012/07/05 21:25:05 | 005,283,840 | ---- | M] () -- C:\WINDOWS\assembly\GAC_MSIL\PresentationFramework\3.0.0.0__31bf3856ad364e35\PresentationFramework.dll
MOD - [2012/03/23 14:25:24 | 000,087,040 | ---- | M] () -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
MOD - [2012/03/11 14:55:40 | 000,088,656 | ---- | M] () -- C:\WINDOWS\system32\cpwmon2k.dll
MOD - [2011/05/16 15:49:28 | 000,085,464 | ---- | M] () -- C:\Program Files\Lenovo\Lenovo USB Port Replicator with Digital Video\dqscrproj.exe
MOD - [2010/08/25 01:28:00 | 000,053,248 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\US\PWRMGRRO.DLL
MOD - [2010/08/25 01:28:00 | 000,053,248 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe
MOD - [2010/08/25 01:28:00 | 000,036,352 | ---- | M] () -- C:\Program Files\ThinkPad\Utilities\US\PWRMGRRT.DLL
MOD - [2010/08/10 00:01:06 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2010/03/15 11:28:22 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2010/02/05 06:43:20 | 000,098,304 | ---- | M] () -- C:\WINDOWS\system32\DTS.exe
MOD - [2010/02/05 06:42:38 | 000,634,880 | ---- | M] () -- C:\Program Files\Lenovo Fingerprint Software\SharedResources.dll

========== Win32 Services (SafeList) ==========

SRV - [2012/07/22 20:37:01 | 000,161,776 | ---- | M] (Oracle Corporation) [Auto | Stopped] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/07/17 18:04:42 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/07/03 13:46:44 | 000,655,944 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/03/23 14:25:24 | 000,087,040 | ---- | M] () [Auto | Running] -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe -- (PassThru Service)
SRV - [2011/05/16 15:49:28 | 000,085,464 | ---- | M] () [Auto | Running] -- C:\Program Files\Lenovo\Lenovo USB Port Replicator with Digital Video\dqscrproj.exe -- (ScrProj)
SRV - [2011/04/10 16:06:38 | 005,240,168 | ---- | M] (DisplayLink Corp.) [Auto | Running] -- C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe -- (DisplayLinkService)
SRV - [2010/11/03 19:19:24 | 000,094,024 | ---- | M] (Sling Media Inc.) [Auto | Running] -- C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe -- (SlingAgentService)
SRV - [2010/08/25 01:28:00 | 000,132,456 | ---- | M] (Lenovo.) [Auto | Running] -- C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE -- (DozeSvc)
SRV - [2010/08/25 01:28:00 | 000,053,248 | ---- | M] () [Auto | Running] -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe -- (Power Manager DBC Service)
SRV - [2010/04/07 14:37:22 | 000,063,928 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe -- (TPHKSVC)
SRV - [2010/04/07 12:02:16 | 000,045,496 | ---- | M] (Lenovo Group Limited) [Auto | Stopped] -- C:\Program Files\Lenovo\HOTKEY\micmute.exe -- (LENOVO.MICMUTE)
SRV - [2010/03/05 13:01:46 | 000,862,480 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe -- (EvtEng)
SRV - [2010/03/05 12:54:20 | 000,954,368 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe -- (S24EventMonitor)
SRV - [2010/03/05 12:43:50 | 000,473,360 | ---- | M] (Intel® Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe -- (RegSrvc)
SRV - [2010/02/22 16:52:52 | 000,033,560 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2010/02/22 16:50:16 | 000,810,120 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2010/02/05 06:44:44 | 000,118,784 | ---- | M] (AuthenTec,Inc) [Auto | Running] -- C:\WINDOWS\system32\FpLogonServ.exe -- (FingerprintServer)
SRV - [2010/02/05 06:43:20 | 000,098,304 | ---- | M] () [Auto | Running] -- C:\WINDOWS\system32\DTS.exe -- (dtsvc)
