
dkarst (Honorary Members, 40 posts)

Everything posted by dkarst

  1. We earlier followed procedure by posting dds.txt and our issue was resolved. Thank you for your support. However, we were instructed to remove an old version of Hijack This but were unable to remove it. We forgot to ask how to do this before our thread was closed. What is the proper way to remove Hijack This?
  2. We have completed everything listed above. Thanks for your wonderful assistance and patience. You ROCK!
  3. Correction: 5) We have many files associated with removing the infection on our desktop and in our Programs folder. Should we delete all those files?
  4. Yup. Many thanks for your help!!! Before we finish up though I do have some questions. 1) Do you have any idea how and where we might have picked up this ZeroAccess trojan? 2) Is there software we can install to detect and kill this sort of problem before it infects our computer? 3) During one of the scans we were asked to disconnect any external hard drives which we did. That hard drive stores only My Documents type of files; there are no operating system files on it. Is it safe to assume it is not infected? 4) We have connected our iPad once to our computer to download a rented movie from iTunes. Is it safe to assume it is not infected? 5) We have many files on our desktop and in our Programs folder. Should we delete all those files?
  5. Malwarebytes Anti-Malware 1.70.0.1100 www.malwarebytes.org Database version: v2013.01.23.08 Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 DKarst :: HYLAS-LT-005 [administrator] 1/23/2013 11:08:40 AM mbam-log-2013-01-23 (11-08-40).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 258729 Time elapsed: 7 minute(s), 19 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end)
  6. SystemLook 30.07.11 by jpshortstuff Log created at 09:31 on 23/01/2013 by DKarst Administrator - Elevation successful ========== filefind ========== Searching for "mscomctl.ocx " C:\SwSetup\InetSec06\Support\Redist\MSRedist\mscomctl.ocx --a--c- 1066176 bytes [16:58 22/05/2000] [16:58 22/05/2000] 714CF24FC19A20AE0DC701B48DED2CF6 C:\WINDOWS\Installer\$PatchCache$\Managed\90400E0900063D11C8EF10054038389C\11.0.6361\MSCOMCTL.OCX -ra---- 1077344 bytes [14:13 06/06/2002] [14:13 06/06/2002] 774A15583DB1AD44C5EE32309C840C96 C:\WINDOWS\system32\MSCOMCTL.OCX --a---- 1070152 bytes [17:17 02/05/2012] [17:17 02/05/2012] E52859FCB7A827CACFCE7963184C7D24 Searching for "comctl32.ocx" C:\SwSetup\InetSec06\Support\Redist\MSRedist\comctl32.ocx --a--c- 608448 bytes [16:58 22/05/2000] [16:58 22/05/2000] EB5F811C1F78005B3C147599A0CCCF51 C:\WINDOWS\system32\COMCTL32.OCX --a---- 1351392 bytes [16:58 22/05/2000] [01:58 16/04/2005] 2640AD05AB39321E6C9D3C71236CA0DF Searching for "MSVBVM60.DLL" C:\WINDOWS\$NtServicePackUninstall$\msvbvm60.dll -----c- 1392671 bytes [23:16 13/05/2008] [08:00 04/08/2004] E949EEE7D1BE07E32267FE10D9992C38 C:\WINDOWS\LastGood\system32\MSVBVM60.DLL --a---- 1386496 bytes [15:29 23/01/2013] [02:42 24/02/2004] F28EB5CBC3CA6D8C787F09F047D1F9C8 C:\WINDOWS\ServicePackFiles\i386\msvbvm60.dll ------- 1384479 bytes [00:12 14/04/2008] [00:12 14/04/2008] 64B33CC5BF131DEF2721394CF9B3F8ED C:\WINDOWS\system32\MSVBVM60.DLL --a---- 1386496 bytes [02:42 24/02/2004] [02:42 24/02/2004] F28EB5CBC3CA6D8C787F09F047D1F9C8 -= EOF =-
  7. Dr.Web summary Total 22585898101 bytes in 26676 files scanned (32071 objects) Total 26660 files (32052 objects) are clean There are no infected objects detected Total 19 files are raised error condition Scan time is 00:52:57.197
  8. vbrun60sp6.exe asks where I would like to store the files. Where would you recommend?
  9. I reran Dr.Web scan in the un-enhanced mode which will generate a report. The enhanced version is recommended by Dr.Web but doesn't have the option to generate a report. Anyway, the report is very large (11MB). Do you still want to see it? Still nothing found. Is there a way to send the file as an attachment? In the meantime, I will continue on with the Service Pack 6 instructions.
  10. Was not able to find a DrWeb log file but the scan found nothing. ESET scan report ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK # version=8 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6889 # api_version=3.0.2 # EOSSerial=be517b7680ce73458c10f4a47fc818ff # end=finished # remove_checked=false # archives_checked=true # unwanted_checked=true # unsafe_checked=true # antistealth_checked=true # utc_time=2013-01-23 12:30:59 # local_time=2013-01-22 06:30:59 (-0600, Central Standard Time) # country="United States" # lang=1033 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=5889 16768382 80 100 138548422 198721805 0 138619859 # scanned=156852 # found=0 # cleaned=0 # scan_time=9791
  11. The Dr.Web express scan finished after about an hour and nothing was found. I cannot find anything in the Dr.Web dialog box that says "complete scan".