SRV - [2010/02/05 06:43:16 | 000,106,496 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\ADMonitor.exe -- (ADMonitor)
SRV - [2010/02/05 06:39:58 | 001,824,064 | ---- | M] (AuthenTec, Inc.) [Auto | Running] -- C:\WINDOWS\system32\AtService.exe -- (ATService)
SRV - [2009/06/12 10:55:48 | 000,028,672 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
SRV - [2009/02/12 12:48:42 | 002,058,776 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe -- (UNS)
SRV - [2007/09/26 17:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) [Auto | Running] -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\DOCUME~1\d\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ax88772.sys -- (AX88772)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\d\LOCALS~1\Temp\aswMBR.sys -- (aswMBR)
DRV - [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/04/09 19:13:13 | 000,242,240 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV - [2011/06/02 11:08:34 | 000,011,336 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program
Files\SystemRequirementsLab\cpudrv.sys -- (cpudrv) DRV - [2011/05/16 15:49:28 | 000,055,256 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\dqbridge.sys -- (dqbridge) DRV - [2011/05/16 15:49:28 | 000,019,928 | ---- | M] (lenovo) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dqVDDrvK.sys -- (dqVDDrv) DRV - [2011/05/16 15:49:26 | 000,029,656 | ---- | M] (Lenovo Soft Corporation(32)) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ALvldr.sys -- (ALvldr) DRV - [2011/04/10 16:07:03 | 000,024,448 | ---- | M] (DisplayLink Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DisplayLinkmirrorport.sys -- (DisplayLinkmirror) DRV - [2011/04/10 16:07:03 | 000,007,296 | ---- | M] (DisplayLink Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\DisplayLinkFilter.sys -- (DisplayLinkFilter) DRV - [2010/08/25 01:28:00 | 000,024,304 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\DOZEHDD.SYS -- (DozeHDD) DRV - [2010/08/25 01:28:00 | 000,004,442 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF) DRV - [2010/07/18 14:58:34 | 000,822,400 | ---- | M] (Conexant Systems Inc.) 
[Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CHDAU32.sys -- (CnxtHdAudService) DRV - [2010/07/14 15:20:08 | 000,025,560 | ---- | M] (Lenovo) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dqusb.sys -- (dqusb) DRV - [2010/06/22 18:01:50 | 000,021,248 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\htcnprot.sys -- (htcnprot) DRV - [2010/03/18 01:15:18 | 006,601,216 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw5x32.sys -- (NETw5x32) DRV - [2010/02/22 16:51:10 | 000,095,872 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir) DRV - [2010/02/22 16:50:06 | 000,114,984 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ehdrv.sys -- (ehdrv) DRV - [2010/02/22 16:47:20 | 000,139,192 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon) DRV - [2010/02/05 10:14:14 | 000,661,448 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ATSwpWDF.sys -- (ATSwpWDF) DRV - [2009/12/09 14:54:46 | 000,154,672 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService) DRV - [2009/12/08 14:11:40 | 000,031,680 | R--- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd) DRV - [2009/10/23 16:40:30 | 000,187,776 | ---- | M] (Ricoh co.,Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RCUVCMNP.sys -- (5U875UVC) DRV - [2009/10/09 12:12:02 | 000,120,360 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ApsX86.sys -- (Shockprf) DRV - [2009/10/09 12:10:24 | 000,020,520 | ---- | M] (Lenovo.) 
[Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\ApsHM86.sys -- (TPDIGIMN) DRV - [2009/08/10 04:46:38 | 000,013,952 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans) DRV - [2009/06/10 00:49:32 | 000,024,576 | ---- | M] (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ANDROIDUSB.sys -- (HTCAND32) DRV - [2008/09/19 16:29:54 | 000,243,856 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1y5132.sys -- (e1yexpress) DRV - [2008/05/12 18:04:02 | 000,013,480 | ---- | M] (Lenovo Group Limited) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\smiif32.sys -- (lenovo.smi) DRV - [2008/03/26 13:21:06 | 000,013,824 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tpm.sys -- (tpm) DRV - [2007/07/16 17:29:33 | 000,017,432 | ---- | M] (Hewlett Packard) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hpfxbulk.sys -- (HPFXBULK) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-2052111302-261903793-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..extensions.enabledItems: vshare@toolbar:1.0.0 FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_265.dll () FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found FF - 
HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll () FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.5.0: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation) FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17: C:\Program Files\Veetle\VLCBroadcast\npvbp.dll (Veetle Inc) FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.18: C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc) FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.18: C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc) FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.) 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/07/17 18:04:44 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/07/22 19:22:10 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2012/07/22 16:42:07 | 000,000,000 | ---D | M] [2010/09/20 10:02:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\d\Application Data\Mozilla\Extensions [2012/06/04 19:49:26 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\d\Application Data\Mozilla\Firefox\Profiles\i2udtmcg.default\extensions [2011/12/04 07:37:53 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\d\Application Data\Mozilla\Firefox\Profiles\i2udtmcg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2012/06/04 19:49:26 | 000,000,000 | ---D | M] (WebSlingPlayer) -- C:\Documents and Settings\d\Application Data\Mozilla\Firefox\Profiles\i2udtmcg.default\extensions\{9EB34849-81D3-4841-939D-666D522B889A} [2010/10/03 14:05:11 | 000,000,000 | ---D | M] (vShare Plugin) -- C:\Documents and Settings\d\Application Data\Mozilla\Firefox\Profiles\i2udtmcg.default\extensions\vshare@toolbar [2012/07/03 09:17:49 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions [2012/07/17 18:04:44 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2012/04/11 16:34:06 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml [2012/04/11 16:34:06 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml O1 HOSTS File: ([2012/07/22 16:06:33 | 000,000,027 | ---- | M]) - 
C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation) O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation) O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET) O4 - HKLM..\Run: [FingerPrintSoftware] C:\Program Files\Lenovo Fingerprint Software\fpapp.exe (Authentec,Inc) O4 - HKLM..\Run: [HPUsageTracking] c:\Program Files\HP\HP UT\bin\hppusg.exe (Hewlett-Packard Company) O4 - HKLM..\Run: [iMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation) O4 - HKLM..\Run: [Lenovo dCute] C:\Program Files\Lenovo\Lenovo USB Port Replicator with Digital Video\dCute.exe (Lenovo) O4 - HKLM..\Run: [LenovoAutoScrollUtility] C:\Program Files\Lenovo\VIRTSCRL\virtscrl.exe (Lenovo Group Limited) O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe () O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation) O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation) O4 - HKLM..\Run: [picon] C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe (Intel Corporation) O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (Lenovo Group Limited) O4 - HKLM..\Run: [RotateImage] C:\Program Files\RotateImage\RCIMGDIR.exe (Ricoh co.,Ltd.) 
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-2052111302-261903793-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-2052111302-261903793-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKU\S-1-5-21-2052111302-261903793-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - 
HKU\S-1-5-21-2052111302-261903793-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O15 - HKU\S-1-5-21-2052111302-261903793-725345543-1003\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites) O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool) O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1341536361125 (WUWebControl Class) O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab (Reg Error: Key error.) 