  12. All processes killed ========== OTL ========== ========== COMMANDS ========== [EMPTYTEMP] User: Administrator ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 78991 bytes ->Flash cache emptied: 348 bytes User: All Users User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 32902 bytes ->Flash cache emptied: 56468 bytes User: dkarst ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 36942248 bytes ->Java cache emptied: 1722645 bytes ->Flash cache emptied: 30386 bytes User: DKarst.HYLAS-LT-005 ->Temp folder emptied: 1451522 bytes ->Temporary Internet Files folder emptied: 83359206 bytes ->Java cache emptied: 62221725 bytes ->FireFox cache emptied: 68137337 bytes ->Flash cache emptied: 1703827 bytes User: DKARST~1~HYL User: LocalService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 49286 bytes User: NetworkService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 1881298 bytes ->Flash cache emptied: 3420 bytes %systemdrive% .tmp files removed: 0 bytes %systemroot% .tmp files removed: 19569 bytes %systemroot%\System32 .tmp files removed: 2577 bytes %systemroot%\System32\dllcache .tmp files removed: 0 bytes %systemroot%\System32\drivers .tmp files removed: 0 bytes Windows Temp folder emptied: 573 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes RecycleBin emptied: 1729 bytes Total Files Cleaned = 246.00 mb Restore point Set: OTL Restore Point [EMPTYFLASH] User: Administrator ->Flash cache emptied: 0 bytes User: All Users User: Default User ->Flash cache emptied: 0 bytes User: dkarst ->Flash cache emptied: 0 bytes User: DKarst.HYLAS-LT-005 ->Flash cache emptied: 0 bytes User: DKARST~1~HYL User: LocalService User: NetworkService ->Flash cache emptied: 0 bytes Total Flash Files 
Cleaned = 0.00 mb [EMPTYJAVA] User: Administrator User: All Users User: Default User User: dkarst ->Java cache emptied: 0 bytes User: DKarst.HYLAS-LT-005 ->Java cache emptied: 0 bytes User: DKARST~1~HYL User: LocalService User: NetworkService Total Java Files Cleaned = 0.00 mb OTL by OldTimer - Version 3.2.69.0 log created on 01222013_114904 Files\Folders moved on Reboot... PendingFileRenameOperations files... Registry entries deleted on Reboot...
  13. The OTL.exe icon is not opening the program - just the image.
  14. Add or Remove Programs will not remove Hijack This 2.0.2. Any ideas? Removed Java 6 Update 35. Java 7 Update 11 is disabled in browser (Firefox). Couldn't find Java Auto Updater in Add or Remove Programs. Removed Adobe Reader and installed new Adobe Reader. I can't find the OTLFIX.txt file.
  15. aswMBR Fix button is NOT enabled. aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software Run date: 2013-01-22 10:04:04 ----------------------------- 10:04:04.562 OS Version: Windows 5.1.2600 Service Pack 3 10:04:04.562 Number of processors: 2 586 0xF06 10:04:04.562 ComputerName: HYLAS-LT-005 UserName: DKarst 10:04:05.125 Initialize success 10:04:21.109 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 10:04:21.109 Disk 0 Vendor: ST980825 3.12 Size: 76319MB BusType: 3 10:04:21.156 Disk 0 MBR read successfully 10:04:21.171 Disk 0 MBR scan 10:04:21.171 Disk 0 unknown MBR code 10:04:21.203 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 69184 MB offset 63 10:04:21.234 Disk 0 Partition 2 00 0C FAT32 LBA RECOVERY 7131 MB offset 141689520 10:04:21.265 Disk 0 scanning sectors +156295440 10:04:21.406 Disk 0 scanning C:\WINDOWS\system32\drivers 10:04:34.703 Service scanning 10:04:51.375 Modules scanning 10:04:59.937 Module: C:\WINDOWS\System32\DLA\DLADResN.SYS **SUSPICIOUS** 10:05:02.234 Scan finished successfully 10:08:36.958 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\DKarst.HYLAS-LT-005\Desktop\MBR.dat" 10:08:37.050 The log file has been saved successfully to "C:\Documents and Settings\DKarst.HYLAS-LT-005\Desktop\aswMBR.txt"
  16. Forgot to mention that when the JRT scan started, it detected a bad module and asked to reboot which I did.
  17. JRT.txt file ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Junkware Removal Tool (JRT) by Thisisu Version: 4.4.8 (01.21.2013:2) OS: Microsoft Windows XP x86 Ran by DKarst on Tue 01/22/2013 at 9:35:31.43 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~ Services ~~~ Registry Values Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\searchscopes\\DefaultScope Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\\DefaultScope Successfully repaired: [Registry Value] hkey_users\.default\software\microsoft\internet explorer\searchscopes\\DefaultScope Successfully repaired: [Registry Value] hkey_users\s-1-5-18\software\microsoft\internet explorer\searchscopes\\DefaultScope Successfully repaired: [Registry Value] hkey_users\s-1-5-19\software\microsoft\internet explorer\searchscopes\\DefaultScope Successfully repaired: [Registry Value] hkey_users\s-1-5-20\software\microsoft\internet explorer\searchscopes\\DefaultScope Successfully repaired: [Registry Value] hkey_users\S-1-5-21-1982115908-84239568-3640218018-1142\software\microsoft\internet explorer\searchscopes\\DefaultScope Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\DisplayName Successfully repaired: [Registry Value] hkey_current_user\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\URL Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\DisplayName Successfully repaired: [Registry Value] hkey_local_machine\software\microsoft\internet explorer\searchscopes\{0633ee93-d776-472f-a0ff-e1416b8b2e3a}\\URL ~~~ Registry Keys Successfully deleted: [Registry Key] hkey_current_user\software\im Successfully deleted: [Registry Key] 
hkey_current_user\software\iminstaller Successfully deleted: [Registry Key] hkey_current_user\software\microsoft\internet explorer\searchscopes\{36377dd7-b3eb-42f5-986f-680baf59ba9d} ~~~ Files Successfully deleted: [File] C:\Documents and Settings\DKarst.HYLAS-LT-005\Local Settings\Application Data\{5004FFC1-CF4B-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul [Trojan:JS/Medfos.A] ~~~ Folders Successfully deleted: [Folder] "C:\Documents and Settings\All Users\application data\agi" Successfully deleted: [Folder] C:\Documents and Settings\DKarst.HYLAS-LT-005\Local Settings\Application Data\{5004FFC1-CF4B-11E1-8270-B8AC6F996F26} [Trojan:JS/Medfos.A] ~~~ FireFox Successfully deleted the following from C:\Documents and Settings\DKarst.HYLAS-LT-005\Application Data\mozilla\firefox\profiles\tlpafk4k.default\prefs.js user_pref("extensions.gamesbar.msnus.config.newtabhtml", "<html>\r\n<head>\r\n<title>MSN Games - Web Search</title>\r\n</head>\r\n\r\n<body>\r\n <style>\r\nbody\r\n{\r\n color user_pref("extensions.gamesbar.msnus.config.partner_logo", "iVBORw0KGgoAAAANSUhEUgAAAF8AAAAYCAYAAACcESEhAAAABGdBTUEAALGOfPtRkwAAACBjSFJNAACHDwAAjA8AAP1SAACBQAAAfXkAAOmLAAA85QA Emptied folder: C:\Documents and Settings\DKarst.HYLAS-LT-005\Application Data\mozilla\firefox\profiles\tlpafk4k.default\minidumps [163 files] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Scan was completed on Tue 01/22/2013 at 9:41:09.59 Computer was rebooted End of JRT log ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  18. Disabled Antivirus and tried to start Malwarebytes. Got this message: "This application has failed to start because MSVBVM60.DLL was not found. Re-installing the application may fix this problem." That file is actually present. Do you want me to skip step 2 and go on to step 3?
  19. System seems OK but it wasn't having problems before except that it wouldn't run Malwarebytes. ComboFix 13-01-21.04 - DKarst 01/21/2013 12:30:05.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.917 [GMT -6:00] Running from: c:\documents and settings\DKarst.HYLAS-LT-005\Desktop\Combo-Fix.exe AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\All Users\Application Data\TEMP c:\documents and settings\DKarst.HYLAS-LT-005\System c:\documents and settings\DKarst.HYLAS-LT-005\System\win_qs8.jqx c:\documents and settings\DKarst.HYLAS-LT-005\WINDOWS c:\documents and settings\DKarst.HYLAS-LT-005\zlib.dll c:\windows\IsUn0407.exe c:\windows\system32\URTTemp c:\windows\system32\URTTemp\fusion.dll c:\windows\system32\URTTemp\mscoree.dll c:\windows\system32\URTTemp\mscoree.dll.local c:\windows\system32\URTTemp\mscorsn.dll c:\windows\system32\URTTemp\mscorwks.dll c:\windows\system32\URTTemp\msvcr71.dll c:\windows\system32\URTTemp\regtlib.exe C:\xcrashdump.dat E:\Autorun.inf . . ((((((((((((((((((((((((( Files Created from 2012-12-21 to 2013-01-21 ))))))))))))))))))))))))))))))) . . 2013-01-21 15:07 . 2013-01-21 15:07 -------- d-----w- C:\RK_Quarantine 2013-01-21 12:23 . 2013-01-21 12:24 -------- d-----w- c:\program files\ERUNT 2013-01-19 14:19 . 2013-01-20 00:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2013-01-19 14:19 . 2012-12-14 22:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys 2013-01-19 13:04 . 2013-01-12 09:30 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll 2013-01-14 20:55 . 2013-01-14 21:23 -------- d-----w- c:\program files\Notation 2013-01-14 20:36 . 2013-01-14 20:41 -------- d-----w- c:\program files\Akoff Music Composer Demo 2013-01-14 20:27 . 