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{821D4603-DA1E-47B9-8BD9-E97EEBC1D518}: DhcpNameServer = 75.75.75.75 75.75.76.76 O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation) O20 - Winlogon\Notify\ATFUS: DllName - (C:\WINDOWS\system32\FpWinLogonNp.dll) - C:\WINDOWS\system32\FpWinlogonNp.dll (AuthenTec,Inc) O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2010/09/20 12:04:23 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 30 Days ========== [2012/07/24 16:15:49 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\d\Desktop\OTL.exe [2012/07/24 15:42:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\d\Desktop\RK_Quarantine [2012/07/23 23:49:03 | 000,000,000 | -HSD | C] -- C:\RECYCLER [2012/07/23 11:25:08 | 000,000,000 | RHSD | C] -- C:\cmdcons [2012/07/22 21:33:08 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine [2012/07/22 21:20:24 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\d\Recent [2012/07/22 20:43:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All 
Users\Start Menu\Programs\CCleaner [2012/07/22 20:39:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java [2012/07/22 20:38:32 | 000,000,000 | ---D | C] -- C:\Program Files\Oracle [2012/07/22 20:36:37 | 000,000,000 | ---D | C] -- C:\Program Files\Java [2012/07/22 20:36:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee [2012/07/22 18:12:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\d\Local Settings\Application Data\ESET [2012/07/22 16:42:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\ESET [2012/07/22 16:42:01 | 000,000,000 | ---D | C] -- C:\Program Files\ESET [2012/07/22 16:42:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ESET [2012/07/22 15:56:57 | 000,000,000 | R--D | C] -- C:\Documents and Settings\d\Start Menu\Programs\Administrative Tools [2012/07/22 15:56:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt [2012/07/21 22:05:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia [2012/07/21 22:05:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe [2012/07/20 19:30:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\d\Local Settings\Application Data\CutePDF Writer [2012/07/20 19:29:44 | 000,000,000 | ---D | C] -- C:\Program Files\GPLGS [2012/07/20 19:28:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CutePDF [2012/07/20 19:28:05 | 000,000,000 | ---D | C] -- C:\Program Files\Acro Software [2012/07/17 18:44:15 | 000,000,000 | ---D | C] -- C:\Program Files\SystemRequirementsLab [2012/07/17 18:44:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\d\Application Data\SystemRequirementsLab [2012/07/17 18:22:51 | 000,000,000 | ---D | C] -- C:\Program Files\Lenovo USB Port Replicator [2012/07/17 18:22:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start 
Menu\Programs\Lenovo USB Port Replicator [2012/07/15 04:11:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia [2012/07/15 04:10:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe [2012/07/05 19:30:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware [2012/07/05 19:29:59 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2012/07/24 16:15:49 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\d\Desktop\OTL.exe [2012/07/24 15:40:36 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2012/07/24 15:40:23 | 001,552,384 | ---- | M] () -- C:\Documents and Settings\d\Desktop\RogueKiller.exe [2012/07/24 15:39:07 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\TEMP [2012/07/24 14:53:48 | 000,000,292 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job [2012/07/23 18:12:05 | 000,508,390 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2012/07/23 18:12:04 | 000,090,666 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2012/07/23 17:55:35 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2012/07/23 17:55:34 | 3112,198,144 | -HS- | M] () -- C:\hiberfil.sys [2012/07/23 11:25:16 | 000,000,327 | RHS- | M] () -- C:\boot.ini [2012/07/23 03:49:43 | 000,217,600 | ---- | M] () -- C:\Documents and Settings\d\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2012/07/23 03:24:26 | 000,204,120 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2012/07/22 21:44:40 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK [2012/07/22 20:55:08 | 2145,386,496 | ---- | M] () -- C:\WINDOWS\MEMORY.DMP [2012/07/22 20:42:08 | 000,000,000 | ---- | 
M] () -- C:\Documents and Settings\d\defogger_reenable [2012/07/22 17:21:13 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat [2012/07/22 16:06:33 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts [2012/07/20 19:31:15 | 000,140,609 | ---- | M] () -- C:\Documents and Settings\d\Desktop\YS Tix 3.pdf [2012/07/20 19:30:52 | 000,140,583 | ---- | M] () -- C:\Documents and Settings\d\Desktop\YS Tix 2.pdf [2012/07/20 19:30:12 | 000,140,512 | ---- | M] () -- C:\Documents and Settings\d\Desktop\YS Tix 1.pdf [2012/07/20 19:04:46 | 017,178,218 | ---- | M] () -- C:\Documents and Settings\d\Desktop\bullsbeat_245.mp3 [2012/07/17 21:25:58 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat [2012/07/11 23:12:33 | 000,037,311 | ---- | M] () -- C:\Documents and Settings\d\Desktop\Groupon_chikalicious.pdf [2012/07/05 13:05:50 | 004,503,728 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\l_u0_0.pad [2012/07/03 13:46:44 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2012/07/01 17:39:46 | 000,002,641 | ---- | M] () -- C:\Documents and Settings\d\Desktop\images.jpg [2012/06/26 04:59:21 | 000,009,420 | ---- | M] () -- C:\Documents and Settings\d\Desktop\SAC.jpg [8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files Created - No Company Name ========== [2012/07/24 15:40:22 | 001,552,384 | ---- | C] () -- C:\Documents and Settings\d\Desktop\RogueKiller.exe [2012/07/23 11:25:16 | 000,000,211 | ---- | C] () -- C:\Boot.bak [2012/07/23 11:25:13 | 000,260,272 | RHS- | C] () -- C:\cmldr [2012/07/22 21:44:17 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK [2012/07/22 21:23:56 | 3112,198,144 | -HS- | C] () -- C:\hiberfil.sys [2012/07/22 20:42:08 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\d\defogger_reenable [2012/07/22 16:03:13 | 000,000,000 | ---- | C] () -- C:\Documents and 