2013-01-14 20:27 -------- d-----w- c:\documents and settings\DKarst.HYLAS-LT-005\Application Data\Music Recognition . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2013-01-08 23:16 . 2012-03-29 11:48 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2013-01-08 23:16 . 2011-07-07 11:24 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2013-01-08 23:16 . 2012-03-30 13:16 16369160 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe 2012-12-26 16:07 . 2012-12-26 16:07 10 ----a-w- c:\windows\Fonts\wfonts.key 2012-12-16 12:23 . 2004-08-04 08:00 290560 ----a-w- c:\windows\system32\atmfd.dll 2012-11-13 01:25 . 2004-08-04 08:00 1866368 ----a-w- c:\windows\system32\win32k.sys 2012-11-06 02:01 . 2008-04-14 00:12 1371648 ------w- c:\windows\system32\msxml6.dll 2012-11-02 02:02 . 2004-08-04 08:00 375296 ----a-w- c:\windows\system32\dpnet.dll 2012-11-01 12:17 . 2004-08-04 08:00 916992 ----a-w- c:\windows\system32\wininet.dll 2012-11-01 12:17 . 2004-08-04 08:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2012-11-01 12:17 . 2004-08-04 08:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2012-11-01 00:35 . 2004-08-04 08:00 385024 ----a-w- c:\windows\system32\html.iec 2012-10-25 09:12 . 2012-10-25 09:12 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx 2012-10-25 09:12 . 2012-10-25 09:12 69632 ----a-w- c:\windows\system32\QuickTime.qts 2011-01-10 13:46 . 2011-01-10 13:46 436 ----a-w- c:\program files\011020117465817.bat 2013-01-19 03:40 . 2013-01-19 03:40 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 68856] . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "FRYMXINS"="c:\program files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl" [X] "MsmqIntCert"="mqrt.dll" [2008-04-14 177152] "AGRSMMSG"="AGRSMMSG.exe" [2006-01-30 88203] "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696] "AccelerometerSysTrayApplet"="c:\windows\system32\AccelerometerSt.exe" [2006-01-17 53248] "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056] "PTHOSTTR"="c:\program files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-02-14 122880] "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-08-31 122940] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-10 761945] "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 454656] "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-02 131072] "Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960] "Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840] "Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-01-23 802816] "Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-02-15 892928] "WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2005-11-08 184320] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896] "vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-28 125168] "Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360] "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472] "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392] "basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328] "APSDaemon"="c:\program 
files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-12-19 41208] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352] "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208] "CanonQuickMenu"="c:\program files\Canon\Quick Menu\CNQMMAIN.EXE" [2012-04-03 1273448] "IJNetworkScannerSelectorEX"="c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe" [2011-01-15 452016] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-10-25 421888] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544] . c:\documents and settings\DKarst.HYLAS-LT-005\Start Menu\Programs\Startup\ ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912] Smile Desktop.lnk - c:\program files\Webshots\Smile Desktop\Smile.exe [2012-10-16 2229760] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2007-4-13 184320] Event Planner Reminders Tray Icon.lnk - c:\sierra\Planner\PLNRnote.exe [2008-7-2 184320] Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\PMremind.exe [2008-7-2 323584] VPN Client.lnk - c:\windows\Installer\{176130BC-99A1-41FE-A78B-56045E33AD70}\Icon3E5562ED7.ico [2007-4-13 6144] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoWelcomeScreen"= 1 (0x1) . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN] 2005-08-19 13:52 389120 ----a-w- c:\windows\system32\IfxWlxEN.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard] 2005-07-25 18:41 40960 ----a-w- c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll . 
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= . R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/30/2008 8:27 AM 28544] R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [10/25/2005 12:10 PM 35488] R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [8/4/2004 2:00 AM 14336] R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/23/2012 12:37 PM 13672] R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 7:33 PM 116464] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/22/2012 7:15 AM 106656] R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [4/21/2006 6:36 AM 87936] R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [6/10/2005 7:26 AM 35968] S3 SydexFDD;Sydex Diskette Driver;c:\windows\system32\drivers\SYDEXFDD.SYS [7/4/2008 7:55 AM 13359] S3 ZSTAR;Virtual Serial USB driver for Freescale USB Adapter;c:\windows\system32\drivers\usbser-zstar.sys [10/17/2007 9:20 AM 25600] . --- Other Services/Drivers In Memory --- . *NewlyCreated* - WS2IFSL . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] Cognizance REG_MULTI_SZ ASChannel . Contents of the 'Scheduled Tasks' folder . 2013-01-21 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 23:16] . 2013-01-16 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57] . 2013-01-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 00:52] . 
2013-01-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 00:52] . 2013-01-20 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20] . 2013-01-21 c:\windows\Tasks\SDMsgUpdate (SD).job - c:\program files\SmartDraw VP\Messages\SDNotify.exe [2011-05-09 17:29] . . ------- Supplementary Scan ------- . uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 Trusted Zone: thinkbank.com\www TCP: DhcpNameServer = 206.9.88.12 206.9.88.13 FF - ProfilePath - c:\documents and settings\DKarst.HYLAS-LT-005\Application Data\Mozilla\Firefox\Profiles\tlpafk4k.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/ FF - prefs.js: network.proxy.type - 0 FF - ExtSQL: !HIDDEN! 2009-07-11 17:21; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension . - - - - ORPHANS REMOVED - - - - . SafeBoot-WinDefend AddRemove-Coupon Printer for Windows4.0 - c:\program files\Coupons\uninstall.exe AddRemove-Moorhuhn 2 V1.1 - c:\windows\IsUn0407.exe AddRemove-Moorhuhn Winter-Edition - c:\windows\IsUn0407.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2013-01-21 12:49 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???(g??????(?@???????@ . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . 
--------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe" . [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters] "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\ . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(1404) c:\windows\system32\Ati2evxx.dll c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll c:\windows\system32\IfxWlxEN.dll . 
- - - - - - - > 'explorer.exe'(4384) c:\windows\system32\WININET.dll c:\program files\ScanSoft\OmniPageSE4\OpHookSE4.dll c:\program files\HPQ\IAM\Bin\SFSShell.dll c:\program files\HPQ\IAM\bin\ItMsg.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\windows\system32\IFXTCS.exe c:\program files\Common Files\Symantec Shared\ccSetMgr.exe c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe c:\windows\System32\SCardSvr.exe c:\windows\system32\msdtc.exe c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe c:\program files\Bonjour\mDNSResponder.exe c:\windows\system32\Ati2evxx.exe c:\program files\Cisco Systems\VPN Client\cvpnd.exe c:\program files\Symantec AntiVirus\DefWatch.exe c:\windows\system32\IFXSPMGT.exe c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe c:\program files\HPQ\IAM\bin\asghost.exe c:\program files\ProtectTools\Embedded Security Software\SpTna.exe c:\program files\Java\jre7\bin\jqs.exe c:\program files\HPQ\HP ProtectTools Security Manager\PTServs.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\ProtectTools\Embedded Security Software\PSDsrvc.EXE c:\program files\Symantec AntiVirus\Rtvscan.exe c:\program files\Canon\CAL\CALMAIN.exe c:\windows\system32\mqsvc.exe c:\program files\Windows Media Player\WMPNetwk.exe c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe c:\windows\system32\mqtgsvc.exe c:\windows\AGRSMMSG.exe c:\program files\iPod\bin\iPodService.exe c:\progra~1\HPQ\Shared\HPQTOA~1.EXE . 
************************************************************************** . Completion time: 2013-01-21 12:56:15 - machine was rebooted ComboFix-quarantined-files.txt 2013-01-21 18:56 . Pre-Run: 10,419,482,624 bytes free Post-Run: 13,133,410,304 bytes free . WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect . - - End Of File - - 1E720FB82A249EA9138127AD54ECD244
  20. mbar-log-2013-01-21 (11-28-36).txt Malwarebytes Anti-Rootkit BETA 1.01.0.1016 www.malwarebytes.org Database version: v2013.01.21.06 Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 DKarst :: HYLAS-LT-005 [administrator] 1/21/2013 11:28:36 AM mbar-log-2013-01-21 (11-28-36).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P Scan options disabled: Objects scanned: 28660 Time elapsed: 37 minute(s), 36 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 2 HKLM\SOFTWARE\CLASSES\INTERFACE\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Delete on reboot. HKLM\SOFTWARE\CLASSES\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB} (PUP.MyWebSearch) -> Delete on reboot. Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end) system-log.txt --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.01.0.1016 © Malwarebytes Corporation 2011-2012 OS version: 5.1.2600 Windows XP Service Pack 3 x86 Account is Administrative Internet Explorer version: 8.0.6001.18702 Java version: 1.6.0_35 File system is: NTFS Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED CPU speed: 1.995000 GHz Memory total: 2146807808, free: 1053712384 --------------------------------------- Malwarebytes Anti-Rootkit BETA 1.01.0.1016 © Malwarebytes Corporation 2011-2012 OS version: 5.1.2600 Windows XP Service Pack 3 x86 Account is Administrative Internet Explorer version: 8.0.6001.18702 Java version: 1.6.0_35 File system is: NTFS Disk drives: C:\ DRIVE_FIXED, E:\ DRIVE_FIXED CPU speed: 1.995000 GHz Memory total: 2146807808, free: 1048051712 ------------ Kernel report ------------ 01/21/2013 10:49:38 ------------ 
\??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20130118.007\naveng.sys \SystemRoot\System32\Drivers\SYMREDRV.SYS \SystemRoot\system32\drivers\kmixer.sys \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys \WINDOWS\system32\ntdll.dll ----------- End ----------- <<<1>>> Upper Device Name: \Device\Harddisk0\DR0 Upper Device Object: 0xffffffff8a5bdab8 Upper Device Driver Name: \Driver\Disk\ Lower Device Name: \Device\Ide\IAAStorageDevice-0\ Lower Device Object: 0xffffffff8a563030 Lower Device Driver Name: \Driver\iaStor\ Driver name found: iaStor Initialization returned 0x0 Load Function returned 0x0 Downloaded database version: v2013.01.21.06 Initializing... Done! <<<2>>> Device number: 0, partition: 1 Physical Sector Size: 512 Drive: 0, DevicePointer: 0xffffffff8a5bdab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ --------- Disk Stack ------ DevicePointer: 0xffffffff8a4bf9f0, DeviceName: Unknown, DriverName: \Driver\PartMgr\ DevicePointer: 0xffffffff8a5bdab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\ DevicePointer: 0xffffffff8a4bfc08, DeviceName: Unknown, DriverName: \Driver\hpdskflt\ DevicePointer: 0xffffffff8a52cf18, DeviceName: \Device\000000a4\, DriverName: \Driver\ACPI\ DevicePointer: 0xffffffff8a563030, DeviceName: \Device\Ide\IAAStorageDevice-0\, DriverName: \Driver\iaStor\ ------------ End ---------- Upper DeviceData: 0xffffffffe5b0bd00, 0xffffffff8a5bdab8, 0xffffffff882aeab8 Lower DeviceData: 0xffffffffe12a7128, 0xffffffff8a563030, 0xffffffff883acf18 <<<3>>> Volume: C: File system type: NTFS SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes Scanning directory: C:\WINDOWS\system32\drivers... Read File: File "C:\WINDOWS\system32\drivers\103C_HP_NTBK_HP Compaq nw8440 (RB556UT#ABA)_YN_0U_QCNU6511VBT_E406769001_46_I30A3_SHP_VKBC Version 40.17_B68YVD Ver. 