Settings\All Users\Application Data\TEMP [2012/07/20 19:31:15 | 000,140,609 | ---- | C] () -- C:\Documents and Settings\d\Desktop\YS Tix 3.pdf [2012/07/20 19:30:51 | 000,140,583 | ---- | C] () -- C:\Documents and Settings\d\Desktop\YS Tix 2.pdf [2012/07/20 19:30:11 | 000,140,512 | ---- | C] () -- C:\Documents and Settings\d\Desktop\YS Tix 1.pdf [2012/07/20 19:28:14 | 000,088,656 | ---- | C] () -- C:\WINDOWS\System32\cpwmon2k.dll [2012/07/20 19:04:38 | 017,178,218 | ---- | C] () -- C:\Documents and Settings\d\Desktop\bullsbeat_245.mp3 [2012/07/15 04:02:24 | 000,000,804 | ---- | C] () -- C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\L\00000004.@ [2012/07/11 23:12:33 | 000,037,311 | ---- | C] () -- C:\Documents and Settings\d\Desktop\Groupon_chikalicious.pdf [2012/07/05 21:40:08 | 000,725,840 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat [2012/07/05 21:01:14 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll [2012/07/05 21:01:14 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll [2012/07/05 12:53:36 | 004,503,728 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\l_u0_0.pad [2012/07/01 17:39:46 | 000,002,641 | ---- | C] () -- C:\Documents and Settings\d\Desktop\images.jpg [2012/06/26 04:59:21 | 000,009,420 | ---- | C] () -- C:\Documents and Settings\d\Desktop\SAC.jpg [2012/04/09 19:21:59 | 000,000,590 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Microsoft.SqlServer.Compact.400.32.bc [2011/05/16 15:49:28 | 000,055,256 | ---- | C] () -- C:\WINDOWS\System32\drivers\dqbridge.sys [2010/10/09 18:11:20 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat [2010/10/09 16:41:52 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat [2010/10/04 05:28:49 | 000,000,619 | ---- | C] () -- C:\WINDOWS\System32\hppapr13.dat [2010/10/04 05:28:04 | 000,172,891 | ---- | C] () -- C:\WINDOWS\hppins13.dat 
[2010/10/04 05:28:04 | 000,006,760 | ---- | C] () -- C:\WINDOWS\hppmdl13.dat [2010/09/27 19:52:50 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2010/09/26 17:43:01 | 000,045,612 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat [2010/09/21 02:22:54 | 000,196,608 | ---- | C] () -- C:\WINDOWS\PWMBTHLP.EXE [2010/09/21 02:22:53 | 000,004,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\TPPWRIF.SYS [2010/09/20 12:07:23 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat [2010/09/20 12:01:27 | 000,022,720 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat [2010/09/20 10:09:21 | 000,982,240 | ---- | C] () -- C:\WINDOWS\System32\igkrng500.bin [2010/09/20 10:09:19 | 000,004,096 | ---- | C] ( ) -- C:\WINDOWS\System32\IGFXDEVLib.dll [2010/09/20 10:09:17 | 000,439,308 | ---- | C] () -- C:\WINDOWS\System32\igcompkrng500.bin [2010/09/20 10:09:17 | 000,000,151 | ---- | C] () -- C:\WINDOWS\System32\GfxUI.exe.config [2010/09/20 10:02:45 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat [2010/09/20 09:48:03 | 000,217,600 | ---- | C] () -- C:\Documents and Settings\d\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010/09/20 04:50:43 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI [2010/09/20 04:49:29 | 000,204,120 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2008/04/14 06:41:26 | 000,002,048 | ---- | C] () -- C:\WINDOWS\Installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\@ [2008/04/14 06:41:26 | 000,002,048 | ---- | C] () -- C:\Documents and Settings\d\Local Settings\Application Data\{766ae966-0c13-0485-0d28-523fb79d5fb4}\@ ========== LOP Check ========== [2010/09/30 18:27:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AIM [2010/12/23 18:32:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Cisco Systems [2012/04/09 19:12:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite [2010/10/09 15:09:20 | 000,000,000 
| ---D | M] -- C:\Documents and Settings\All Users\Application Data\debugout [2012/07/22 16:42:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET [2012/06/04 22:03:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sling Media [2010/09/27 23:02:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521} [2010/09/30 18:28:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\d\Application Data\acccore [2010/09/20 14:59:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\d\Application Data\CachedFiles [2012/07/22 20:45:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\d\Application Data\DAEMON Tools Lite [2012/06/12 01:22:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\d\Application Data\Oracle [2012/06/04 19:49:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\d\Application Data\Sling Media [2012/07/17 18:44:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\d\Application Data\SystemRequirementsLab [2011/12/28 03:00:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\d\Application Data\Windows Desktop Search [2012/03/19 21:20:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\d\Application Data\Windows Search [2012/07/24 14:53:48 | 000,000,292 | ---- | M] () -- C:\WINDOWS\Tasks\PMTask.job ========== Purity Check ========== ========== Alternate Data Streams ========== @Alternate Data Stream - 120 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:502D809E < End of report > -
Olmarik.tdl4 remnant issues. Help appreciated.