F.0E_T060928_WXP2_L409_M1024_J80_7Intel_8Core2 T7200_92_#060421_N14E416FD_(RB556UT#ABA)_XMOBILE.MRK" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\cinemst2.sys" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\cpqdap01.sys" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\enum1394.sys" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\fsvga.sys" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\gm.dls" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\gmreadme.txt" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\Hdaudio.sys" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\mcd.sys" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\nikedrv.sys" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\nwlnknb.sys" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\nwlnkspx.sys" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\SYMEVENT.SYS" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\tsbvcap.sys" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\rawwan.sys" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\rio8drv.sys" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\riodrv.sys" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\rootmdm.sys" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\symdns.sys" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\vdmindvd.sys" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\ati2erec.dll" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\wpdusb.sys" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\ws2ifsl.sys" is compressed (flags = 1) Read File: File 
"C:\WINDOWS\system32\drivers\symfw.sys" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\symids.sys" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\symndis.sys" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\SymRedir.cat" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\SymRedir.inf" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\tosdvd.sys" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\atmepvc.sys" is compressed (flags = 1) Read File: File "C:\WINDOWS\system32\drivers\atmuni.sys" is compressed (flags = 1) Done! Drive 0 Scanning MBR on drive 0... Inspecting partition table: MBR Signature: 55AA Disk Signature: 95AA95AA Partition information: Partition 0 type is Primary (0x7) Partition is ACTIVE. Partition starts at LBA: 63 Numsec = 141689457 Partition file system is NTFS Partition is bootable Partition 1 type is Other (0xc) Partition is NOT ACTIVE. Partition starts at LBA: 141689520 Numsec = 14605920 Partition 2 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Partition 3 type is Empty (0x0) Partition is NOT ACTIVE. Partition starts at LBA: 0 Numsec = 0 Disk Size: 80026361856 bytes Sector size: 512 bytes Scanning physical sectors of unpartitioned space on drive 0 (1-62-156281488-156301488)... Done! Performing system, memory and registry scan... 
Infected: HKLM\SOFTWARE\CLASSES\INTERFACE\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB} --> [PUP.MyWebSearch] Infected: HKLM\SOFTWARE\CLASSES\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB} --> [PUP.MyWebSearch] Read File: File "c:\Documents and Settings\Administrator\Application Data\Microsoft\Protect\CREDHIST" is compressed (flags = 1) Read File: File "c:\Documents and Settings\All Users\Application Data\Adobe\ALM\alm.log" is compressed (flags = 1) Read File: File "c:\Documents and Settings\All Users\Application Data\SBSI\ORUN\bookmrk.dbf" is compressed (flags = 1) Read File: File "c:\Documents and Settings\All Users\Application Data\SBSI\ORUN\Grpsyll.dbf" is compressed (flags = 1) Read File: File "c:\Documents and Settings\All Users\Application Data\SBSI\ORUN\Progress.dbf" is compressed (flags = 1) Read File: File "c:\Documents and Settings\All Users\Application Data\SBSI\ORUN\Settings.dbf" is compressed (flags = 1) Read File: File "c:\Documents and Settings\All Users\Application Data\SBSI\ORUN\Syllabus.dbf" is compressed (flags = 1) Read File: File "c:\Documents and Settings\All Users\Application Data\Microsoft\Machine Debug Manager\mdm.ini" is compressed (flags = 1) Read File: File "c:\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST" is compressed (flags = 1) Read File: File "c:\Documents and Settings\dkarst\Application Data\Download Manager\AcroPro80_efg.exe_e0be61ca.tmp" is compressed (flags = 1) Read File: File "c:\Documents and Settings\dkarst\Application Data\Download Manager\adobe.GIF_e162c9d8.tmp" is compressed (flags = 1) Read File: File "c:\Documents and Settings\dkarst\Application Data\Google\Local Search History\google%2Egroups.w" is compressed (flags = 1) Read File: File "c:\Documents and Settings\dkarst\Application Data\Google\Local Search History\google%2Enews.w" is compressed (flags = 1) Read File: File "c:\Documents and Settings\dkarst\Application Data\Microsoft\Media Player\00212B16.wpl" is compressed (flags = 1) Read 
File: File "c:\Documents and Settings\dkarst\Application Data\Microsoft\Office\Graph11.pip" is compressed (flags = 1) Read File: File "c:\Documents and Settings\dkarst\Application Data\Microsoft\Office\MSO1031.acl" is compressed (flags = 1) Read File: File "c:\Documents and Settings\dkarst\Application Data\Microsoft\Office\Word12.pip" is compressed (flags = 1) Read File: File "c:\Documents and Settings\dkarst\Application Data\Microsoft\Protect\CREDHIST" is compressed (flags = 1) Read File: File "c:\Documents and Settings\dkarst\Application Data\Microsoft\Signatures\Dennis Karst.txt" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Protect\CREDHIST" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\PendingAlertsQueue.log" is compressed (flags = 1) Read File: File "c:\Program Files\Outlook Express\msoe.txt" is compressed (flags = 1) Read File: File "c:\RECYCLER\S-1-5-21-1708537768-602609370-725345543-500\desktop.ini" is compressed (flags = 1) Read File: File "c:\RECYCLER\S-1-5-21-1708537768-602609370-725345543-500\INFO2" is compressed (flags = 1) Read File: File "c:\RECYCLER\S-1-5-21-291779820-1727755652-3596386878-500\desktop.ini" is compressed (flags = 1) Read File: File "c:\RECYCLER\S-1-5-21-291779820-1727755652-3596386878-500\INFO2" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\$ncsp$.inf" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\d.scf" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\cmos.ram" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\desktop.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\dsound.vxd" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\logonui.exe.manifest" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\LuResult.txt" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\l_except.nls" is compressed 
(flags = 1) Read File: File "c:\WINDOWS\system32\login.cmd" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\MsiExec.log" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\pcl.sep" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\perfci.h" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\perffilt.h" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\perfwci.h" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\prodspec.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\pscript.sep" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\View Channels.scf" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\drivers\SymRedir.cat" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\drivers\etc\networks" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\oobe\HPSysInf.INI" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\oobe\migip.dun" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\oobe\migrate.isp" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\oobe\msobe.isp" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\oobe\obeip.dun" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\oobe\reg.isp" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\wbem\wmiclivalueformat.xsl" is compressed (flags = 1) Read File: File "c:\Documents and Settings\Administrator\Local Settings\Temp\delmodem.ini" is compressed (flags = 1) Read File: File "c:\Documents and Settings\dkarst\Local Settings\Temp\MSI7efdd.LOG" is compressed (flags = 1) Read File: File "c:\Documents and Settings\dkarst\Local Settings\Temp\MSIb3f89.LOG" is compressed (flags = 1) Read File: File "c:\Documents and Settings\Default User\ntuser.ini" is compressed (flags = 1) Read File: File "c:\Documents and Settings\LocalService\ntuser.ini" is compressed (flags = 1) Read File: File "c:\Documents and 
Settings\NetworkService\ntuser.ini" is compressed (flags = 1) Read File: File "c:\Documents and Settings\Default User\Local Settings\desktop.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini" is compressed (flags = 1) Read File: File "c:\Documents and Settings\Default User\Local Settings\Application Data\fusioncache.dat" is compressed (flags = 1) Read File: File "c:\Documents and Settings\NetworkService\Local Settings\Application Data\fusioncache.dat" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\fusioncache.dat" is compressed (flags = 1) Read File: File "c:\WINDOWS\explorer.scf" is compressed (flags = 1) Read File: File "c:\WINDOWS\SEC2.LOG" is compressed (flags = 1) Read File: File "c:\WINDOWS\setuperr.log" is compressed (flags = 1) Read File: File "c:\WINDOWS\smscfg.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\vb.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\vbaddin.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\wininit.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\Microsoft.Vsa.Vb.CodeDOMProcessor\7.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\cscompmgd\7.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\IEExecRemote\1.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File 
"c:\WINDOWS\assembly\GAC\IEHost\1.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\IIEHost\1.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\ISymWrapper\1.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\Microsoft.JScript\7.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Graph\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Outlook\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.OutlookViewCtl\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.SmartTag\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop.Forms\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\Microsoft.VisualBasic\7.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\Microsoft.VisualBasic.Vsa\7.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\Microsoft.VisualC\7.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\Microsoft.Vsa\7.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File 
"c:\WINDOWS\assembly\GAC\Microsoft_VsaVb\7.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\mscorcfg\1.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\Regcode\1.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\stdole\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\System.Configuration.Install\1.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\System.Data\1.0.5000.0__b77a5c561934e089\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\System.Data.OracleClient\1.0.5000.0__b77a5c561934e089\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\System.Design\1.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\System.DirectoryServices\1.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\System.EnterpriseServices\1.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\System.Management\1.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\System.Messaging\1.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: 
File "c:\WINDOWS\assembly\GAC\System.Runtime.Remoting\1.0.5000.0__b77a5c561934e089\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\System.ServiceProcess\1.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\System.Web.Mobile\1.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\System.Web.RegularExpressions\1.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\assembly\GAC\System.Web.Services\1.0.5000.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\Debug\UserMode\gptext.log" is compressed (flags = 1) Read File: File "c:\WINDOWS\Downloaded Program Files\DownloadManagerV2.inf" is compressed (flags = 1) Read File: File "c:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf" is compressed (flags = 1) Read File: File "c:\WINDOWS\Downloaded Program Files\wuweb.inf" is compressed (flags = 1) Read File: File "c:\WINDOWS\Help\ciadmin.htm" is compressed (flags = 1) Read File: File "c:\WINDOWS\Help\conf.cnt" is compressed (flags = 1) Read File: File "c:\WINDOWS\Help\connect.cnt" is compressed (flags = 1) Read File: File "c:\WINDOWS\Help\mshearts.cnt" is compressed (flags = 1) Read File: File "c:\WINDOWS\Help\msnauth.cnt" is compressed (flags = 1) Read File: File "c:\WINDOWS\Help\nocontnt.cnt" is compressed (flags = 1) Read File: File "c:\WINDOWS\Help\ratings.cnt" is compressed (flags = 1) Read File: File "c:\WINDOWS\Help\update.cnt" is compressed (flags = 1) Read File: File "c:\WINDOWS\Help\windows.cnt" is compressed (flags = 1) Read File: File "c:\WINDOWS\Help\winhlp32.cnt" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\installutil.exe.config" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\regsvcs.exe.config" is compressed 
(flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\regsvcs.exe.rtm.config" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet.mof.uninstall" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\caspol.exe.config" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ConfigWizards.exe.config" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\csc.exe.config" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\cvtres.exe.config" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\gacutil.exe.config" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ieexec.exe.config" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\jsc.exe.config" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ilasm.exe.config" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\l_except.nlp" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\regasm.exe.config" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\regsvcs.exe.config" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\vbc.exe.config" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\XPThemes.manifest" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\1033\SetupENU1.txt" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\1033\SetupENU2.txt" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ASP.NETClientFiles\SmartNav.htm" is compressed (flags = 1) Read File: File 
"c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Aspnet.config" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\_dataperfcounters_shared12_neutral.h" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Aspnet_regsql.exe.config" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\caspol.exe.config" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet.mof.uninstall" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\_DataOracleClientPerfCounters_shared12_neutral.h" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\csc.exe.config" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ieexec.exe.config" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ilasm.exe.config" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\jsc.exe.config" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regasm.exe.config" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe.config" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe.config" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\XPThemes.manifest" is compressed (flags = 1) Read File: File "c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\webAdminNoNavBar.master" is compressed (flags = 1) Read File: File "c:\WINDOWS\Web\bullet.gif" is compressed (flags = 1) Read File: File "c:\Documents and Settings\Administrator\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1) Read File: File "c:\Documents and Settings\Administrator\Local Settings\Temp\delmodem.ini" is compressed (flags = 1) 
Read File: File "c:\Documents and Settings\Default User\Local Settings\desktop.ini" is compressed (flags = 1) Read File: File "c:\Documents and Settings\Default User\Local Settings\Application Data\fusioncache.dat" is compressed (flags = 1) Read File: File "c:\Documents and Settings\dkarst\Local Settings\Temp\MSI7efdd.LOG" is compressed (flags = 1) Read File: File "c:\Documents and Settings\dkarst\Local Settings\Temp\MSIb3f89.LOG" is compressed (flags = 1) Read File: File "c:\Documents and Settings\LocalService\Local Settings\History\desktop.ini" is compressed (flags = 1) Read File: File "c:\Documents and Settings\LocalService\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1) Read File: File "c:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat" is compressed (flags = 1) Read File: File "c:\Documents and Settings\NetworkService\Local Settings\Application Data\fusioncache.dat" is compressed (flags = 1) Read File: File "c:\Documents and Settings\NetworkService\Local Settings\History\desktop.ini" is compressed (flags = 1) Read File: File "c:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1) Read File: File "c:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\fusioncache.dat" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini" is compressed (flags = 1) Read File: File "c:\Documents and Settings\Default User\Local Settings\Application Data\fusioncache.dat" is compressed (flags = 1) Read File: File "c:\Documents and Settings\dkarst\Local Settings\Application Data\Microsoft\Feeds Cache\desktop.ini" is compressed (flags = 
1) Read File: File "c:\Documents and Settings\dkarst\Local Settings\Application Data\Microsoft\Outlook\updndex.oab" is compressed (flags = 1) Read File: File "c:\Documents and Settings\NetworkService\Local Settings\Application Data\fusioncache.dat" is compressed (flags = 1) Read File: File "c:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\fusioncache.dat" is compressed (flags = 1) Read File: File "c:\RECYCLER\S-1-5-21-1708537768-602609370-725345543-500\desktop.ini" is compressed (flags = 1) Read File: File "c:\RECYCLER\S-1-5-21-1708537768-602609370-725345543-500\INFO2" is compressed (flags = 1) Read File: File "c:\RECYCLER\S-1-5-21-291779820-1727755652-3596386878-500\desktop.ini" is compressed (flags = 1) Read File: File "c:\RECYCLER\S-1-5-21-291779820-1727755652-3596386878-500\INFO2" is compressed (flags = 1) Done! Scan finished =======================================
  21. Followed instructions above and started mbar.exe and got this message: Probable rootkit activity detected. Registry value "AppInit_Dlls" has been found, which may be caused by rootkit activity. Note: Press "No" button if you're not sure. If the tool crashes or terminates unexpectedly during a system scan, restart the tool and press "Yes" should this message appear again. Do you want to remove this value and restart the tool? What would you recommend doing?
  22. When trying to run mbar.exe, a message appears that says "This application has failed to start because QtGui4.dll was not found. Re-installing the application may fix this problem." That file is actually present and I have tried to reinstall the anti-rootkit twice. Should I reboot?