jgowell21 replied to jgowell21's topic in Resolved Malware Removal Logs
Let me know if this is what you are looking for or if you need something else: https://www.virustotal.com/file/5999b39242283cd803319aadca171cccc6e2a40fb2fafa51b1d29f3ff2dd8d6c/analysis/
Olmarik.tdl4 remnant issues. Help appreciated.
jgowell21 replied to jgowell21's topic in Resolved Malware Removal Logs
Actually, I tried running RogueKiller again to see if maybe it was crashing because of the malware before. This time, I was able to get it to successfully run and it found one entry. Please see the log below:

RogueKiller V7.6.4 [07/17/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: d [Admin rights]
Mode: Scan -- Date: 07/24/2012 15:42:40

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 1 ¤¤¤
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : c:\windows\installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\windows\installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\windows\installer\{766ae966-0c13-0485-0d28-523fb79d5fb4}\L --> FOUND
[ZeroAccess][FILE] @ : c:\documents and settings\d\local settings\application data\{766ae966-0c13-0485-0d28-523fb79d5fb4}\@ --> FOUND
[ZeroAccess][FOLDER] U : c:\documents and settings\d\local settings\application data\{766ae966-0c13-0485-0d28-523fb79d5fb4}\U --> FOUND
[ZeroAccess][FOLDER] L : c:\documents and settings\d\local settings\application data\{766ae966-0c13-0485-0d28-523fb79d5fb4}\L --> FOUND
[Faked.Drv][FAKED] fltMgr.sys : c:\windows\system32\drivers\fltMgr.sys --> CANNOT FIX
[Faked.Drv][FAKED] mf.sys : c:\windows\system32\drivers\mf.sys --> CANNOT FIX
[Faked.Drv][FAKED] nic1394.sys : c:\windows\system32\drivers\nic1394.sys --> CANNOT FIX
[Faked.Drv][FAKED] nwlnknb.sys : c:\windows\system32\drivers\nwlnknb.sys --> CANNOT FIX
[Faked.Drv][FAKED] serial.sys : c:\windows\system32\drivers\serial.sys --> CANNOT FIX

¤¤¤ Driver: [LOADED] ¤¤¤
SSDT[177] : NtQueryValueKey @ 0x806221FA -> HOOKED (ALvldr.sys @ 0xB990A7E6)

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG MMCQE28G8MUP-0VA +++++
--- User ---
[MBR] 8fede7d59eefb86210a17e6e811edb02
[BSP] 76eced74339309ac5fccd08057324ebb : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 117153 Mo
1 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 239931392 | Size: 4949 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

The only option I am given is to delete or fix the registry entry related to "NewStartPanel". Should I also be concerned with the things RK states "Cannot Fix"? Please advise.
Olmarik.tdl4 remnant issues. Help appreciated.
jgowell21 replied to jgowell21's topic in Resolved Malware Removal Logs
Okay, thanks again for the help, Maniac. Feel free to close this thread, and should I experience any future problems, I'll start another one.