Rootkit.Win32.Bubnix.bba


Rootkit.Win32.Bubnix.bba

Post by clawckc on Sat 16 Oct 2010, 9:28 am

Hello, I am a decent computer engineer and programmer, but this time I'm quite stuck!
I ran a scan with Kaspersky 2011 and it reported that I have a rootkit, win32.Bubnix.bba. It asked me if I wanted to remove it with a special removal tool, something I did want to try. But after the removal finished and the computer restarted, both files reported by Kaspersky were still on the system. Then I tried to use Malwarebytes. It also found the rootkit and was able to delete one of the two files. The last file, f:\windows\system32\drivers\bclyz.sys, still refused to be deleted. Neither Windows Explorer, DOS, safe mode, nor even booting an old Windows XP (dual boot) helped. Malwarebytes says in its report that the file was quarantined and deleted successfully, but it is not.
Starting to get a bit irritated, I searched the registry for entries with the name bclyz. I found a few under HLM\System\ControlSet002\enum\root\Legacy_BCLYZ, and the same for HCU, HCC, HU. But when I tried to remove any of them (after exporting the keys as a backup) I just got the message "Cannot delete LEGACY_BCLYZ error deleting key", nor can I change the settings. When trying to delete the file in DOS I get "a device attached to the system is not working". The size of the file is 552kb.
I do know that I don't have any processes running that could be a virus/trojan. I have also checked whether there were any errors in the Device Manager. I have googled the filename, but with no luck. Kaspersky doesn't have any useful info on this rootkit yet, and I would really like to keep my system up without a full reinstallation. Finally, I also downloaded ComboFix and renamed it to test.exe while downloading. But it won't start at all, even if I download it in safe mode.
So, does anyone have a serious suggestion for getting rid of it?

clawckc

Newbie Surfer

Posts : 11
Joined : 2010-10-16
Operating System : windows 7
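The checks the poster did by hand (does the driver file exist, is there a LEGACY_ key for it under Enum\Root, is the service still registered) can be done read-only in one pass, which is also how OTL's "DRV -" lines come about. The script below is an added example for this thread, not one of the tools the helpers here use and not part of any post; it uses only the standard registry paths under HKLM\SYSTEM\CurrentControlSet and standard PowerShell cmdlets, and it modifies nothing.

```powershell
# Added example, not from the thread: read-only triage of kernel driver services.
# For every driver registered under Services it reports whether the ImagePath file
# exists on disk, its Authenticode status, and whether a matching LEGACY_<NAME> key
# exists under Enum\Root (the key the poster found for bclyz). Run from an elevated
# PowerShell prompt; nothing is changed.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$legacyRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$sysRoot     = $env:SystemRoot

function Resolve-DriverImagePath {
    param([string]$ImagePath, [string]$ServiceName)
    # Drivers with no ImagePath value default to System32\drivers\<name>.sys
    if (-not $ImagePath) { return (Join-Path $sysRoot "System32\drivers\$ServiceName.sys") }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                  # \??\C:\...       -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$sysRoot\"   # \SystemRoot\...  -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $sysRoot $p }   # relative to %SystemRoot%
    return $p
}

# Start values as OTL prints them: 0 Boot, 1 System, 2 Auto, 3 On_Demand, 4 Disabled
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'On_Demand'; 4 = 'Disabled' }

$drivers = foreach ($svc in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue
    # Type 1 = kernel driver, 2 = file system driver; Win32 services are skipped
    if (@(1, 2) -notcontains $props.Type) { continue }

    $path   = Resolve-DriverImagePath $props.ImagePath $svc.PSChildName
    $exists = Test-Path -LiteralPath $path
    $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
    $legacy = Test-Path -LiteralPath (Join-Path $legacyRoot ('LEGACY_' + $svc.PSChildName.ToUpper()))
    $start  = if ($props.Start -ne $null) { $startNames[[int]$props.Start] } else { '?' }

    New-Object PSObject -Property @{
        Name       = $svc.PSChildName
        Start      = $start
        ImagePath  = $path
        FileExists = $exists
        Signature  = $sig
        LegacyKey  = $legacy
    }
}

# Worth a second look: a driver whose file is present but not validly signed, or a
# driver whose file is gone while its service entry and LEGACY_ key remain
# (compare with the "DRV - File not found" lines in an OTL log).
$drivers |
    Where-Object { ($_.FileExists -and $_.Signature -ne 'Valid') -or (-not $_.FileExists -and $_.LegacyKey) } |
    Sort-Object Name |
    Format-Table Name, Start, FileExists, Signature, LegacyKey, ImagePath -AutoSize
```

Two caveats when reading the output. Many Microsoft inbox drivers are catalog-signed rather than carrying an embedded signature, so on Windows 7-era PowerShell they can show as NotSigned; treat the Signature column as a prompt to look closer, not as a verdict. And a "File not found" entry by itself is common (the OTL log in this thread lists dozens of them for drivers that Windows registers but never installed), so the interesting rows are the ones that also have a LEGACY_ key, a boot or system start type, or a randomly-looking name.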

Re: Rootkit.Win32.Bubnix.bba

Post by Belahzur on Sat 16 Oct 2010, 10:02 am

Hello.

Download OTL by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


@RealBelahzur - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Extras

Post by clawckc on Sat 16 Oct 2010, 10:45 am

OTL Extras logfile created on: 10/16/2010 4:06:07 AM - Run 1
OTL by OldTimer - Version 3.2.15.2 Folder = F:\Users\Kristen\Downloads
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Norway | Language: NOR | Date Format: dd.MM.yyyy

3.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 45.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = F: | %SystemRoot% = F:\Windows | %ProgramFiles% = F:\Program Files
Drive C: | 111.78 Gb Total Space | 3.29 Gb Free Space | 2.94% Space Free | Partition Type: NTFS
Drive D: | 465.76 Gb Total Space | 10.77 Gb Free Space | 2.31% Space Free | Partition Type: NTFS
Drive E: | 931.50 Gb Total Space | 12.08 Gb Free Space | 1.30% Space Free | Partition Type: NTFS
Drive F: | 465.76 Gb Total Space | 43.52 Gb Free Space | 9.34% Space Free | Partition Type: NTFS
Drive G: | 298.09 Gb Total Space | 117.85 Gb Free Space | 39.54% Space Free | Partition Type: NTFS

Computer Name: DILDOG | User Name: Kristen | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- F:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- F:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "F:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "F:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00450E05-6F4C-42E5-9598-02CF18378FEA}" = Windows Live ID Sign-in Assistant
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{17F6CD67-0E9D-4C4B-8F49-17F081092AE2}" = Better Homes and Gardens Interior Designer 7.0
"{19DD26A7-F0DD-472E-887F-44128C31163C}" = Windows Live Messenger
"{1AFF3E5C-E67C-4D36-8478-8C36491440C2}" = InstallAware 7
"{1CAC7A41-583B-4483-9FA5-3E5465AFF8C2}" = Microsoft Default Manager
"{268C2D6E-CDE9-47CD-87D9-A87710966709}" = BPDSoftware_Ini
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 21
"{32E8DEED-D6E7-4A93-9687-BCC34DB594CE}" = 7000E809a_BasicWeb
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{3932CA01-E514-48A1-8D2D-B9DA712C58B5}" = Windows Live Writer
"{394A36B7-A693-48FD-AA14-DC17E291A378}" = Windows Live Writer
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3D9892BB-A751-4E48-ADC8-E4289956CE1D}" = QuickTime
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{41A15ABD-081B-43DC-91A5-8727265E8D77}" = Windows Live Photo Common
"{43CDF946-F5D9-4292-B006-BA0D92013021}" = WebReg
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4DAF3337-369F-4C90-AB5F-B0E75A2060C2}" = 7000E809a_Help_BasicWeb
"{4E89C074-29D6-4756-B820-A95F5E15B33A}" = Windows Live MIME IFilter
"{4F88F5D8-767A-4EB4-9AFA-A7CBCC69D767}" = Windows Live SOXE
"{52CDDA92-56B6-4BA5-BD8D-E13B186008CB}" = D3DX10
"{54488589-76BC-4A3F-AC4F-71EBAD657850}" = Windows Live Communications Platform
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{582F9E42-722A-446A-8343-0902D39C7F35}" = HP Officejet 7000 E809a Series
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{61D6891E-E822-4448-9F9A-0AAAAEB6AF6C}" = Adobe Creative Suite 4 Master Collection
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{6425C9F0-D520-4F5B-9F68-C0DC643787AA}" = Windows Live Messenger
"{66069562-D3AF-4515-B1FD-7EE4DE5CE7D2}" = Windows Live PIMT Platform
"{66F1F013-008F-4875-B283-5A814B820347}" = Kaspersky Anti-Virus 2011
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{68A35043-C55A-4237-88C9-37EE1C63ED71}" = Microsoft Visual J# 2.0 Redistributable Package
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6BBA26E9-AB03-4FE7-831A-3535584CA002}" = Toolbox
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{72263053-50D1-4598-9502-51ED64E54C51}" = Borland Delphi 7
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{75247E38-5C9B-45D6-ADF8-E11CB56B4990}" = Network
"{7AB3A249-FB81-416B-917A-A2A10E74C503}" = iTunes
"{7B63B2922B174135AFC0E1377DD81EC2}" =
"{7E432D8D-D78A-44A8-9FE8-B8942F7FD01F}" = Windows Live UX Platform
"{7F410305-8952-4247-BA19-69A5C32015BF}" = OpenOffice.org 3.1
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{915F574A-CFE9-4A13-851B-E37D58A41BF2}" = Windows Live Writer
"{91973772-A002-446D-8A67-B410553AD8F9}" = Windows Live SOXE Definitions
"{92127AF5-FDD8-4ADF-BC40-C356C9EE0B7D}" = 32 Bit HP CIO Components Installer
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A2B58B18-5D04-4006-9713-B6945880746E}" = CodeGear RAD Studio 2009
"{A7920A06-258A-4E57-B391-95B8E3B92A3A}" = Windows Live Essentials Beta
"{AC76BA86-1033-F400-7760-000000000004}" = Adobe Acrobat 9 Pro - English, Français, Deutsch
"{AC76BA86-7AD7-1044-7B44-A93000000001}" = Adobe Reader 9.3 - Norsk
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{C0A30BAA-295D-4F7F-8776-FD09FD57E2E2}" = Windows Live Installer
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CED9B1E8-FFCB-4497-9DFC-F0B20146896E}" = Windows Live Mail
"{CF092689-6ADF-4C86-A8DA-31B0B448A36C}" = Junk Mail filter update
"{D80A6A73-E58A-4673-AFF5-F12D7110661F}" = Call of Duty(R) - World at War(TM)
"{DBCC555E-9DC5-4095-8B87-FDE406010689}" = Windows Live UX Platform Language Pack
"{DD1865F0-AD73-40FB-B23E-1822E02396FF}" = NVIDIA PhysX
"{E63E34A7-E552-412B-9E40-FD6FC5227ABA}_is1" = Uniblue RegistryBooster 2010
"{E8EE9410-8AC4-4F43-A626-DDECA75C79F3}" = Adobe Setup
"{EAD90079-5C9F-4BB0-98D2-93CD2F29EB09}" = Windows Live Writer Resources
"{EC7A11C6-B776-43A5-8C40-E468B5476D16}" = Windows Live Photo Common Beta
"{ED486248-8800-40E1-AA2D-C6228CEB9679}" = Windows Live Mail
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"{FD59BB38-9826-4EC0-B09E-A53FFFDC7523}" = CodeGear Delphi and C++Builder 2009 Database Pack
"{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}" = Adobe Setup
"AC3Filter_is1" = AC3Filter 1.63b
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe PageMaker 7.0" = Adobe PageMaker 7.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adobe_719d6f144d0c086a0dfa7ff76bb9ac1" = Adobe Photoshop CS3
"Adobe_b2d6abde968e6f277ddbfd501383e02" = Adobe Creative Suite 4 Master Collection
"Bass Audio Decoder" = Bass Audio Decoder (remove only)
"CD Audio Reader Filter" = CD Audio Reader Filter (remove only)
"CodeGear Delphi and C++Builder 2009 Database Pack" = CodeGear Delphi and C++Builder 2009 Database Pack
"CodeGear InterBase 2009 [instance = gds_db]" = CodeGear InterBase 2009 [instance = gds_db]
"CodeGear RAD Studio 2009" = CodeGear RAD Studio 2009
"DCoder Image Source" = DCoder Image Source (remove only)
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"DivX Setup.divx.com" = DivX Setup
"DriveBooster" = Drive Booster Manager
"DScaler 5 Mpeg Decoders_is1" = DScaler 5 Mpeg Decoders
"ffdshow_is1" = ffdshow v1.1.3562 [2010-09-07]
"FFMPEG Core Files" = FFMPEG Core Files (remove only)
"FLV Player" = FLV Player 2.0 (build 25)
"Gabest MPEG Splitter" = Gabest MPEG Splitter (remove only)
"HaaliMkx" = Haali Media Splitter
"Icon Searcher_is1" = Icon Searcher 3.20
"ImTOO Download YouTube Video" = ImTOO Download YouTube Video
"InstallAware 7" = InstallAware 7
"InstallShield_{D80A6A73-E58A-4673-AFF5-F12D7110661F}" = Call of Duty(R) - World at War(TM)
"InstallWIX_{66F1F013-008F-4875-B283-5A814B820347}" = Kaspersky Anti-Virus 2011
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 6.4.0
"Liveupdate4_is1" = Liveupdate4
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Matroska Pack" = Matroska Pack
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Visual J# 2.0 Redistributable Package" = Microsoft Visual J# 2.0 Redistributable Package
"MONOGRAM AMR Splitter/Decoder" = MONOGRAM AMR Splitter/Decoder (remove only)
"Mozilla Firefox (3.6.10)" = Mozilla Firefox (3.6.10)
"NVIDIA Drivers" = NVIDIA Drivers
"OpenSource AVI Splitter" = OpenSource AVI Splitter (remove only)
"OpenSource DTS/AC3/DD+ Source Filter" = OpenSource DTS/AC3/DD+ Source Filter (remove only)
"OverclockingCenter_is1" = OverclockingCenter
"qt7lite_is1" = QT Lite 3.0.0
"Rave Reports 7.6.0 BE_is1" = Rave Reports 7.6.0 BE
"RealMedia" = RealMedia (remove only)
"SilentNight Pro Burner_is1" = SilentNight Pro Burner 1.0 build 17
"Spyware Doctor" = Spyware Doctor 8.0
"Steam App 10180" = Call of Duty: Modern Warfare 2
"Steam App 10190" = Call of Duty: Modern Warfare 2 - Multiplayer
"TMS GUIMotions for RAD Studio 2009_is1" = TMS GUIMotions for RAD Studio 2009 v1.1.1.0
"TMS TAdvStringGrid for RAD Studio 2009_is1" = TMS TAdvStringGrid for RAD Studio 2009 v5.0.3.1
"TMS TAdvTrackBar for RAD Studio 2009_is1" = TMS TAdvTrackBar for RAD Studio 2009 v1.3
"Unlocker" = Unlocker 1.9.0
"uTorrent" = µTorrent
"VisioForge Media Player SDK_is1" = VisioForge Media Player SDK 2.15
"VLC media player" = VLC media player 1.0.1
"WinLiveSuite" = Windows Live Essentials Beta
"WinRAR archiver" = WinRAR archiver
"ZoomPlayer" = Zoom Player (remove only)

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

clawckc

Newbie Surfer

Posts : 11
Joined : 2010-10-16
Operating System : windows 7

Re: Rootkit.Win32.Bubnix.bba

Post by clawckc on Sat 16 Oct 2010, 10:45 am

OTL logfile created on: 10/16/2010 4:06:07 AM - Run 1
OTL by OldTimer - Version 3.2.15.2 Folder = F:\Users\Kristen\Downloads
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: Norway | Language: NOR | Date Format: dd.MM.yyyy

3.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 45.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = F: | %SystemRoot% = F:\Windows | %ProgramFiles% = F:\Program Files
Drive C: | 111.78 Gb Total Space | 3.29 Gb Free Space | 2.94% Space Free | Partition Type: NTFS
Drive D: | 465.76 Gb Total Space | 10.77 Gb Free Space | 2.31% Space Free | Partition Type: NTFS
Drive E: | 931.50 Gb Total Space | 12.08 Gb Free Space | 1.30% Space Free | Partition Type: NTFS
Drive F: | 465.76 Gb Total Space | 43.52 Gb Free Space | 9.34% Space Free | Partition Type: NTFS
Drive G: | 298.09 Gb Total Space | 117.85 Gb Free Space | 39.54% Space Free | Partition Type: NTFS

Computer Name: DILDOG | User Name: Kristen | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/10/16 04:04:58 | 000,574,464 | ---- | M] (OldTimer Tools) -- F:\Users\Kristen\Downloads\OTL.exe
PRC - [2010/10/15 12:16:11 | 000,352,976 | ---- | M] (Kaspersky Lab ZAO) -- F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe
PRC - [2010/09/23 09:47:50 | 001,588,184 | ---- | M] (PC Tools) -- F:\Program Files\PC Tools Security\pctsGui.exe
PRC - [2010/09/17 04:13:43 | 000,910,296 | ---- | M] (Mozilla Corporation) -- F:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/09/17 04:13:43 | 000,014,808 | ---- | M] (Mozilla Corporation) -- F:\Program Files\Mozilla Firefox\plugin-container.exe
PRC - [2010/09/16 22:04:06 | 001,164,584 | ---- | M] () -- F:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2010/08/30 08:03:22 | 001,145,816 | ---- | M] (PC Tools) -- F:\Program Files\PC Tools Security\pctsSvc.exe
PRC - [2010/07/01 21:34:46 | 000,129,720 | ---- | M] (Kaspersky Lab ZAO) -- F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtblfs.exe
PRC - [2010/03/15 13:02:36 | 000,366,840 | ---- | M] (PC Tools) -- F:\Program Files\PC Tools Security\pctsAuxs.exe
PRC - [2009/10/31 07:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- F:\Windows\explorer.exe
PRC - [2009/10/30 13:57:08 | 000,369,200 | ---- | M] (DT Soft Ltd) -- F:\Program Files\DAEMON Tools Lite\DTLite.exe
PRC - [2009/08/19 11:19:32 | 007,418,368 | ---- | M] (OpenOffice.org) -- F:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2009/08/19 11:18:30 | 007,424,000 | ---- | M] (OpenOffice.org) -- F:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2009/07/14 03:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- F:\Windows\System32\taskhost.exe
PRC - [2009/04/14 08:43:42 | 000,604,704 | ---- | M] (Realtek Semiconductor Corp.) -- F:\Windows\SOUNDMAN.EXE
PRC - [2008/10/07 05:37:18 | 011,003,904 | R--- | M] () -- F:\Program Files\DriveBooster\DriveBoosterSetup.exe
PRC - [2008/09/09 11:20:38 | 000,069,632 | R--- | M] () -- F:\Program Files\DriveBooster\XSrvSetup.exe
PRC - [2008/08/29 21:00:00 | 000,065,536 | ---- | M] (CodeGear) -- F:\Program Files\CodeGear\RAD Studio\6.0\bin\BSQLServer.exe
PRC - [2008/06/11 23:43:26 | 000,640,376 | ---- | M] (Adobe Systems Inc.) -- F:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe


========== Modules (SafeList) ==========

MOD - [2010/10/16 04:04:58 | 000,574,464 | ---- | M] (OldTimer Tools) -- F:\Users\Kristen\Downloads\OTL.exe
MOD - [2010/08/21 07:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- F:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll
MOD - [2010/08/04 12:19:26 | 000,150,576 | ---- | M] (PC Tools) -- F:\Program Files\PC Tools Security\PCTGMhk.dll
MOD - [2010/07/01 21:35:18 | 000,109,240 | ---- | M] (Kaspersky Lab ZAO) -- F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\mzvkbd3.dll
MOD - [2009/07/14 03:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- F:\Windows\System32\sspicli.dll
MOD - [2009/07/14 03:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- F:\Windows\System32\sechost.dll
MOD - [2009/07/14 03:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- F:\Windows\System32\samcli.dll
MOD - [2009/07/14 03:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- F:\Windows\System32\profapi.dll
MOD - [2009/07/14 03:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- F:\Windows\System32\netutils.dll
MOD - [2009/07/14 03:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- F:\Windows\System32\KernelBase.dll
MOD - [2009/07/14 03:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- F:\Windows\System32\dwmapi.dll
MOD - [2009/07/14 03:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- F:\Windows\System32\devobj.dll
MOD - [2009/07/14 03:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- F:\Windows\System32\cryptbase.dll
MOD - [2009/07/14 03:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- F:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/14 03:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- F:\Windows\System32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/10/15 12:16:11 | 000,352,976 | ---- | M] (Kaspersky Lab ZAO) [Auto | Running] -- F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe -- (AVP)
SRV - [2010/08/30 08:03:22 | 001,145,816 | ---- | M] (PC Tools) [Auto | Running] -- F:\Program Files\PC Tools Security\pctsSvc.exe -- (sdCoreService)
SRV - [2010/03/29 03:00:45 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- F:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- F:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/15 13:02:36 | 000,366,840 | ---- | M] (PC Tools) [Auto | Running] -- F:\Program Files\PC Tools Security\pctsAuxs.exe -- (sdAuxService)
SRV - [2009/12/24 11:51:48 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- F:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/07/16 18:04:16 | 000,316,664 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- F:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009/07/14 03:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- F:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/14 03:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- F:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/14 03:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- F:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/14 03:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- F:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/14 03:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- F:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/14 03:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- F:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- F:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 03:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- F:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/14 03:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- F:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/14 03:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- F:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/14 03:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- F:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/14 03:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- F:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/14 03:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- F:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/14 03:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- F:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/14 03:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- F:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/14 03:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- F:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/14 03:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- F:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/14 03:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- F:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/14 03:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- F:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/14 03:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- F:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/14 03:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- F:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2008/09/09 11:20:38 | 000,069,632 | R--- | M] () [Auto | Running] -- F:\Program Files\DriveBooster\XSrvSetup.exe -- (DriveBooster)
SRV - [2008/08/29 21:00:00 | 000,065,536 | ---- | M] (CodeGear) [Auto | Running] -- F:\Program Files\CodeGear\RAD Studio\6.0\bin\BSQLServer.exe -- (BlackfishSQL)
SRV - [2008/08/25 13:01:34 | 002,871,296 | ---- | M] (Embarcadero Technologies, Inc.) [On_Demand | Stopped] -- F:\CodeGear\InterBase\bin\ibserver.exe -- (IBS_gds_db)
SRV - [2008/08/25 13:01:32 | 000,036,864 | ---- | M] (Embarcadero Technologies, Inc.) [Auto | Stopped] -- F:\CodeGear\InterBase\bin\ibguard.exe -- (IBG_gds_db)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- F:\Windows\System32\drivers\zgtiduwj.sys -- (zgtiduwj)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\wd.sys -- (Wd)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\wacompen.sys -- (WacomPen)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\vmbus.sys -- (vmbus)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\viac7.sys -- (ViaC7)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\viaagp.sys -- (viaagp)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\vgapnp.sys -- (vga)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\usbuhci.sys -- (usbuhci)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\usbcir.sys -- (usbcir) eHome Infrared Receiver (USBCIR)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\umpass.sys -- (UmPass)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\uliagpkx.sys -- (uliagpkx)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\uagp35.sys -- (uagp35)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\storvsc.sys -- (storvsc)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\stexstor.sys -- (stexstor)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\sisagp.sys -- (sisagp)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\sffp_sd.sys -- (sffp_sd)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\sffp_mmc.sys -- (sffp_mmc)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\sffdisk.sys -- (sffdisk)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\sbp2port.sys -- (sbp2port)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Program Files\MSI\OverclockingCenter\RushTop.sys -- (RushTopDevice2)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Program Files\MSI\OverclockingCenter\RushJ.sys -- (RushTopDevice_J)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\ql2300.sys -- (ql2300)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\processr.sys -- (Processor)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\pcmcia.sys -- (pcmcia)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\ohci1394.sys -- (ohci1394) 1394 OHCI Compliant Host Controller (Legacy)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\nvstor.sys -- (nvstor)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\nvraid.sys -- (nvraid)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\nvm62x32.sys -- (NVENETFD)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\netr28u.sys -- (netr28u)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - File not found [Kernel | On_Demand | Stopped] -- E:\CDriver.sys -- (MSICDSetup)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\msdsm.sys -- (msdsm)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\mpio.sys -- (mpio)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\megasas.sys -- (megasas)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\msiscsi.sys -- (iScsiPrt)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\IPMIDrv.sys -- (IPMIDRV)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\iirsp.sys -- (iirsp)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\hidir.sys -- (HidIr)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\hidbth.sys -- (HidBth)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\gagp30kx.sys -- (gagp30kx)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Program Files\MSI\Live Update 4\LU4\FLASHSYS.sys -- (FLASHSYS)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\errdev.sys -- (ErrDev)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\elxstor.sys -- (elxstor)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Program Files\MSI\OverclockingCenter\NTGLM7X.sys -- (DualCoreCenter)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\circlass.sys -- (circlass)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\bthmodem.sys -- (BTHMODEM)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\b57nd60x.sys -- (b57nd60x)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\atikmdag.sys -- (atikmdag)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\arcsas.sys -- (arcsas)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\arc.sys -- (arc)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\amdsata.sys -- (amdsata)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\amdagp.sys -- (amdagp)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\drivers\RTKVAC.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\adpu320.sys -- (adpu320)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\adpahci.sys -- (adpahci)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - File not found [Kernel | On_Demand | Stopped] -- F:\Windows\System32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2010/10/15 12:16:11 | 000,488,024 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- F:\Windows\System32\drivers\klif.sys -- (KLIF)
DRV - [2010/08/18 13:51:26 | 000,237,632 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- F:\Windows\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2010/07/16 14:59:54 | 000,656,320 | ---- | M] (PC Tools) [File_System | Boot | Running] -- F:\Windows\system32\drivers\pctEFA.sys -- (pctEFA)
DRV - [2010/07/16 14:59:54 | 000,338,880 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- F:\Windows\system32\drivers\pctDS.sys -- (pctDS)
DRV - [2010/06/09 17:43:52 | 000,011,352 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System | Running] -- F:\Windows\System32\drivers\kl2.sys -- (kl2)
DRV - [2010/06/09 17:43:50 | 000,132,184 | ---- | M] (Kaspersky Lab ZAO) [Kernel | Boot | Running] -- F:\Windows\system32\DRIVERS\kl1.sys -- (KL1)
DRV - [2010/04/22 19:07:34 | 000,022,104 | ---- | M] (Kaspersky Lab ZAO) [Kernel | System | Running] -- F:\Windows\System32\drivers\klim6.sys -- (KLIM6)
DRV - [2009/12/11 09:44:02 | 000,133,720 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- F:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/11/02 20:27:16 | 000,019,984 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- F:\Windows\System32\drivers\klmouflt.sys -- (klmouflt)
DRV - [2009/10/31 02:08:47 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- F:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009/10/07 09:49:40 | 006,756,632 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- F:\Windows\System32\drivers\lvuvc.sys -- (LVUVC) Logitech Webcam 905(UVC)
DRV - [2009/07/14 03:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- F:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/14 03:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- F:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/14 03:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- F:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/14 03:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- F:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/14 03:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- F:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/14 03:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- F:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009/07/14 03:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- F:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/14 03:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- F:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/14 03:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- F:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/14 03:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- F:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/14 03:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- F:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/14 03:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- F:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/14 02:18:07 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- F:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
DRV - [2009/07/14 02:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- F:\Windows\System32\drivers\rdpbus.sys -- (rdpbus)
DRV - [2009/07/14 02:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- F:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/14 01:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- F:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/14 01:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- F:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/14 01:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- F:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/14 01:52:04 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- F:\Windows\System32\drivers\vwififlt.sys -- (vwififlt)
DRV - [2009/07/14 01:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- F:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/14 01:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- F:\Windows\System32\drivers\1394ohci.sys -- (1394ohci)
DRV - [2009/07/14 01:51:23 | 000,080,640 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- F:\Windows\System32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2009/07/14 01:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- F:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/07/14 01:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- F:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/14 01:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- F:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/14 01:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- F:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/14 01:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- F:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/14 01:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- F:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/14 01:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- F:\Windows\System32\drivers\amdppm.sys -- (AmdPPM)
DRV - [2009/07/14 00:02:52 | 000,139,776 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- F:\Windows\System32\drivers\Rt86win7.sys -- (RTL8167)
DRV - [2009/03/08 10:37:00 | 007,745,696 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- F:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2009/02/11 05:55:48 | 000,014,352 | ---- | M] (ATI Technologies Inc.) [Kernel | Boot | Running] -- F:\Windows\system32\DRIVERS\AtiPcie.sys -- (AtiPcie) ATI PCI Express (3GIO)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = no
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 9B DB FC F9 BD 59 CA 01 [binary data]
IE - HKCU\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5643

========== FireFox ==========

FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.easy-data.no/"
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:11.0.1.400

FF - HKLM\software\mozilla\Firefox\Extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}: F:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DMExtension\ [2010/04/26 13:48:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: F:\Program Files\Mozilla Firefox\components [2010/09/26 21:41:30 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: F:\Program Files\Mozilla Firefox\plugins [2010/10/07 23:59:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\THBExt [2010/10/15 12:00:20 | 000,000,000 | ---D | M]

[2009/12/14 02:22:15 | 000,000,000 | ---D | M] -- F:\Users\Kristen\AppData\Roaming\Mozilla\Extensions
[2010/09/15 08:49:23 | 000,000,000 | ---D | M] -- F:\Users\Kristen\AppData\Roaming\Mozilla\Firefox\Profiles\8ikycfp2.default\extensions
[2010/09/06 00:52:37 | 000,000,000 | ---D | M] -- F:\Users\Kristen\AppData\Roaming\Mozilla\Firefox\Profiles\8ikycfp2.default\extensions\radiobar@toolbar
[2010/10/15 23:46:09 | 000,000,000 | ---D | M] -- F:\Program Files\Mozilla Firefox\extensions
[2010/08/03 12:03:30 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- F:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/10/07 23:59:47 | 000,000,000 | ---D | M] (Java Console) -- F:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/10/15 12:01:21 | 000,000,000 | ---D | M] -- F:\Program Files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru
[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- F:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/07/23 01:15:46 | 000,001,525 | ---- | M] () -- F:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2010/07/23 01:15:46 | 000,000,955 | ---- | M] () -- F:\Program Files\Mozilla Firefox\searchplugins\bok-NO.xml
[2010/07/23 01:15:46 | 000,000,968 | ---- | M] () -- F:\Program Files\Mozilla Firefox\searchplugins\qxl-NO.xml
[2010/07/23 01:15:46 | 000,001,203 | ---- | M] () -- F:\Program Files\Mozilla Firefox\searchplugins\telefonkatalogen-NO.xml
[2010/07/23 01:15:46 | 000,001,176 | ---- | M] () -- F:\Program Files\Mozilla Firefox\searchplugins\wikipedia-NO.xml
[2010/07/23 01:15:47 | 000,001,192 | ---- | M] () -- F:\Program Files\Mozilla Firefox\searchplugins\yahoo-NO.xml

O1 HOSTS File: ([2010/04/19 11:30:29 | 000,000,824 | ---- | M]) - F:\Windows\System32\drivers\etc\hosts
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\ievkbd.dll (Kaspersky Lab ZAO)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (FilterBHO Class) - {E33CF602-D945-461A-83F0-819F76A199F8} - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll (Kaspersky Lab ZAO)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] F:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] F:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] F:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVP] F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe (Kaspersky Lab ZAO)
O4 - HKLM..\Run: [DelReg] F:\Program Files\MSI\OverclockingCenter\DelReg.exe ()
O4 - HKLM..\Run: [DivXUpdate] F:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [ISTray] F:\Program Files\PC Tools Security\pctsGui.exe (PC Tools)
O4 - HKLM..\Run: [Microsoft Default Manager] F:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] F:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] F:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [QuickTime Task] F:\Program Files\QT Lite\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SoundMan] F:\Windows\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [UnlockerAssistant] F:\Program Files\Unlocker\UnlockerAssistant.exe ()
O4 - HKCU..\Run: [AdobeBridge] File not found
O4 - HKCU..\Run: [DAEMON Tools Lite] F:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [uTorrent] F:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O4 - Startup: F:\Users\Kristen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Produktregistrering.lnk = F:\Program Files\Logitech\Logitech WebCam Software\eReg.exe File not found
O4 - Startup: F:\Users\Kristen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk = F:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: 47ai2 = F:\Users\Kristen\AppData\Local\Temp\5chy0.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Append Link Target to Existing PDF - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Download with ImTOO Download YouTube Video - F:\Program Files\ImTOO\Download YouTube Video\upod_link.HTM ()
O9 - Extra Button: SilentNight - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\SilentNight\\SilentNight.exe ()
O9 - Extra 'Tools' menuitem : SilentNight - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\SilentNight\\SilentNight.exe ()
O9 - Extra Button: @F:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - F:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @F:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - F:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll (Kaspersky Lab ZAO)
O9 - Extra Button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\klwtbbho.dll (Kaspersky Lab ZAO)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - F:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - F:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - F:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - F:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - F:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - F:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000035 - F:\Program Files\Common Files\PC Tools\Lsp\PCTLsp.dll (PC Tools Research Pty Ltd.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 130.67.15.198 193.213.112.4
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Key error. File not found
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - F:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (avgrsstx.dll) - File not found
O20 - AppInit_DLLs: (F:\PROGRA~3\KASPER~1\KASPER~1\mzvkbd3.dll) - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\mzvkbd3.dll (Kaspersky Lab ZAO)
O20 - HKLM Winlogon: Shell - (explorer.exe) - F:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - F:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\klogon: DllName - F:\Windows\system32\klogon.dll - F:\Windows\System32\klogon.dll (Kaspersky Lab ZAO)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30 - LSA: Security Packages - (pku2u) - F:\Windows\System32\pku2u.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (livessp) - F:\Windows\System32\livessp.dll (Microsoft Corp.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/06/30 15:03:49 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/06/10 23:42:20 | 000,000,024 | ---- | M] () - F:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2008/07/08 00:49:31 | 000,000,000 | ---D | M] - G:\Autostart_Menu -- [ NTFS ]
O33 - MountPoints2\{1f07390d-cd86-11de-9f6f-002421b7d169}\Shell - "" = AutoRun
O33 - MountPoints2\{1f07390d-cd86-11de-9f6f-002421b7d169}\Shell\AutoRun\command - "" = J:\Launcher.exe -- File not found
O33 - MountPoints2\{89eef2fd-30c5-11df-8fb8-002421b7d169}\Shell - "" = AutoRun
O33 - MountPoints2\{89eef2fd-30c5-11df-8fb8-002421b7d169}\Shell\AutoRun\command - "" = J:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/10/16 02:25:00 | 000,656,320 | ---- | C] (PC Tools) -- F:\Windows\System32\drivers\pctEFA.sys
[2010/10/16 02:25:00 | 000,338,880 | ---- | C] (PC Tools) -- F:\Windows\System32\drivers\pctDS.sys
[2010/10/16 02:24:57 | 000,247,824 | ---- | C] (PC Tools) -- F:\Windows\System32\drivers\pctgntdi.sys
[2010/10/16 02:24:57 | 000,102,184 | ---- | C] (PC Tools) -- F:\Windows\System32\drivers\pctwfpfilter.sys
[2010/10/16 02:24:52 | 000,237,632 | ---- | C] (PC Tools) -- F:\Windows\System32\drivers\PCTCore.sys
[2010/10/16 02:24:52 | 000,159,296 | ---- | C] (PC Tools) -- F:\Windows\System32\drivers\PCTAppEvent.sys
[2010/10/16 02:24:40 | 000,087,400 | ---- | C] (PC Tools) -- F:\Windows\System32\drivers\pctNdis-PacketFilter.sys
[2010/10/16 02:24:40 | 000,031,960 | ---- | C] (PC Tools) -- F:\Windows\System32\drivers\pctNdis-DNS.sys
[2010/10/16 02:24:39 | 000,123,968 | ---- | C] (PC Tools) -- F:\Windows\System32\drivers\pctplfw.sys
[2010/10/16 02:24:39 | 000,070,536 | ---- | C] (PC Tools) -- F:\Windows\System32\drivers\pctplsg.sys
[2010/10/16 02:24:23 | 000,000,000 | ---D | C] -- F:\Program Files\PC Tools Security
[2010/10/16 02:24:23 | 000,000,000 | ---D | C] -- F:\Users\Kristen\AppData\Roaming\PC Tools
[2010/10/16 02:24:23 | 000,000,000 | ---D | C] -- F:\Program Files\Common Files\PC Tools
[2010/10/16 02:22:24 | 000,000,000 | ---D | C] -- F:\ProgramData\PC Tools
[2010/10/16 02:10:08 | 000,000,000 | ---D | C] -- F:\ComboFix
[2010/10/16 02:06:34 | 000,000,000 | ---D | C] -- F:\Qoobox
[2010/10/16 02:06:07 | 000,000,000 | ---D | C] -- F:\32788R22FWJFW
[2010/10/16 01:05:22 | 000,000,000 | ---D | C] -- F:\Program Files\Unlocker
[2010/10/15 20:09:32 | 000,000,000 | ---D | C] -- F:\Users\Kristen\AppData\Roaming\Malwarebytes
[2010/10/15 20:09:26 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- F:\Windows\System32\drivers\mbamswissarmy.sys
[2010/10/15 20:09:25 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- F:\Windows\System32\drivers\mbam.sys
[2010/10/15 20:09:25 | 000,000,000 | ---D | C] -- F:\Program Files\Malwarebytes' Anti-Malware
[2010/10/15 20:09:25 | 000,000,000 | ---D | C] -- F:\ProgramData\Malwarebytes
[2010/10/15 11:59:47 | 000,000,000 | ---D | C] -- F:\ProgramData\Kaspersky Lab
[2010/10/15 11:59:47 | 000,000,000 | ---D | C] -- F:\Program Files\Kaspersky Lab
[2010/10/15 11:59:34 | 000,488,024 | ---- | C] (Kaspersky Lab) -- F:\Windows\System32\drivers\klif.sys
[2010/10/15 11:55:36 | 000,000,000 | -H-D | C] -- F:\kleaner.tmp
[2010/10/15 11:51:52 | 000,000,000 | ---D | C] -- F:\ProgramData\Kaspersky Lab Setup Files
[2010/10/14 12:55:24 | 000,000,000 | ---D | C] -- F:\Program Files\Matroska Pack
[2010/10/14 00:13:44 | 000,000,000 | ---D | C] -- F:\ProgramData\DivX
[2010/10/13 13:01:25 | 000,000,000 | ---D | C] -- F:\FileFind
[2010/10/13 06:18:15 | 000,599,040 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\msfeeds.dll
[2010/10/13 06:18:14 | 000,606,208 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\mstime.dll
[2010/10/13 06:18:14 | 000,381,440 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\iedkcs32.dll
[2010/10/13 06:18:14 | 000,185,856 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\iepeers.dll
[2010/10/13 06:18:14 | 000,176,640 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\ieui.dll
[2010/10/13 06:18:14 | 000,064,512 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\msfeedsbs.dll
[2010/10/13 06:18:14 | 000,048,128 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\jsproxy.dll
[2010/10/13 06:18:14 | 000,044,544 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\licmgr10.dll
[2010/10/13 06:18:14 | 000,012,800 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\msfeedssync.exe
[2010/10/13 06:18:13 | 001,638,912 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\mshtml.tlb
[2010/10/13 06:18:13 | 000,386,048 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\html.iec
[2010/10/13 06:18:11 | 000,109,056 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\t2embed.dll
[2010/10/13 06:18:09 | 000,954,752 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\mfc40.dll
[2010/10/13 06:18:08 | 000,954,288 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\mfc40u.dll
[2010/10/13 06:18:04 | 012,625,408 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\wmploc.DLL
[2010/10/13 06:18:03 | 002,327,552 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\win32k.sys
[2010/10/13 06:18:00 | 000,738,816 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\wmpmde.dll
[2010/10/13 06:17:59 | 000,363,520 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\StructuredQuery.dll
[2010/10/13 02:31:32 | 000,232,448 | ---- | C] (Fraunhofer Institut Integrierte Schaltungen IIS) -- F:\Windows\System32\mp3fhg.acm
[2010/10/13 02:31:32 | 000,217,088 | ---- | C] ([You must be registered and logged in to see this link.]) -- F:\Windows\System32\yv12vfw.dll
[2010/10/13 02:31:32 | 000,151,552 | ---- | C] (fccHandler) -- F:\Windows\System32\ac3acm.acm
[2010/10/13 02:31:30 | 000,000,000 | ---D | C] -- F:\Program Files\K-Lite Codec Pack
[2010/10/08 00:00:00 | 000,000,000 | ---D | C] -- F:\ProgramData\Sun
[2010/10/07 23:59:44 | 000,423,656 | ---- | C] (Sun Microsystems, Inc.) -- F:\Windows\System32\deployJava1.dll
[2010/10/07 23:59:44 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- F:\Windows\System32\javaws.exe
[2010/10/07 23:59:44 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- F:\Windows\System32\javaw.exe
[2010/10/07 23:59:44 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- F:\Windows\System32\java.exe
[2010/10/07 13:47:46 | 000,000,000 | ---D | C] -- F:\Users\Kristen\Documents\SightSpeed Recordings
[2010/09/30 05:07:09 | 000,000,000 | ---D | C] -- F:\Users\Kristen\AppData\Roaming\vlc
[2010/09/30 05:06:33 | 000,000,000 | ---D | C] -- F:\Users\Kristen\AppData\Local\Graboid_Inc
[2010/09/30 05:06:32 | 000,000,000 | ---D | C] -- F:\Users\Kristen\AppData\Local\Graboid
[2010/09/30 05:06:27 | 000,000,000 | ---D | C] -- F:\Users\Kristen\AppData\Roaming\MozillaControl
[2010/09/30 05:06:19 | 000,000,000 | ---D | C] -- F:\Program Files\Mozilla ActiveX Control v1.7.12
[2010/09/30 05:05:33 | 000,000,000 | ---D | C] -- F:\Program Files\Graboid
[2010/09/29 03:01:41 | 000,190,976 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\drivers\ks.sys
[2010/09/28 22:25:53 | 000,002,048 | ---- | C] (Microsoft Corporation) -- F:\Windows\System32\tzres.dll
[6 F:\Windows\System32\*.tmp files -> F:\Windows\System32\*.tmp -> ]
[1 F:\*.tmp files -> F:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/10/16 04:08:14 | 000,565,248 | ---- | M] () -- F:\Windows\System32\drivers\bclyz.sys (Here it is)*
[2010/10/16 03:34:43 | 000,000,258 | -HS- | M] () -- F:\Windows\KLIF.spi
[2010/10/16 02:25:39 | 001,006,916 | ---- | M] () -- F:\Windows\System32\drivers\Cat.DB
[2010/10/16 02:24:47 | 000,002,025 | ---- | M] () -- F:\Users\Public\Desktop\Spyware Doctor.lnk
[2010/10/16 02:22:03 | 000,507,360 | ---- | M] () -- F:\Users\Kristen\Desktop\sdsetup.exe
[2010/10/16 02:18:55 | 003,878,824 | ---- | M] () -- F:\Users\Kristen\Desktop\123.exe (Renamed combofix)
[2010/10/16 02:15:49 | 003,878,824 | ---- | M] () -- F:\Users\Kristen\Desktop\ComboFix(2).exe
[2010/10/16 02:10:08 | 000,000,321 | ---- | M] () -- F:\Start_.cmd
[2010/10/16 01:15:25 | 000,018,224 | -H-- | M] () -- F:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/10/16 01:15:25 | 000,018,224 | -H-- | M] () -- F:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/10/16 01:08:03 | 000,067,584 | --S- | M] () -- F:\Windows\bootstat.dat
[2010/10/16 01:08:00 | 2616,598,528 | -HS- | M] () -- F:\hiberfil.sys
[2010/10/16 00:24:30 | 000,000,836 | ---- | M] () -- F:\Users\Kristen\Desktop\bclyz.reg
[2010/10/15 23:01:00 | 247,766,892 | ---- | M] () -- F:\Windows\MEMORY.DMP
[2010/10/15 22:31:08 | 000,065,536 | ---- | M] () -- F:\Users\Kristen\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/15 20:09:28 | 000,000,988 | ---- | M] () -- F:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/15 12:16:11 | 000,488,024 | ---- | M] (Kaspersky Lab) -- F:\Windows\System32\drivers\klif.sys
[2010/10/15 12:16:03 | 000,113,933 | ---- | M] () -- F:\Windows\System32\drivers\klin.dat
[2010/10/15 12:16:02 | 000,097,549 | ---- | M] () -- F:\Windows\System32\drivers\klick.dat
[2010/10/15 12:15:40 | 000,002,429 | ---- | M] () -- F:\Users\Public\Desktop\iTunes.lnk
[2010/10/15 12:05:36 | 001,138,582 | ---- | M] () -- F:\Windows\System32\perfh009.dat
[2010/10/15 12:05:36 | 000,605,154 | ---- | M] () -- F:\Windows\System32\perfc009.dat
[2010/10/13 17:48:39 | 000,000,946 | ---- | M] () -- F:\Users\Kristen\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2010/10/13 17:48:39 | 000,000,922 | ---- | M] () -- F:\Users\Public\Desktop\µTorrent.lnk
[2010/10/13 17:36:09 | 002,227,728 | ---- | M] () -- F:\Windows\System32\FNTCACHE.DAT
[2010/10/13 17:22:38 | 000,001,009 | ---- | M] () -- F:\Windows\System32\MRT.INI
[2010/10/07 02:00:58 | 000,000,000 | ---- | M] () -- F:\Windows\System32\drivers\lvuvc.hs
[2010/09/30 05:06:03 | 000,001,033 | ---- | M] () -- F:\Users\Public\Desktop\VLC media player.lnk
[2010/09/29 13:04:10 | 000,000,038 | ---- | M] () -- F:\Windows\osAviSplitter.INI
[6 F:\Windows\System32\*.tmp files -> F:\Windows\System32\*.tmp -> ]
[1 F:\*.tmp files -> F:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/10/16 02:25:32 | 001,006,916 | ---- | C] () -- F:\Windows\System32\drivers\Cat.DB
[2010/10/16 02:24:47 | 000,002,025 | ---- | C] () -- F:\Users\Public\Desktop\Spyware Doctor.lnk
[2010/10/16 02:22:24 | 000,507,360 | ---- | C] () -- F:\Users\Kristen\Desktop\sdsetup.exe
[2010/10/16 02:18:44 | 003,878,824 | ---- | C] () -- F:\Users\Kristen\Desktop\123.exe (Renamed Combofix)
[2010/10/16 02:16:13 | 003,878,824 | ---- | C] () -- F:\Users\Kristen\Desktop\ComboFix(2).exe
[2010/10/16 02:10:08 | 000,000,321 | ---- | C] () -- F:\Start_.cmd
[2010/10/16 01:16:24 | 000,000,258 | -HS- | C] () -- F:\Windows\KLIF.spi
[2010/10/16 00:24:30 | 000,000,836 | ---- | C] () -- F:\Users\Kristen\Desktop\bclyz.reg
[2010/10/15 23:01:00 | 247,766,892 | ---- | C] () -- F:\Windows\MEMORY.DMP
[2010/10/15 20:09:28 | 000,000,988 | ---- | C] () -- F:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/10/15 12:01:10 | 000,113,933 | ---- | C] () -- F:\Windows\System32\drivers\klin.dat
[2010/10/15 12:01:10 | 000,097,549 | ---- | C] () -- F:\Windows\System32\drivers\klick.dat
[2010/10/13 02:31:35 | 000,165,376 | ---- | C] () -- F:\Windows\System32\unrar.dll
[2010/10/13 02:31:33 | 000,000,038 | ---- | C] () -- F:\Windows\avisplitter.ini
[2010/10/13 02:31:32 | 000,790,528 | ---- | C] () -- F:\Windows\System32\xvidcore.dll
[2010/10/13 02:31:32 | 000,134,144 | ---- | C] () -- F:\Windows\System32\xvidvfw.dll
[2010/10/13 02:31:32 | 000,108,032 | ---- | C] () -- F:\Windows\System32\ff_vfw.dll
[2010/10/08 16:37:31 | 000,065,536 | ---- | C] () -- F:\Users\Kristen\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/30 05:06:03 | 000,001,033 | ---- | C] () -- F:\Users\Public\Desktop\VLC media player.lnk
[2010/08/18 03:02:59 | 000,001,009 | ---- | C] () -- F:\Windows\System32\MRT.INI
[2010/04/19 11:29:33 | 000,565,248 | ---- | C] () -- F:\Windows\System32\drivers\bclyz.sys
[2010/04/05 17:36:12 | 000,000,059 | ---- | C] () -- F:\Windows\silentnight_ie_watcher.ini
[2010/04/03 07:34:02 | 000,000,016 | ---- | C] () -- F:\Users\Kristen\AppData\Roaming\qcopjv.dat
[2010/01/26 15:23:46 | 000,169,472 | ---- | C] () -- F:\Windows\System32\MustangpeakComponentInstaller.dll
[2010/01/25 02:56:03 | 000,000,038 | ---- | C] () -- F:\Windows\osAviSplitter.INI
[2009/12/02 03:45:38 | 000,000,156 | ---- | C] () -- F:\Windows\Kpcms.ini
[2009/12/02 03:45:26 | 000,210,944 | ---- | C] () -- F:\Windows\System32\Msvcrt10.dll
[2009/11/07 05:46:17 | 000,884,736 | ---- | C] () -- F:\Windows\System32\vorbisenc.dll
[2009/11/07 05:46:17 | 000,393,216 | ---- | C] () -- F:\Windows\System32\tagdll.dll
[2009/11/07 05:46:17 | 000,237,568 | ---- | C] () -- F:\Windows\System32\oggds.dll
[2009/11/07 05:46:17 | 000,147,456 | ---- | C] () -- F:\Windows\System32\vorbits.dll
[2009/11/07 05:46:17 | 000,045,056 | ---- | C] () -- F:\Windows\System32\ogg.dll
[2009/10/31 02:08:47 | 000,691,696 | ---- | C] () -- F:\Windows\System32\drivers\sptd.sys
[2009/10/07 09:24:22 | 000,082,289 | ---- | C] () -- F:\Windows\System32\lvcoinst.ini
[2009/10/01 16:26:30 | 000,000,387 | ---- | C] () -- F:\ProgramData\hpzinstall.log
[2009/09/06 14:32:22 | 000,000,058 | ---- | C] () -- F:\Windows\IEwatcher.ini
[2009/07/14 01:51:43 | 000,073,728 | ---- | C] () -- F:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 01:42:10 | 000,064,000 | ---- | C] () -- F:\Windows\System32\BWContextHandler.dll
[2009/04/14 08:43:32 | 000,154,144 | ---- | C] () -- F:\Windows\System32\RTLCPAPI.dll
[2009/02/11 05:55:16 | 000,011,264 | ---- | C] () -- F:\Windows\System32\atimuixx.dll
[2009/02/11 05:55:08 | 000,159,744 | ---- | C] () -- F:\Windows\System32\atitmmxx.dll
[2008/10/07 10:13:30 | 000,197,912 | ---- | C] () -- F:\Windows\System32\physxcudart_20.dll
[2008/10/07 10:13:22 | 000,058,648 | ---- | C] () -- F:\Windows\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- F:\Windows\System32\AgCPanelSwedish.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- F:\Windows\System32\AgCPanelSpanish.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- F:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- F:\Windows\System32\AgCPanelPortugese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- F:\Windows\System32\AgCPanelKorean.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- F:\Windows\System32\AgCPanelJapanese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- F:\Windows\System32\AgCPanelGerman.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- F:\Windows\System32\AgCPanelFrench.dll
[2008/02/01 09:18:14 | 000,009,216 | ---- | C] () -- F:\Windows\System32\drivers\FlashSys.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 161 bytes -> F:\ProgramData\Temp:DFC5A2B2
@Alternate Data Stream - 141 bytes -> F:\ProgramData\Temp:C265C458

< End of report >

clawckc
Newbie Surfer
Posts : 11
Joined : 2010-10-16
Operating System : windows 7

Re: Rootkit.Win32.Bubnix.bba

Post by clawckc on Sat 16 Oct 2010, 10:51 am

OK, here are the log files. The problem is that I really don't know when I got the rootkit. I first noticed that my internet modem was handling a lot of outgoing traffic a couple of days ago, and mistook it for torrents seeding.
How long this has been going on I can't say. I tried to find some logs on that matter but can't find any.

clawckc
Newbie Surfer
Posts : 11
Joined : 2010-10-16
Operating System : windows 7

Re: Rootkit.Win32.Bubnix.bba

Post by Belahzur on Sun 17 Oct 2010, 10:55 am

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double-click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


@RealBelahzur - Please PM me if I fail to respond within 24hrs.

Belahzur
Manager | Tech Officer
Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Combofix log

Post by clawckc on Mon 18 Oct 2010, 11:21 pm

ComboFix 10-10-16.03 - Kristen 18.10.2010 13:03:35.1.4 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.47.1033.18.3327.2566 [GMT 2:00]
Kjører fra: f:\users\Kristen\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\resycled
d:\resycled\boot.com
f:\programdata\Microsoft\Network\Downloader\qmgr0.dat
f:\programdata\Microsoft\Network\Downloader\qmgr1.dat
F:\Thumbs.db
f:\users\Kristen\AppData\Roaming\Microsoft\Windows\Cookies\Index_8CF39803.dat
f:\users\Kristen\AppData\Roaming\Microsoft\Windows\Cookies\IndexIE_8CF39803.dat
f:\windows\7Loader.TAG
f:\windows\system32\drivers\npf.sys
f:\windows\system32\Install.txt
f:\windows\system32\Packet.dll
f:\windows\system32\wpcap.dll
G:\resycled
g:\resycled\boot.com
I:\autorun.inf

----- BITS: Mulige infiserte sider -----

[You must be registered and logged in to see this link.]
.
((((((((((((((((((((((((((( Filer Opprettet Fra 2010-09-18 til 2010-10-18 )))))))))))))))))))))))))))))))))
.

2010-10-18 10:56 . 2010-10-18 10:57 -------- d-----w- F:\32788R22FWJFW
2010-10-16 00:22 . 2010-10-16 17:12 -------- d-----w- f:\programdata\PC Tools
2010-10-15 23:05 . 2010-10-15 23:05 -------- d-----w- f:\program files\Unlocker
2010-10-15 18:09 . 2010-10-15 18:09 -------- d-----w- f:\users\Kristen\AppData\Roaming\Malwarebytes
2010-10-15 18:09 . 2010-04-29 13:39 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2010-10-15 18:09 . 2010-10-15 18:09 -------- d-----w- f:\program files\Malwarebytes' Anti-Malware
2010-10-15 18:09 . 2010-10-15 18:09 -------- d-----w- f:\programdata\Malwarebytes
2010-10-15 18:09 . 2010-04-29 13:39 20952 ----a-w- f:\windows\system32\drivers\mbam.sys
2010-10-15 10:16 . 2010-10-15 10:16 -------- d-----w- f:\users\Default\AppData\Local\Apple Computer
2010-10-15 10:16 . 2010-10-15 10:16 -------- d-----w- f:\users\Default\AppData\Roaming\Apple Computer
2010-10-15 10:01 . 2010-07-01 19:35 150200 ----a-w- f:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
2010-10-15 10:01 . 2010-10-15 10:16 113933 ----a-w- f:\windows\system32\drivers\klin.dat
2010-10-15 10:01 . 2010-10-15 10:16 97549 ----a-w- f:\windows\system32\drivers\klick.dat
2010-10-15 09:59 . 2010-10-18 10:59 -------- d-----w- f:\programdata\Kaspersky Lab
2010-10-15 09:59 . 2010-10-15 09:59 -------- d-----w- f:\program files\Kaspersky Lab
2010-10-15 09:55 . 2010-10-15 09:55 -------- d-----w- F:\kleaner.tmp
2010-10-15 09:51 . 2010-10-15 09:51 -------- d-----w- f:\programdata\Kaspersky Lab Setup Files
2010-10-14 10:55 . 2010-10-14 10:55 -------- d-----w- f:\program files\Matroska Pack
2010-10-13 22:13 . 2010-10-13 22:15 -------- d-----w- f:\programdata\DivX
2010-10-13 11:01 . 2010-10-13 11:01 -------- d-----w- F:\FileFind
2010-10-13 04:17 . 2010-05-05 06:46 363520 ----a-w- f:\windows\system32\StructuredQuery.dll
2010-10-13 00:31 . 2010-03-15 09:31 165376 ----a-w- f:\windows\system32\unrar.dll
2010-10-13 00:31 . 2010-09-08 07:09 108032 ----a-w- f:\windows\system32\ff_vfw.dll
2010-10-13 00:31 . 2010-06-08 16:10 790528 ----a-w- f:\windows\system32\xvidcore.dll
2010-10-13 00:31 . 2010-06-08 16:10 134144 ----a-w- f:\windows\system32\xvidvfw.dll
2010-10-13 00:31 . 2010-01-17 15:18 151552 ----a-w- f:\windows\system32\ac3acm.acm
2010-10-13 00:31 . 2006-10-18 18:05 232448 ----a-w- f:\windows\system32\mp3fhg.acm
2010-10-13 00:31 . 2004-01-25 16:18 217088 ----a-w- f:\windows\system32\yv12vfw.dll
2010-10-13 00:31 . 2010-10-13 00:32 -------- d-----w- f:\program files\K-Lite Codec Pack
2010-10-07 21:59 . 2010-07-17 03:00 423656 ----a-w- f:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-07 21:59 . 2010-07-17 03:00 423656 ----a-w- f:\windows\system32\deployJava1.dll
2010-09-30 03:07 . 2010-10-13 22:18 -------- d-----w- f:\users\Kristen\AppData\Roaming\vlc
2010-09-30 03:06 . 2010-09-30 03:06 -------- d-----w- f:\users\Kristen\AppData\Local\Graboid
2010-09-30 03:06 . 2010-09-30 03:06 -------- d-----w- f:\users\Kristen\AppData\Roaming\MozillaControl
2010-09-30 03:06 . 2010-09-30 03:06 -------- d-----w- f:\program files\Mozilla ActiveX Control v1.7.12
2010-09-30 03:05 . 2010-09-30 03:11 -------- d-----w- f:\program files\Graboid
2010-09-29 01:01 . 2010-03-04 04:04 146304 ----a-w- f:\windows\system32\drivers\usbvideo.sys
2010-09-29 01:01 . 2010-03-04 03:57 190976 ----a-w- f:\windows\system32\drivers\ks.sys
2010-09-28 20:25 . 2010-06-19 06:15 2048 ----a-w- f:\windows\system32\tzres.dll
2010-09-28 20:25 . 2010-08-27 05:30 13312 ----a-w- f:\program files\Internet Explorer\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="f:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"Sidebar"="f:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"uTorrent"="f:\program files\uTorrent\uTorrent.exe" [2010-10-13 328568]
"msnmsgr"="f:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-08-10 4217720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2009-04-14 604704]
"DelReg"="f:\program files\MSI\OverclockingCenter\DelReg.exe" [2008-12-03 196608]
"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-03-08 13683232]
"NvMediaCenter"="f:\windows\system32\NvMcTray.dll" [2009-03-08 92704]
"SunJavaUpdateSched"="f:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AdobeCS4ServiceManager"="f:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="f:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="f:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="f:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="f:\program files\QT Lite\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="f:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"Microsoft Default Manager"="f:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"DivXUpdate"="f:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"AVP"="f:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [2010-10-15 352976]
"UnlockerAssistant"="f:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=f:\progra~3\KASPER~1\KASPER~1\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R0 ifpulgo;ifpulgo; [x]
R1 zgtiduwj;zgtiduwj;f:\windows\system32\drivers\zgtiduwj.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;f:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 DriveBooster;DriveBooster;f:\program files\DriveBooster\XSrvSetup.exe [2008-09-09 69632]
R2 IBG_gds_db;InterBase 2009 Guardian gds_db;f:\codegear\InterBase\bin\ibguard.exe [2008-08-25 36864]
R3 d85497026fe44633;d85497026fe44633;f:\windows\TEMP\57605124fc6c [x]
R3 DualCoreCenter;DualCoreCenter;f:\program files\MSI\OverclockingCenter\NTGLM7X.sys [x]
R3 FLASHSYS;FLASHSYS;f:\program files\MSI\Live Update 4\LU4\FLASHSYS.sys [x]
R3 IBS_gds_db;InterBase 2009 Server gds_db;f:\codegear\InterBase\bin\ibserver.exe [2008-08-25 2871296]
R3 MSICDSetup;MSICDSetup;E:\CDriver.sys [x]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;f:\windows\system32\DRIVERS\netr28u.sys [x]
R3 RushTopDevice_J;RushTopDevice_J;f:\program files\MSI\OverclockingCenter\RushJ.sys [x]
R3 RushTopDevice2;RushTopDevice2;f:\program files\MSI\OverclockingCenter\RushTop.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;f:\windows\system32\Wat\WatAdminSvc.exe [2010-03-29 1343400]
R4 sptd;sptd;f:\windows\system32\Drivers\sptd.sys [2009-10-31 691696]
S1 kl2;kl2;f:\windows\system32\DRIVERS\kl2.sys [2010-06-09 11352]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;f:\windows\system32\DRIVERS\klim6.sys [2010-04-22 22104]
S1 vwififlt;Virtual WiFi Filter Driver;f:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 BlackfishSQL;BlackfishSQL;f:\program files\CodeGear\RAD Studio\6.0\bin\BSQLServer.exe [2008-08-29 65536]
S3 klmouflt;Kaspersky Lab KLMOUFLT;f:\windows\system32\DRIVERS\klmouflt.sys [2009-11-02 19984]
S3 RTL8167;Realtek 8167 NT Driver;f:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
S3 WSDPrintDevice;WSD Print Support via UMB;f:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]


--- Andre tjenester/drivere lastet i minnet ---

*Deregistered* - bclyz

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
.
------- Tilleggsskanning -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5643
IE: Append Link Target to Existing PDF - f:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - f:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - f:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - f:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with ImTOO Download YouTube Video - f:\program files\ImTOO\Download YouTube Video\upod_link.HTM
FF - ProfilePath - f:\users\Kristen\AppData\Roaming\Mozilla\Firefox\Profiles\8ikycfp2.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: f:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
FF - plugin: f:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
f:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - TOMME PEKERE FJERNET - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-AdobeBridge - (no file)
AddRemove-TMS GUIMotions for RAD Studio 2009_is1 - f:\program files\tmssoftware\Guimotions RS2009\unins000.exe
AddRemove-TMS TAdvTrackBar for RAD Studio 2009_is1 - f:\program files\tmssoftware\AdvTrackBar RS2009\unins000.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - f:\program files\DivX\DivXCodecUninstall.exe



[HKEY_LOCAL_MACHINE\system\ControlSet003\services\d85497026fe44633]
"ImagePath"="\??\f:\windows\TEMP\57605124fc6c"

[HKEY_LOCAL_MACHINE\system\ControlSet003\services\bclyz]

.
--------------------- LÅSTE REGISTERNØKLER ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Tidspunkt ferdig: 2010-10-18 14:13:38
ComboFix-quarantined-files.txt 2010-10-18 12:13

Pre-Run: 44 210 597 888 bytes free
Post-Run: 45 602 275 328 bytes free

- - End Of File - - D3AE74ECEE572EA1317EC6D708C3BD7F

clawckc
Newbie Surfer
Posts : 11
Joined : 2010-10-16
Operating System : windows 7

Re: Rootkit.Win32.Bubnix.bba

Post by Belahzur on Tue 19 Oct 2010, 10:44 am

Hello.

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    Dirver::
    ifpulgo
    zgtiduwj
    d85497026fe44633

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5643

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


@RealBelahzur - Please PM me if I fail to respond within 24hrs.

Belahzur
Manager | Tech Officer
Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre
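A triage pass over the service lines and the proxy setting in the ComboFix log above, as an added example that is not code from this thread or from ComboFix: it picks out the same three unexplained entries Belahzur listed in the CFScript and the localhost proxy, while leaving the known vendor drivers alone. It assumes ComboFix's line layout and its [x] marker as they appear in the log; the sample lines are constructed from that log.

```python
"""Triage helper for the service/driver section of a ComboFix log.

Added example for this thread; it is neither ComboFix's own code nor a tool
posted by either participant. It parses the "R0/R1/R3/S1 name;display;image
[tail]" lines and the "uInternet Settings,ProxyServer" line in the format
ComboFix printed above, and lists the entries a responder would review
first. The [x] marker (image file not found) and the line layout are
assumed from the log in this thread.
"""
import re
from dataclasses import dataclass

# Constructed sample, copied from the line format shown in the ComboFix log
# above: three unexplained entries, one legitimate driver whose file is also
# missing, two known vendor drivers, and the localhost proxy setting.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5643
R0 ifpulgo;ifpulgo; [x]
R1 zgtiduwj;zgtiduwj;f:\windows\system32\drivers\zgtiduwj.sys [x]
R3 d85497026fe44633;d85497026fe44633;f:\windows\TEMP\57605124fc6c [x]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;f:\windows\system32\DRIVERS\netr28u.sys [x]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;f:\windows\system32\DRIVERS\klim6.sys [2010-04-22 22104]
S3 RTL8167;Realtek 8167 NT Driver;f:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
"""

SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]*);(?P<display>[^;]*);"
    r"(?P<image>.*?)\s*\[(?P<tail>[^\]]*)\]$"
)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<proxy>\S.*)$")


@dataclass
class ServiceEntry:
    start: str     # ComboFix start type: R = running, S = stopped, digit = start value
    name: str      # service/driver key name
    display: str   # display name (ComboFix repeats the key name when there is none)
    image: str     # image path, empty when the registry entry carries none
    present: bool  # False when ComboFix printed [x]: the image file was not found


def parse_service(line):
    """Return a ServiceEntry for a service line, or None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if m is None:
        return None
    return ServiceEntry(m["start"], m["name"], m["display"], m["image"],
                        m["tail"].strip() != "x")


def review_service(entry):
    """List the review signals for one entry (an empty list means nothing odd)."""
    reasons = []
    if not entry.present:
        reasons.append("image file missing ([x])")
    if entry.display == entry.name:
        reasons.append("no descriptive display name")
    if re.search(r"\\temp\\", entry.image, re.IGNORECASE):
        reasons.append("image under a TEMP directory")
    if re.fullmatch(r"[0-9a-f]{12,}", entry.name, re.IGNORECASE):
        reasons.append("hex-only service name")
    return reasons


def review_proxy(line):
    """Return a finding when the IE proxy points at the local machine, else None."""
    m = PROXY_RE.match(line.strip())
    if m is None:
        return None
    proxy = m["proxy"]
    if re.search(r"127\.0\.0\.1|localhost", proxy, re.IGNORECASE):
        return f"IE proxy routed through localhost: {proxy}"
    return None


def triage(log_text):
    """Return ({service_name: [reasons]}, [proxy findings]) for a log excerpt."""
    suspicious, proxy_findings = {}, []
    for line in log_text.splitlines():
        finding = review_proxy(line)
        if finding:
            proxy_findings.append(finding)
            continue
        entry = parse_service(line)
        if entry is None:
            continue
        reasons = review_service(entry)
        # A single weak signal is noise: netr28u above is a real NIC driver whose
        # file happens to be missing. Two signals, or one strong one (TEMP path,
        # hex-only name), put the entry on the review list.
        strong = any(r.startswith(("image under", "hex-only")) for r in reasons)
        if strong or len(reasons) >= 2:
            suspicious[entry.name] = reasons
    return suspicious, proxy_findings


if __name__ == "__main__":
    services, proxies = triage(SAMPLE_LOG)
    for name, reasons in services.items():
        print(f"{name}: {'; '.join(reasons)}")
    for finding in proxies:
        print(finding)
```

The review list is a starting point for a responder, not a verdict: a flagged entry still needs its file checked before anything is removed.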

Log after new scan with script

Post by clawckc on Wed 20 Oct 2010, 12:14 am

ComboFix 10-10-18.03 - Kristen 19.10.2010 14:52:39.2.4 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.47.1033.18.3327.2112 [GMT 2:00]
Kjører fra: f:\users\Kristen\Desktop\Combo-Fix.exe
Command switches brukt :: f:\users\Kristen\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\users\Kristen\AppData\Roaming\Microsoft\Windows\Cookies\Index_4ACA8BBB.dat
f:\users\Kristen\AppData\Roaming\Microsoft\Windows\Cookies\IndexIE_4ACA8BBB.dat

.
((((((((((((((((((((((((((( Filer Opprettet Fra 2010-09-19 til 2010-10-19 )))))))))))))))))))))))))))))))))
.

2010-10-19 12:59 . 2010-10-19 13:03 -------- d-----w- f:\users\Kristen\AppData\Local\temp
2010-10-19 12:59 . 2010-10-19 12:59 -------- d-----w- f:\users\Default\AppData\Local\temp
2010-10-19 12:50 . 2010-10-19 12:50 -------- d-----w- F:\32788R22FWJFW
2010-10-19 11:57 . 2010-10-19 12:35 -------- d-----w- f:\users\Kristen\AppData\Roaming\IcoFX
2010-10-19 11:57 . 2010-10-19 12:01 -------- d-----w- f:\program files\IcoFX 1.6
2010-10-18 11:03 . 2010-10-18 11:03 12568 ----a-w- f:\windows\system32\drivers\PROCEXP113.SYS
2010-10-16 00:22 . 2010-10-16 17:12 -------- d-----w- f:\programdata\PC Tools
2010-10-15 23:05 . 2010-10-15 23:05 -------- d-----w- f:\program files\Unlocker
2010-10-15 18:09 . 2010-10-15 18:09 -------- d-----w- f:\users\Kristen\AppData\Roaming\Malwarebytes
2010-10-15 18:09 . 2010-04-29 13:39 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2010-10-15 18:09 . 2010-10-15 18:09 -------- d-----w- f:\program files\Malwarebytes' Anti-Malware
2010-10-15 18:09 . 2010-10-15 18:09 -------- d-----w- f:\programdata\Malwarebytes
2010-10-15 18:09 . 2010-04-29 13:39 20952 ----a-w- f:\windows\system32\drivers\mbam.sys
2010-10-15 10:16 . 2010-10-15 10:16 -------- d-----w- f:\users\Default\AppData\Local\Apple Computer
2010-10-15 10:16 . 2010-10-15 10:16 -------- d-----w- f:\users\Default\AppData\Roaming\Apple Computer
2010-10-15 10:01 . 2010-07-01 19:35 150200 ----a-w- f:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
2010-10-15 10:01 . 2010-10-15 10:16 113933 ----a-w- f:\windows\system32\drivers\klin.dat
2010-10-15 10:01 . 2010-10-15 10:16 97549 ----a-w- f:\windows\system32\drivers\klick.dat
2010-10-15 09:59 . 2010-10-19 13:02 -------- d-----w- f:\programdata\Kaspersky Lab
2010-10-15 09:59 . 2010-10-15 09:59 -------- d-----w- f:\program files\Kaspersky Lab
2010-10-15 09:55 . 2010-10-15 09:55 -------- d-----w- F:\kleaner.tmp
2010-10-15 09:51 . 2010-10-15 09:51 -------- d-----w- f:\programdata\Kaspersky Lab Setup Files
2010-10-14 10:55 . 2010-10-14 10:55 -------- d-----w- f:\program files\Matroska Pack
2010-10-13 22:13 . 2010-10-13 22:15 -------- d-----w- f:\programdata\DivX
2010-10-13 11:01 . 2010-10-13 11:01 -------- d-----w- F:\FileFind
2010-10-13 04:17 . 2010-05-05 06:46 363520 ----a-w- f:\windows\system32\StructuredQuery.dll
2010-10-13 00:31 . 2010-03-15 09:31 165376 ----a-w- f:\windows\system32\unrar.dll
2010-10-13 00:31 . 2010-09-08 07:09 108032 ----a-w- f:\windows\system32\ff_vfw.dll
2010-10-13 00:31 . 2010-06-08 16:10 790528 ----a-w- f:\windows\system32\xvidcore.dll
2010-10-13 00:31 . 2010-06-08 16:10 134144 ----a-w- f:\windows\system32\xvidvfw.dll
2010-10-13 00:31 . 2010-01-17 15:18 151552 ----a-w- f:\windows\system32\ac3acm.acm
2010-10-13 00:31 . 2006-10-18 18:05 232448 ----a-w- f:\windows\system32\mp3fhg.acm
2010-10-13 00:31 . 2004-01-25 16:18 217088 ----a-w- f:\windows\system32\yv12vfw.dll
2010-10-13 00:31 . 2010-10-13 00:32 -------- d-----w- f:\program files\K-Lite Codec Pack
2010-10-07 21:59 . 2010-07-17 03:00 423656 ----a-w- f:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-07 21:59 . 2010-07-17 03:00 423656 ----a-w- f:\windows\system32\deployJava1.dll
2010-09-30 03:07 . 2010-10-13 22:18 -------- d-----w- f:\users\Kristen\AppData\Roaming\vlc
2010-09-30 03:06 . 2010-09-30 03:06 -------- d-----w- f:\users\Kristen\AppData\Local\Graboid
2010-09-30 03:06 . 2010-09-30 03:06 -------- d-----w- f:\users\Kristen\AppData\Roaming\MozillaControl
2010-09-30 03:06 . 2010-09-30 03:06 -------- d-----w- f:\program files\Mozilla ActiveX Control v1.7.12
2010-09-30 03:05 . 2010-09-30 03:11 -------- d-----w- f:\program files\Graboid
2010-09-29 01:01 . 2010-03-04 04:04 146304 ----a-w- f:\windows\system32\drivers\usbvideo.sys
2010-09-29 01:01 . 2010-03-04 03:57 190976 ----a-w- f:\windows\system32\drivers\ks.sys
2010-09-28 20:25 . 2010-06-19 06:15 2048 ----a-w- f:\windows\system32\tzres.dll
2010-09-28 20:25 . 2010-08-27 05:30 13312 ----a-w- f:\program files\Internet Explorer\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="f:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"Sidebar"="f:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"uTorrent"="f:\program files\uTorrent\uTorrent.exe" [2010-10-13 328568]
"msnmsgr"="f:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-08-10 4217720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2009-04-14 604704]
"DelReg"="f:\program files\MSI\OverclockingCenter\DelReg.exe" [2008-12-03 196608]
"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-03-08 13683232]
"NvMediaCenter"="f:\windows\system32\NvMcTray.dll" [2009-03-08 92704]
"SunJavaUpdateSched"="f:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AdobeCS4ServiceManager"="f:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="f:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="f:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="f:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="f:\program files\QT Lite\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="f:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"Microsoft Default Manager"="f:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"DivXUpdate"="f:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"AVP"="f:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [2010-10-15 352976]
"UnlockerAssistant"="f:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=f:\progra~3\KASPER~1\KASPER~1\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R0 ifpulgo;ifpulgo; [x]
R1 zgtiduwj;zgtiduwj;f:\windows\system32\drivers\zgtiduwj.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;f:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 IBG_gds_db;InterBase 2009 Guardian gds_db;f:\codegear\InterBase\bin\ibguard.exe [2008-08-25 36864]
R3 d85497026fe44633;d85497026fe44633;f:\windows\TEMP\57605124fc6c [x]
R3 DualCoreCenter;DualCoreCenter;f:\program files\MSI\OverclockingCenter\NTGLM7X.sys [x]
R3 FLASHSYS;FLASHSYS;f:\program files\MSI\Live Update 4\LU4\FLASHSYS.sys [x]
R3 IBS_gds_db;InterBase 2009 Server gds_db;f:\codegear\InterBase\bin\ibserver.exe [2008-08-25 2871296]
R3 MSICDSetup;MSICDSetup;E:\CDriver.sys [x]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;f:\windows\system32\DRIVERS\netr28u.sys [x]
R3 PROCEXP113;PROCEXP113;f:\windows\system32\Drivers\PROCEXP113.SYS [2010-10-18 12568]
R3 RushTopDevice_J;RushTopDevice_J;f:\program files\MSI\OverclockingCenter\RushJ.sys [x]
R3 RushTopDevice2;RushTopDevice2;f:\program files\MSI\OverclockingCenter\RushTop.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;f:\windows\system32\Wat\WatAdminSvc.exe [2010-03-29 1343400]
R4 sptd;sptd;f:\windows\system32\Drivers\sptd.sys [2009-10-31 691696]
S1 kl2;kl2;f:\windows\system32\DRIVERS\kl2.sys [2010-06-09 11352]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;f:\windows\system32\DRIVERS\klim6.sys [2010-04-22 22104]
S1 vwififlt;Virtual WiFi Filter Driver;f:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 BlackfishSQL;BlackfishSQL;f:\program files\CodeGear\RAD Studio\6.0\bin\BSQLServer.exe [2008-08-29 65536]
S2 DriveBooster;DriveBooster;f:\program files\DriveBooster\XSrvSetup.exe [2008-09-09 69632]
S3 klmouflt;Kaspersky Lab KLMOUFLT;f:\windows\system32\DRIVERS\klmouflt.sys [2009-11-02 19984]
S3 RTL8167;Realtek 8167 NT Driver;f:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
S3 WSDPrintDevice;WSD Print Support via UMB;f:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]


--- Andre tjenester/drivere lastet i minnet ---

*Deregistered* - bclyz

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
.
------- Tilleggsskanning -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Append Link Target to Existing PDF - f:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - f:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - f:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - f:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with ImTOO Download YouTube Video - f:\program files\ImTOO\Download YouTube Video\upod_link.HTM
FF - ProfilePath - f:\users\Kristen\AppData\Roaming\Mozilla\Firefox\Profiles\8ikycfp2.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: f:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
FF - plugin: f:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
f:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

[HKEY_LOCAL_MACHINE\system\ControlSet003\services\d85497026fe44633]
"ImagePath"="\??\f:\windows\TEMP\57605124fc6c"

[HKEY_LOCAL_MACHINE\system\ControlSet003\services\bclyz]

.
--------------------- LÅSTE REGISTERNØKLER ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Andre Kjørende Prosesser ------------------------
.
f:\windows\system32\nvvsvc.exe
f:\windows\system32\Ati2evxx.exe
f:\windows\system32\rundll32.exe
f:\program files\DriveBooster\DriveBoosterSetup.exe
f:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
f:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
f:\windows\system32\Ati2evxx.exe
f:\windows\system32\taskhost.exe
f:\windows\system32\conhost.exe
f:\windows\SOUNDMAN.EXE
f:\windows\System32\rundll32.exe
f:\program files\OpenOffice.org 3\program\soffice.exe
f:\program files\OpenOffice.org 3\program\soffice.bin
f:\program files\Windows Media Player\wmpnetwk.exe
f:\program files\iPod\bin\iPodService.exe
f:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Tidspunkt ferdig: 2010-10-19 15:07:48 - maskinen ble startet på nytt
ComboFix-quarantined-files.txt 2010-10-19 13:07
ComboFix2.txt 2010-10-18 12:13

Pre-Run: 45 239 771 136 bytes free
Post-Run: 45 181 976 576 bytes free

- - End Of File - - F0CD47B8B7597D51A6C0738AE6598C74

clawckc

Newbie Surfer

Posts : 11
Joined : 2010-10-16
Operating System : windows 7

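The driver/service section of the log above is where ComboFix exposes the rootkit's footholds: a boot-start driver with no file and no descriptive name (ifpulgo), a driver whose .sys is gone (zgtiduwj), a hex-named service whose image is registered under %windir%\TEMP (d85497026fe44633), and a driver that is loaded in memory but deregistered (bclyz). As an added example, not part of the original thread and not ComboFix's own code, the Python below parses that line layout and applies those triage rules, then renders the registered hits in the Driver:: layout a CFScript.txt uses. The sample lines are copied from the log; the function names and the scoring rules are the example's own assumptions.

```python
"""Triage the driver/service section of a ComboFix log (added example)."""
import re
from dataclasses import dataclass, field

# Lines copied from the ComboFix log in this thread. Layout per line:
#   <R|S><start type> <service>;<display name>;<image path> [<date> <size>]
# where "[x]" replaces the date/size when ComboFix found no file on disk
# (or no path was registered at all).
SAMPLE_LOG = """\
R0 ifpulgo;ifpulgo; [x]
R1 zgtiduwj;zgtiduwj;f:\\windows\\system32\\drivers\\zgtiduwj.sys [x]
R2 IBG_gds_db;InterBase 2009 Guardian gds_db;f:\\codegear\\InterBase\\bin\\ibguard.exe [2008-08-25 36864]
R3 d85497026fe44633;d85497026fe44633;f:\\windows\\TEMP\\57605124fc6c [x]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;f:\\windows\\system32\\DRIVERS\\netr28u.sys [x]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;f:\\windows\\system32\\DRIVERS\\klim6.sys [2010-04-22 22104]
*Deregistered* - bclyz
"""

SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")
DEREG_RE = re.compile(r"^\*Deregistered\*\s+-\s+(\S+)\s*$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{12,}$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\windows\\temp\\", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    start: str              # "R0".."S4" from the log, or "mem" for a deregistered driver
    path: str
    reasons: list = field(default_factory=list)


def triage(log_text: str) -> list:
    """Return the entries a responder should examine first, with the reason for each.

    The rules are this example's own heuristics, not ComboFix's: a missing file
    only counts together with another oddity, so a legitimate driver whose file
    happens to be absent is not flagged on its own.
    """
    findings = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            start, name, display, path, status = m.groups()
            file_missing = status.strip() == "x"
            reasons = []
            if TEMP_DIR_RE.search(path):
                reasons.append("driver image registered under %windir%\\TEMP")
            if HEX_NAME_RE.match(name):
                reasons.append("service name is a bare hex string")
            if display == name and file_missing:
                reasons.append("no descriptive display name and no file on disk")
            if start[1] == "0" and file_missing:
                reasons.append("boot-start driver whose image is gone")
            if reasons:
                findings.append(Finding(name, start, path, reasons))
            continue
        m = DEREG_RE.match(line)
        if m:
            # ComboFix lists drivers it sees loaded in memory that no longer have a
            # service registration: code running without a visible startup entry.
            findings.append(Finding(m.group(1), "mem", "",
                                    ["loaded in memory but deregistered as a service"]))
    return findings


def cfscript_driver_section(findings) -> str:
    """Render the registered hits in the Driver:: layout of a ComboFix CFScript.txt.

    Deregistered drivers have no service key for the Driver:: section to act on,
    so they are left out here and reported for manual follow-up instead.
    """
    names = [f.name for f in findings if f.start != "mem"]
    return "Driver::\n" + "\n".join(names) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.start:>3} {f.name:<20} {f.path or '(no path)'}")
        for r in f.reasons:
            print(f"      - {r}")
    print(cfscript_driver_section(hits))
```

Treat the output as a worklist, not a verdict: a legitimate driver whose file is absent (netr28u above) also shows [x], which is why the rules require the missing file to coincide with a missing description, a TEMP path, or boot-start ordering before an entry is flagged.
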
Re: Rootkit.Win32.Bubnix.bba

Post by Belahzur on Wed 20 Oct 2010, 10:28 am

Hello.
Minor error with my script, need to do this again.

Hello.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    Driver::
    ifpulgo
    zgtiduwj
    d85497026fe44633
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


@RealBelahzur - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Here u have it

Post by clawckc on Wed 20 Oct 2010, 11:09 am

ComboFix 10-10-18.03 - Kristen 20.10.2010 1:47.3.4 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.47.1033.18.3327.2032 [GMT 2:00]
Kjører fra: f:\users\Kristen\Desktop\Combo-Fix.exe
Command switches brukt :: f:\users\Kristen\Desktop\cfscript.txt
.

((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivere/Tjenester )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IFPULGO
-------\Service_d85497026fe44633
-------\Service_ifpulgo
-------\Service_zgtiduwj


((((((((((((((((((((((((((( Filer Opprettet Fra 2010-09-19 til 2010-10-19 )))))))))))))))))))))))))))))))))
.

2010-10-19 23:55 . 2010-10-19 23:55 -------- d-----w- f:\users\Default\AppData\Local\temp
2010-10-19 23:45 . 2010-10-19 23:45 -------- d-----w- F:\32788R22FWJFW
2010-10-19 12:59 . 2010-10-19 23:59 -------- d-----w- f:\users\Kristen\AppData\Local\temp
2010-10-19 11:57 . 2010-10-19 12:35 -------- d-----w- f:\users\Kristen\AppData\Roaming\IcoFX
2010-10-19 11:57 . 2010-10-19 12:01 -------- d-----w- f:\program files\IcoFX 1.6
2010-10-16 00:22 . 2010-10-16 17:12 -------- d-----w- f:\programdata\PC Tools
2010-10-15 23:05 . 2010-10-15 23:05 -------- d-----w- f:\program files\Unlocker
2010-10-15 18:09 . 2010-10-15 18:09 -------- d-----w- f:\users\Kristen\AppData\Roaming\Malwarebytes
2010-10-15 18:09 . 2010-04-29 13:39 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2010-10-15 18:09 . 2010-10-15 18:09 -------- d-----w- f:\program files\Malwarebytes' Anti-Malware
2010-10-15 18:09 . 2010-10-15 18:09 -------- d-----w- f:\programdata\Malwarebytes
2010-10-15 18:09 . 2010-04-29 13:39 20952 ----a-w- f:\windows\system32\drivers\mbam.sys
2010-10-15 10:16 . 2010-10-15 10:16 -------- d-----w- f:\users\Default\AppData\Local\Apple Computer
2010-10-15 10:16 . 2010-10-15 10:16 -------- d-----w- f:\users\Default\AppData\Roaming\Apple Computer
2010-10-15 10:01 . 2010-07-01 19:35 150200 ----a-w- f:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
2010-10-15 10:01 . 2010-10-15 10:16 113933 ----a-w- f:\windows\system32\drivers\klin.dat
2010-10-15 10:01 . 2010-10-15 10:16 97549 ----a-w- f:\windows\system32\drivers\klick.dat
2010-10-15 09:59 . 2010-10-19 23:58 -------- d-----w- f:\programdata\Kaspersky Lab
2010-10-15 09:59 . 2010-10-15 09:59 -------- d-----w- f:\program files\Kaspersky Lab
2010-10-15 09:55 . 2010-10-15 09:55 -------- d-----w- F:\kleaner.tmp
2010-10-15 09:51 . 2010-10-15 09:51 -------- d-----w- f:\programdata\Kaspersky Lab Setup Files
2010-10-14 10:55 . 2010-10-14 10:55 -------- d-----w- f:\program files\Matroska Pack
2010-10-13 22:13 . 2010-10-13 22:15 -------- d-----w- f:\programdata\DivX
2010-10-13 11:01 . 2010-10-13 11:01 -------- d-----w- F:\FileFind
2010-10-13 04:17 . 2010-05-05 06:46 363520 ----a-w- f:\windows\system32\StructuredQuery.dll
2010-10-13 00:31 . 2010-03-15 09:31 165376 ----a-w- f:\windows\system32\unrar.dll
2010-10-13 00:31 . 2010-09-08 07:09 108032 ----a-w- f:\windows\system32\ff_vfw.dll
2010-10-13 00:31 . 2010-06-08 16:10 790528 ----a-w- f:\windows\system32\xvidcore.dll
2010-10-13 00:31 . 2010-06-08 16:10 134144 ----a-w- f:\windows\system32\xvidvfw.dll
2010-10-13 00:31 . 2010-01-17 15:18 151552 ----a-w- f:\windows\system32\ac3acm.acm
2010-10-13 00:31 . 2006-10-18 18:05 232448 ----a-w- f:\windows\system32\mp3fhg.acm
2010-10-13 00:31 . 2004-01-25 16:18 217088 ----a-w- f:\windows\system32\yv12vfw.dll
2010-10-13 00:31 . 2010-10-13 00:32 -------- d-----w- f:\program files\K-Lite Codec Pack
2010-10-07 21:59 . 2010-07-17 03:00 423656 ----a-w- f:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-07 21:59 . 2010-07-17 03:00 423656 ----a-w- f:\windows\system32\deployJava1.dll
2010-09-30 03:07 . 2010-10-19 17:22 -------- d-----w- f:\users\Kristen\AppData\Roaming\vlc
2010-09-30 03:06 . 2010-09-30 03:06 -------- d-----w- f:\users\Kristen\AppData\Local\Graboid
2010-09-30 03:06 . 2010-09-30 03:06 -------- d-----w- f:\users\Kristen\AppData\Roaming\MozillaControl
2010-09-30 03:06 . 2010-09-30 03:06 -------- d-----w- f:\program files\Mozilla ActiveX Control v1.7.12
2010-09-30 03:05 . 2010-09-30 03:11 -------- d-----w- f:\program files\Graboid
2010-09-29 01:01 . 2010-03-04 04:04 146304 ----a-w- f:\windows\system32\drivers\usbvideo.sys
2010-09-29 01:01 . 2010-03-04 03:57 190976 ----a-w- f:\windows\system32\drivers\ks.sys
2010-09-28 20:25 . 2010-06-19 06:15 2048 ----a-w- f:\windows\system32\tzres.dll
2010-09-28 20:25 . 2010-08-27 05:30 13312 ----a-w- f:\program files\Internet Explorer\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="f:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"Sidebar"="f:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"uTorrent"="f:\program files\uTorrent\uTorrent.exe" [2010-10-13 328568]
"msnmsgr"="f:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-08-10 4217720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2009-04-14 604704]
"DelReg"="f:\program files\MSI\OverclockingCenter\DelReg.exe" [2008-12-03 196608]
"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-03-08 13683232]
"NvMediaCenter"="f:\windows\system32\NvMcTray.dll" [2009-03-08 92704]
"SunJavaUpdateSched"="f:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AdobeCS4ServiceManager"="f:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="f:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="f:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="f:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="f:\program files\QT Lite\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="f:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"Microsoft Default Manager"="f:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"DivXUpdate"="f:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"AVP"="f:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [2010-10-15 352976]
"UnlockerAssistant"="f:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=f:\progra~3\KASPER~1\KASPER~1\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;f:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 IBG_gds_db;InterBase 2009 Guardian gds_db;f:\codegear\InterBase\bin\ibguard.exe [2008-08-25 36864]
R3 DualCoreCenter;DualCoreCenter;f:\program files\MSI\OverclockingCenter\NTGLM7X.sys [x]
R3 FLASHSYS;FLASHSYS;f:\program files\MSI\Live Update 4\LU4\FLASHSYS.sys [x]
R3 IBS_gds_db;InterBase 2009 Server gds_db;f:\codegear\InterBase\bin\ibserver.exe [2008-08-25 2871296]
R3 MSICDSetup;MSICDSetup;E:\CDriver.sys [x]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;f:\windows\system32\DRIVERS\netr28u.sys [x]
R3 RushTopDevice_J;RushTopDevice_J;f:\program files\MSI\OverclockingCenter\RushJ.sys [x]
R3 RushTopDevice2;RushTopDevice2;f:\program files\MSI\OverclockingCenter\RushTop.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;f:\windows\system32\Wat\WatAdminSvc.exe [2010-03-29 1343400]
R3 WSDPrintDevice;WSD Print Support via UMB;f:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
R4 sptd;sptd;f:\windows\system32\Drivers\sptd.sys [2009-10-31 691696]
S1 kl2;kl2;f:\windows\system32\DRIVERS\kl2.sys [2010-06-09 11352]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;f:\windows\system32\DRIVERS\klim6.sys [2010-04-22 22104]
S1 vwififlt;Virtual WiFi Filter Driver;f:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 BlackfishSQL;BlackfishSQL;f:\program files\CodeGear\RAD Studio\6.0\bin\BSQLServer.exe [2008-08-29 65536]
S2 DriveBooster;DriveBooster;f:\program files\DriveBooster\XSrvSetup.exe [2008-09-09 69632]
S3 klmouflt;Kaspersky Lab KLMOUFLT;f:\windows\system32\DRIVERS\klmouflt.sys [2009-11-02 19984]
S3 RTL8167;Realtek 8167 NT Driver;f:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]


--- Andre tjenester/drivere lastet i minnet ---

*Deregistered* - bclyz
*Deregistered* - qtzkope

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
.
------- Tilleggsskanning -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Append Link Target to Existing PDF - f:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - f:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - f:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - f:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with ImTOO Download YouTube Video - f:\program files\ImTOO\Download YouTube Video\upod_link.HTM
FF - ProfilePath - f:\users\Kristen\AppData\Roaming\Mozilla\Firefox\Profiles\8ikycfp2.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: f:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
FF - plugin: f:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
f:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

[HKEY_LOCAL_MACHINE\system\ControlSet003\services\bclyz]

--

[HKEY_LOCAL_MACHINE\system\ControlSet003\services\qtzkope]

.
--------------------- LÅSTE REGISTERNØKLER ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Andre Kjørende Prosesser ------------------------
.
f:\windows\system32\nvvsvc.exe
f:\windows\system32\Ati2evxx.exe
f:\windows\system32\rundll32.exe
f:\program files\DriveBooster\DriveBoosterSetup.exe
f:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
f:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
f:\windows\system32\Ati2evxx.exe
f:\windows\system32\taskhost.exe
f:\windows\system32\conhost.exe
f:\windows\SOUNDMAN.EXE
f:\windows\System32\rundll32.exe
f:\program files\OpenOffice.org 3\program\soffice.exe
f:\program files\OpenOffice.org 3\program\soffice.bin
f:\program files\iPod\bin\iPodService.exe
f:\program files\Windows Media Player\wmpnetwk.exe
f:\windows\system32\sppsvc.exe
f:\windows\system32\taskhost.exe
.
**************************************************************************
.
Tidspunkt ferdig: 2010-10-20 02:03:09 - maskinen ble startet på nytt
ComboFix-quarantined-files.txt 2010-10-20 00:03
ComboFix2.txt 2010-10-19 13:07
ComboFix3.txt 2010-10-18 12:13

Pre-Run: 44 575 977 472 bytes free
Post-Run: 44 313 866 240 bytes free

- - End Of File - - 766867416480F49EAE23BC844B9C6A21

clawckc

Newbie Surfer

Posts : 11
Joined : 2010-10-16
Operating System : windows 7

Re: Rootkit.Win32.Bubnix.bba

Post by Belahzur on Thu 21 Oct 2010, 10:24 am

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :reg
    [-HKEY_LOCAL_MACHINE\system\ControlSet003\services\bclyz]
    [-HKEY_LOCAL_MACHINE\system\ControlSet003\services\qtzkope]


  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


@RealBelahzur - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

Read notes also.

Post by clawckc on Thu 21 Oct 2010, 7:09 pm

========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\system\ControlSet003\services\bclyz\ not found.
Registry key HKEY_LOCAL_MACHINE\system\ControlSet003\services\qtzkope\ not found.

OTL by OldTimer - Version 3.2.16.0 log created on 10212010_093350


Private notes:
I ran a scan through the registry with search value bclyz. Below is the result:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_BCLYZ
Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_BCLYZ
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_BCLYZ
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_BCLYZ
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BCLYZ
HKEY_USERS\S-1-5-21-1394755757-3929699587-1953729653-1000\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
Key to line above:= LastKey REG_SZ Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_BCLYZ

And then I did the same for qtzkope:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_BCLYZ
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_BCLYZ
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BCLYZ

OK, this is what I found. As mentioned before, none of those registry keys above let any user make any changes and/or delete any of the registry keys.
It seems to me I don't have the proper rights even when running as administrator. Are there some security settings locking the files? I did a Google search a while ago on the rootkit and found
a Russian site (a forum) where I did not understand any of the text, but the title was the rootkit name and one of the posts had some Borland Delphi code pasted.

Code:

    // Reset the security descriptor (ACL) of a key and, recursively, of every
    // subkey, so that a key the rootkit has locked against Administrators can
    // be deleted again.
    function RegKeyResetSecurityEx(ARoot, AName : string) : boolean;
    var
      i : integer;
      KeyList : TStringList;
      KeyName : string;
    begin
      Result := true;
      RegKeyResetSecurity(ARoot, AName);
      KeyList := TStringList.Create;
      RegKeyEnumKey(ARoot, AName, KeyList);
      for i := 0 to KeyList.Count-1 do
      begin
        // the forum had eaten the backslash here; without it the subkey path is wrong
        KeyName := AName + '\' + KeyList[i];
        RegKeyResetSecurity(ARoot, KeyName);
        RegKeyResetSecurityEx(ARoot, KeyName);
      end;
      KeyList.Free;
    end;

    // Stop and delete a service, then remove its Services key from every
    // ControlSetNNN under HKLM\SYSTEM, not only from CurrentControlSet.
    // Result bits: 1 = stopped, 2 = deleted, 4 = key found, 8 = key survived deletion.
    function BC_ServiceKill(AServiceName : string; AIsSvcHosted : boolean = true) : byte;
    var
      i : integer;
      KeyList : TStringList;
      KeyName : string;
    begin
      Result := 0;
      if StopService(AServiceName) then Result := Result or 1;
      if DeleteService(AServiceName, not(AIsSvcHosted)) then Result := Result or 2;
      KeyList := TStringList.Create;
      RegKeyEnumKey('HKLM', 'SYSTEM', KeyList);
      for i := 0 to KeyList.Count-1 do
        if pos('controlset', LowerCase(KeyList[i])) > 0 then
        begin
          KeyName := 'SYSTEM\' + KeyList[i] + '\Services\' + AServiceName;
          if RegKeyExistsEx('HKLM', KeyName) then
          begin
            Result := Result or 4;
            RegKeyResetSecurityEx('HKLM', KeyName);
            RegKeyDel('HKLM', KeyName);
            if RegKeyExistsEx('HKLM', KeyName) then
              Result := Result or 8;
          end;
        end;
      if AIsSvcHosted then
        BC_DeleteSvcReg(AServiceName)
      else
        BC_DeleteSvc(AServiceName);
      KeyList.Free;
    end;

    // Main script body. The service and file names below belong to the infection
    // discussed on the Russian forum, not to this thread's bclyz/qtzkope.
    begin
      RegKeyResetSecurity('HKLM', 'SYSTEM\CurrentControlSet\Services\iioyftgj');
      RegKeyResetSecurity('HKLM', 'SYSTEM\CurrentControlSet\Services\iioyftgj\Parameters');
      RegKeyResetSecurity('HKLM', 'SYSTEM\CurrentControlSet\Services\lawpu');
      RegKeyResetSecurity('HKLM', 'SYSTEM\CurrentControlSet\Services\lawpu\Parameters');
      SearchRootkit(true, true);
      SetAVZGuardStatus(True);
      ClearQuarantine;
      DeleteService('lljwedsj');
      QuarantineFile('C:\Windows\system32\drivers\lljwedsj.sys', '');
      DeleteService('9655a01e6b3da57a');
      DeleteService('665fe31acea064be');
      DeleteService('5eecf46a66883af2');
      QuarantineFile('C:\Windows\TEMP\7240987c700c', '');
      QuarantineFile('C:\Windows\TEMP\7480aea4deb0', '');
      QuarantineFile('C:\Windows\TEMP\7360f5be175e', '');
      QuarantineFile('C:\Program Files\Lissi\LirVPN\bin\lirvpnserv.exe', '');
      QuarantineFile('C:\Windows\System32\Drivers\iioyftgj.sys', '');
      QuarantineFile('C:\Windows\System32\Drivers\lawpu.sys', '');
      // BC_* calls are queued for the boot-time cleaner; the plain calls run now
      BC_DeleteFile('C:\Windows\System32\Drivers\lawpu.sys');
      DeleteFile('C:\Windows\System32\Drivers\lawpu.sys');
      DeleteFile('C:\Windows\System32\Drivers\iioyftgj.sys');
      BC_DeleteFile('C:\Windows\System32\Drivers\iioyftgj.sys');
      DeleteFile('C:\Windows\TEMP\7360f5be175e');
      DeleteFile('C:\Windows\TEMP\7480aea4deb0');
      DeleteFile('C:\Windows\TEMP\7240987c700c');
      DeleteFile('C:\Windows\system32\drivers\lljwedsj.sys');
      BC_ImportAll;
      AddToLog(inttostr(BC_ServiceKill('iioyftgj')));
      AddToLog(inttostr(BC_ServiceKill('lawpu')));
      SaveLog(GetAVZDirectory + 'avz_log.txt');
      BC_Activate;
      ExecuteWizard('TSW', 2, 2, true);
      RebootWindows(true);
    end.



I don't know if this helps you in any way, but I thought I should post it.
The link to this forum is: [You must be registered and logged in to see this link.]



clawckc

Newbie Surfer

Posts : 11
Joined : 2010-10-16
Operating System : windows 7

Re: Rootkit.Win32.Bubnix.bba

Post by Belahzur on Fri 22 Oct 2010, 11:16 am

Hmm, please run Combofix again.


@RealBelahzur - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

New combofix log

Post by clawckc on Fri 22 Oct 2010, 7:42 pm

ComboFix 10-10-18.03 - Kristen 22.10.2010 10:28:36.4.4 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.47.1033.18.3327.2270 [GMT 2:00]
Kjører fra: f:\users\Kristen\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Andre slettinger )))))))))))))))))))))))))))))))))))))))))))))))))
.

f:\users\Kristen\AppData\Roaming\Microsoft\Windows\Cookies\Index_8CF39803.dat
f:\users\Kristen\AppData\Roaming\Microsoft\Windows\Cookies\IndexIE_8CF39803.dat

.
((((((((((((((((((((((((((( Filer Opprettet Fra 2010-09-22 til 2010-10-22 )))))))))))))))))))))))))))))))))
.

2010-10-22 08:37 . 2010-10-22 08:37 -------- d-----w- f:\users\Default\AppData\Local\temp
2010-10-22 08:27 . 2010-10-22 08:27 -------- d-----w- F:\32788R22FWJFW
2010-10-21 07:33 . 2010-10-21 07:33 -------- d-----w- F:\_OTL
2010-10-19 12:59 . 2010-10-22 08:37 -------- d-----w- f:\users\Kristen\AppData\Local\temp
2010-10-19 11:57 . 2010-10-19 12:35 -------- d-----w- f:\users\Kristen\AppData\Roaming\IcoFX
2010-10-19 11:57 . 2010-10-19 12:01 -------- d-----w- f:\program files\IcoFX 1.6
2010-10-16 00:22 . 2010-10-16 17:12 -------- d-----w- f:\programdata\PC Tools
2010-10-15 23:05 . 2010-10-15 23:05 -------- d-----w- f:\program files\Unlocker
2010-10-15 18:09 . 2010-10-15 18:09 -------- d-----w- f:\users\Kristen\AppData\Roaming\Malwarebytes
2010-10-15 18:09 . 2010-04-29 13:39 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2010-10-15 18:09 . 2010-10-15 18:09 -------- d-----w- f:\program files\Malwarebytes' Anti-Malware
2010-10-15 18:09 . 2010-10-15 18:09 -------- d-----w- f:\programdata\Malwarebytes
2010-10-15 18:09 . 2010-04-29 13:39 20952 ----a-w- f:\windows\system32\drivers\mbam.sys
2010-10-15 10:16 . 2010-10-15 10:16 -------- d-----w- f:\users\Default\AppData\Local\Apple Computer
2010-10-15 10:16 . 2010-10-15 10:16 -------- d-----w- f:\users\Default\AppData\Roaming\Apple Computer
2010-10-15 10:01 . 2010-07-01 19:35 150200 ----a-w- f:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
2010-10-15 10:01 . 2010-10-15 10:16 113933 ----a-w- f:\windows\system32\drivers\klin.dat
2010-10-15 10:01 . 2010-10-15 10:16 97549 ----a-w- f:\windows\system32\drivers\klick.dat
2010-10-15 09:59 . 2010-10-22 08:21 -------- d-----w- f:\programdata\Kaspersky Lab
2010-10-15 09:59 . 2010-10-15 09:59 -------- d-----w- f:\program files\Kaspersky Lab
2010-10-15 09:55 . 2010-10-15 09:55 -------- d-----w- F:\kleaner.tmp
2010-10-15 09:51 . 2010-10-15 09:51 -------- d-----w- f:\programdata\Kaspersky Lab Setup Files
2010-10-14 10:55 . 2010-10-14 10:55 -------- d-----w- f:\program files\Matroska Pack
2010-10-13 22:13 . 2010-10-13 22:15 -------- d-----w- f:\programdata\DivX
2010-10-13 11:01 . 2010-10-13 11:01 -------- d-----w- F:\FileFind
2010-10-13 04:17 . 2010-05-05 06:46 363520 ----a-w- f:\windows\system32\StructuredQuery.dll
2010-10-13 00:31 . 2010-03-15 09:31 165376 ----a-w- f:\windows\system32\unrar.dll
2010-10-13 00:31 . 2010-09-08 07:09 108032 ----a-w- f:\windows\system32\ff_vfw.dll
2010-10-13 00:31 . 2010-06-08 16:10 790528 ----a-w- f:\windows\system32\xvidcore.dll
2010-10-13 00:31 . 2010-06-08 16:10 134144 ----a-w- f:\windows\system32\xvidvfw.dll
2010-10-13 00:31 . 2010-01-17 15:18 151552 ----a-w- f:\windows\system32\ac3acm.acm
2010-10-13 00:31 . 2006-10-18 18:05 232448 ----a-w- f:\windows\system32\mp3fhg.acm
2010-10-13 00:31 . 2004-01-25 16:18 217088 ----a-w- f:\windows\system32\yv12vfw.dll
2010-10-13 00:31 . 2010-10-13 00:32 -------- d-----w- f:\program files\K-Lite Codec Pack
2010-10-07 21:59 . 2010-07-17 03:00 423656 ----a-w- f:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-07 21:59 . 2010-07-17 03:00 423656 ----a-w- f:\windows\system32\deployJava1.dll
2010-09-30 03:07 . 2010-10-19 17:22 -------- d-----w- f:\users\Kristen\AppData\Roaming\vlc
2010-09-30 03:06 . 2010-09-30 03:06 -------- d-----w- f:\users\Kristen\AppData\Local\Graboid
2010-09-30 03:06 . 2010-09-30 03:06 -------- d-----w- f:\users\Kristen\AppData\Roaming\MozillaControl
2010-09-30 03:06 . 2010-09-30 03:06 -------- d-----w- f:\program files\Mozilla ActiveX Control v1.7.12
2010-09-30 03:05 . 2010-09-30 03:11 -------- d-----w- f:\program files\Graboid
2010-09-29 01:01 . 2010-03-04 04:04 146304 ----a-w- f:\windows\system32\drivers\usbvideo.sys
2010-09-29 01:01 . 2010-03-04 03:57 190976 ----a-w- f:\windows\system32\drivers\ks.sys
2010-09-28 20:25 . 2010-06-19 06:15 2048 ----a-w- f:\windows\system32\tzres.dll
2010-09-28 20:25 . 2010-08-27 05:30 13312 ----a-w- f:\program files\Internet Explorer\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="f:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"Sidebar"="f:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"uTorrent"="f:\program files\uTorrent\uTorrent.exe" [2010-10-13 328568]
"msnmsgr"="f:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-08-10 4217720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2009-04-14 604704]
"DelReg"="f:\program files\MSI\OverclockingCenter\DelReg.exe" [2008-12-03 196608]
"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-03-08 13683232]
"NvMediaCenter"="f:\windows\system32\NvMcTray.dll" [2009-03-08 92704]
"SunJavaUpdateSched"="f:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AdobeCS4ServiceManager"="f:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="f:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="f:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="f:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="f:\program files\QT Lite\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="f:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"Microsoft Default Manager"="f:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"DivXUpdate"="f:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"AVP"="f:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [2010-10-15 352976]
"UnlockerAssistant"="f:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=f:\progra~3\KASPER~1\KASPER~1\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;f:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 DriveBooster;DriveBooster;f:\program files\DriveBooster\XSrvSetup.exe [2008-09-09 69632]
R2 IBG_gds_db;InterBase 2009 Guardian gds_db;f:\codegear\InterBase\bin\ibguard.exe [2008-08-25 36864]
R3 340a53a63bc54401;340a53a63bc54401;f:\windows\TEMP\57203669b5b4 [x]
R3 35cda5cf937f0584;35cda5cf937f0584;f:\windows\TEMP\576061816d9e [x]
R3 3e416015bd0a2248;3e416015bd0a2248;f:\windows\TEMP\5720ae57393d [x]
R3 bd5f9771f93f52b1;bd5f9771f93f52b1;f:\windows\TEMP\58002a13a73b [x]
R3 df0327d2cde2de31;df0327d2cde2de31;f:\windows\TEMP\5800440fcf92 [x]
R3 DualCoreCenter;DualCoreCenter;f:\program files\MSI\OverclockingCenter\NTGLM7X.sys [x]
R3 FLASHSYS;FLASHSYS;f:\program files\MSI\Live Update 4\LU4\FLASHSYS.sys [x]
R3 IBS_gds_db;InterBase 2009 Server gds_db;f:\codegear\InterBase\bin\ibserver.exe [2008-08-25 2871296]
R3 MSICDSetup;MSICDSetup;E:\CDriver.sys [x]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;f:\windows\system32\DRIVERS\netr28u.sys [x]
R3 RushTopDevice_J;RushTopDevice_J;f:\program files\MSI\OverclockingCenter\RushJ.sys [x]
R3 RushTopDevice2;RushTopDevice2;f:\program files\MSI\OverclockingCenter\RushTop.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;f:\windows\system32\Wat\WatAdminSvc.exe [2010-03-29 1343400]
R3 WSDPrintDevice;WSD Print Support via UMB;f:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
R4 sptd;sptd;f:\windows\system32\Drivers\sptd.sys [2009-10-31 691696]
S1 kl2;kl2;f:\windows\system32\DRIVERS\kl2.sys [2010-06-09 11352]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;f:\windows\system32\DRIVERS\klim6.sys [2010-04-22 22104]
S1 vwififlt;Virtual WiFi Filter Driver;f:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 BlackfishSQL;BlackfishSQL;f:\program files\CodeGear\RAD Studio\6.0\bin\BSQLServer.exe [2008-08-29 65536]
S3 klmouflt;Kaspersky Lab KLMOUFLT;f:\windows\system32\DRIVERS\klmouflt.sys [2009-11-02 19984]
S3 RTL8167;Realtek 8167 NT Driver;f:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]


--- Andre tjenester/drivere lastet i minnet ---

*Deregistered* - bclyz
*Deregistered* - qtzkope

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
.
------- Tilleggsskanning -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Append Link Target to Existing PDF - f:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - f:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - f:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - f:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with ImTOO Download YouTube Video - f:\program files\ImTOO\Download YouTube Video\upod_link.HTM
FF - ProfilePath - f:\users\Kristen\AppData\Roaming\Mozilla\Firefox\Profiles\8ikycfp2.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: f:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
FF - plugin: f:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
f:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

[HKEY_LOCAL_MACHINE\system\ControlSet003\services\340a53a63bc54401]
"ImagePath"="\??\f:\windows\TEMP\57203669b5b4"

[HKEY_LOCAL_MACHINE\system\ControlSet003\services\35cda5cf937f0584]
"ImagePath"="\??\f:\windows\TEMP\576061816d9e"

[HKEY_LOCAL_MACHINE\system\ControlSet003\services\3e416015bd0a2248]
"ImagePath"="\??\f:\windows\TEMP\5720ae57393d"

[HKEY_LOCAL_MACHINE\system\ControlSet003\services\bd5f9771f93f52b1]
"ImagePath"="\??\f:\windows\TEMP\58002a13a73b"

[HKEY_LOCAL_MACHINE\system\ControlSet003\services\df0327d2cde2de31]
"ImagePath"="\??\f:\windows\TEMP\5800440fcf92"

[HKEY_LOCAL_MACHINE\system\ControlSet003\services\bclyz]

--

[HKEY_LOCAL_MACHINE\system\ControlSet003\services\qtzkope]

.
--------------------- LÅSTE REGISTERNØKLER ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Tidspunkt ferdig: 2010-10-22 10:38:33
ComboFix-quarantined-files.txt 2010-10-22 08:38
ComboFix2.txt 2010-10-20 00:03
ComboFix3.txt 2010-10-19 13:07
ComboFix4.txt 2010-10-18 12:13

Pre-Run: 41 306 959 872 bytes free
Post-Run: 41 865 596 928 bytes free

- - End Of File - - 63DB3A28031EB6EF72BB727EA90AFD9D

clawckc

Newbie Surfer

Posts : 11
Joined : 2010-10-16
Operating System : windows 7


Re: Rootkit.Win32.Bubnix.bba

Post by Belahzur on Sat 23 Oct 2010, 10:52 am


  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    Driver::
    340a53a63bc54401
    35cda5cf937f0584
    3e416015bd0a2248
    bd5f9771f93f52b1
    df0327d2cde2de31

    Registry::
    [-HKEY_LOCAL_MACHINE\system\ControlSet003\services\340a53a63bc54401]
    [-HKEY_LOCAL_MACHINE\system\ControlSet003\services\35cda5cf937f0584]
    [-HKEY_LOCAL_MACHINE\system\ControlSet003\services\3e416015bd0a2248]
    [-HKEY_LOCAL_MACHINE\system\ControlSet003\services\bd5f9771f93f52b1]
    [-HKEY_LOCAL_MACHINE\system\ControlSet003\services\df0327d2cde2de31]
    [-HKEY_LOCAL_MACHINE\system\ControlSet003\services\bclyz]
    [-HKEY_LOCAL_MACHINE\system\ControlSet003\services\qtzkope]

  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre


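A small triage helper, added here as an example and not part of the thread or of ComboFix itself: it parses service lines, *Deregistered* driver lines and services-key headers in the shape of the log posted above, flags the entries that look like the rootkit's, and drafts the Driver::/Registry:: CFScript sections in the layout Belahzur used. The flagging heuristics (16-hex-digit service names, images under the Windows TEMP folder, with a bare [x] not counting on its own) are the editor's assumptions drawn from this log, and the sample log is constructed from lines in the thread.

```python
"""Triage a ComboFix log and draft the matching CFScript sections.

Added example, not part of the thread and not ComboFix's own code. The
heuristics are the editor's, taken from what the posted log shows: a service
named with 16 hex digits, or whose image sits under the Windows TEMP folder,
is treated as the rootkit's; a bare [x] (file missing) is not enough alone.
"""
import re

# Constructed sample, copied in the shape of the thread's ComboFix log.
SAMPLE_LOG = r"""
R2 IBG_gds_db;InterBase 2009 Guardian gds_db;f:\codegear\InterBase\bin\ibguard.exe [2008-08-25 36864]
R3 340a53a63bc54401;340a53a63bc54401;f:\windows\TEMP\57203669b5b4 [x]
R3 35cda5cf937f0584;35cda5cf937f0584;f:\windows\TEMP\576061816d9e [x]
R3 DualCoreCenter;DualCoreCenter;f:\program files\MSI\OverclockingCenter\NTGLM7X.sys [x]
S1 kl2;kl2;f:\windows\system32\DRIVERS\kl2.sys [2010-06-09 11352]

--- Andre tjenester/drivere lastet i minnet ---

*Deregistered* - bclyz
*Deregistered* - qtzkope

[HKEY_LOCAL_MACHINE\system\ControlSet003\services\340a53a63bc54401]
"ImagePath"="\??\f:\windows\TEMP\57203669b5b4"

[HKEY_LOCAL_MACHINE\system\ControlSet003\services\bclyz]

--

[HKEY_LOCAL_MACHINE\system\ControlSet003\services\qtzkope]
"""

SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]+)\]$")
DEREG_RE = re.compile(r"^\*Deregistered\*\s+-\s+(\S+)$")
KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE\\system\\ControlSet\d+\\services\\([^\\\]]+))\]$", re.I)
HEX16_RE = re.compile(r"^[0-9a-f]{16}$", re.I)
TEMP_RE = re.compile(r"\\windows\\temp\\", re.I)


def classify(name, path, stamp):
    """Reasons an entry looks like the rootkit's; an empty list means benign."""
    reasons = []
    if HEX16_RE.match(name):
        reasons.append("service name is 16 random-looking hex digits")
    if TEMP_RE.search(path):
        reasons.append("image path is under the Windows TEMP folder")
    # [x] only adds weight once something else is wrong: the MSI drivers in
    # the thread's log are also listed with [x] and are not malicious.
    if reasons and stamp == "x":
        reasons.append("file not present on disk ([x])")
    return reasons


def parse_services(log):
    """One dict per 'R3 name;display;path [stamp]' line, with its reasons."""
    out = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            start, name, display, path, stamp = m.groups()
            out.append({"start": start, "name": name, "display": display,
                        "path": path, "stamp": stamp,
                        "reasons": classify(name, path, stamp)})
    return out


def parse_deregistered(log):
    """Drivers ComboFix lists as *Deregistered*: in memory, no service entry."""
    hits = (DEREG_RE.match(ln.strip()) for ln in log.splitlines())
    return [m.group(1) for m in hits if m]


def parse_service_keys(log):
    """(full key, service name) for each services\\<name> block header."""
    hits = (KEY_RE.match(ln.strip()) for ln in log.splitlines())
    return [(m.group(1), m.group(2)) for m in hits if m]


def build_cfscript(log):
    """Draft Driver:: and Registry:: sections in the layout used in the thread."""
    # Driver:: lists only flagged services ComboFix still sees as registered;
    # deregistered drivers contribute just their orphaned registry keys.
    flagged = [s["name"] for s in parse_services(log) if s["reasons"]]
    targets = {n.lower() for n in flagged + parse_deregistered(log)}
    keys = [k for k, n in parse_service_keys(log) if n.lower() in targets]
    lines = ["KILLALL::", "", "Driver::", *flagged,
             "", "Registry::", *[f"[-{k}]" for k in keys]]
    return "\n".join(lines)


if __name__ == "__main__":
    for svc in parse_services(SAMPLE_LOG):
        if svc["reasons"]:
            print(f"{svc['name']}: {'; '.join(svc['reasons'])}")
    print(build_cfscript(SAMPLE_LOG))
```

Running it on the constructed sample flags the two TEMP-resident hex-named services, leaves DualCoreCenter alone despite its [x], and drafts a script whose Registry:: section lists the three matching ControlSet003\services keys.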
Combofix log

Post by clawckc on Sat 23 Oct 2010, 1:54 pm

ComboFix 10-10-18.03 - Kristen 23.10.2010 4:31.5.4 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.47.1033.18.3327.2062 [GMT 2:00]
Kjører fra: f:\users\Kristen\Desktop\Combo-Fix.exe
Command switches brukt :: f:\users\Kristen\Desktop\CFScript.txt
* Opprettet nytt gjenopprettingspunkt
.

((((((((((((((((((((((((((( Filer Opprettet Fra 2010-09-23 til 2010-10-23 )))))))))))))))))))))))))))))))))
.

2010-10-23 02:40 . 2010-10-23 02:40 -------- d-----w- f:\users\Default\AppData\Local\temp
2010-10-23 02:29 . 2010-10-23 02:29 -------- d-----w- F:\32788R22FWJFW
2010-10-22 08:27 . 2010-10-22 08:38 -------- d-----w- F:\Combo-Fix
2010-10-21 07:33 . 2010-10-21 07:33 -------- d-----w- F:\_OTL
2010-10-19 12:59 . 2010-10-23 02:43 -------- d-----w- f:\users\Kristen\AppData\Local\temp
2010-10-19 11:57 . 2010-10-19 12:35 -------- d-----w- f:\users\Kristen\AppData\Roaming\IcoFX
2010-10-19 11:57 . 2010-10-19 12:01 -------- d-----w- f:\program files\IcoFX 1.6
2010-10-16 00:22 . 2010-10-16 17:12 -------- d-----w- f:\programdata\PC Tools
2010-10-15 23:05 . 2010-10-15 23:05 -------- d-----w- f:\program files\Unlocker
2010-10-15 18:09 . 2010-10-15 18:09 -------- d-----w- f:\users\Kristen\AppData\Roaming\Malwarebytes
2010-10-15 18:09 . 2010-04-29 13:39 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys
2010-10-15 18:09 . 2010-10-15 18:09 -------- d-----w- f:\program files\Malwarebytes' Anti-Malware
2010-10-15 18:09 . 2010-10-15 18:09 -------- d-----w- f:\programdata\Malwarebytes
2010-10-15 18:09 . 2010-04-29 13:39 20952 ----a-w- f:\windows\system32\drivers\mbam.sys
2010-10-15 10:16 . 2010-10-15 10:16 -------- d-----w- f:\users\Default\AppData\Local\Apple Computer
2010-10-15 10:16 . 2010-10-15 10:16 -------- d-----w- f:\users\Default\AppData\Roaming\Apple Computer
2010-10-15 10:01 . 2010-07-01 19:35 150200 ----a-w- f:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
2010-10-15 10:01 . 2010-10-15 10:16 113933 ----a-w- f:\windows\system32\drivers\klin.dat
2010-10-15 10:01 . 2010-10-15 10:16 97549 ----a-w- f:\windows\system32\drivers\klick.dat
2010-10-15 09:59 . 2010-10-23 02:42 -------- d-----w- f:\programdata\Kaspersky Lab
2010-10-15 09:59 . 2010-10-15 09:59 -------- d-----w- f:\program files\Kaspersky Lab
2010-10-15 09:55 . 2010-10-15 09:55 -------- d-----w- F:\kleaner.tmp
2010-10-15 09:51 . 2010-10-15 09:51 -------- d-----w- f:\programdata\Kaspersky Lab Setup Files
2010-10-14 10:55 . 2010-10-14 10:55 -------- d-----w- f:\program files\Matroska Pack
2010-10-13 22:13 . 2010-10-13 22:15 -------- d-----w- f:\programdata\DivX
2010-10-13 11:01 . 2010-10-13 11:01 -------- d-----w- F:\FileFind
2010-10-13 04:17 . 2010-05-05 06:46 363520 ----a-w- f:\windows\system32\StructuredQuery.dll
2010-10-13 00:31 . 2010-03-15 09:31 165376 ----a-w- f:\windows\system32\unrar.dll
2010-10-13 00:31 . 2010-09-08 07:09 108032 ----a-w- f:\windows\system32\ff_vfw.dll
2010-10-13 00:31 . 2010-06-08 16:10 790528 ----a-w- f:\windows\system32\xvidcore.dll
2010-10-13 00:31 . 2010-06-08 16:10 134144 ----a-w- f:\windows\system32\xvidvfw.dll
2010-10-13 00:31 . 2010-01-17 15:18 151552 ----a-w- f:\windows\system32\ac3acm.acm
2010-10-13 00:31 . 2006-10-18 18:05 232448 ----a-w- f:\windows\system32\mp3fhg.acm
2010-10-13 00:31 . 2004-01-25 16:18 217088 ----a-w- f:\windows\system32\yv12vfw.dll
2010-10-13 00:31 . 2010-10-13 00:32 -------- d-----w- f:\program files\K-Lite Codec Pack
2010-10-07 21:59 . 2010-07-17 03:00 423656 ----a-w- f:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-07 21:59 . 2010-07-17 03:00 423656 ----a-w- f:\windows\system32\deployJava1.dll
2010-09-30 03:07 . 2010-10-19 17:22 -------- d-----w- f:\users\Kristen\AppData\Roaming\vlc
2010-09-30 03:06 . 2010-09-30 03:06 -------- d-----w- f:\users\Kristen\AppData\Local\Graboid
2010-09-30 03:06 . 2010-09-30 03:06 -------- d-----w- f:\users\Kristen\AppData\Roaming\MozillaControl
2010-09-30 03:06 . 2010-09-30 03:06 -------- d-----w- f:\program files\Mozilla ActiveX Control v1.7.12
2010-09-30 03:05 . 2010-09-30 03:11 -------- d-----w- f:\program files\Graboid
2010-09-29 01:01 . 2010-03-04 04:04 146304 ----a-w- f:\windows\system32\drivers\usbvideo.sys
2010-09-29 01:01 . 2010-03-04 03:57 190976 ----a-w- f:\windows\system32\drivers\ks.sys
2010-09-28 20:25 . 2010-06-19 06:15 2048 ----a-w- f:\windows\system32\tzres.dll
2010-09-28 20:25 . 2010-08-27 05:30 13312 ----a-w- f:\program files\Internet Explorer\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

(((((((((((((((((((((((((((((((( Oppstartspunkter I Registeret )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Merk* tomme oppføringer & gyldige standardoppføringer vises ikke
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="f:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"Sidebar"="f:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"uTorrent"="f:\program files\uTorrent\uTorrent.exe" [2010-10-13 328568]
"msnmsgr"="f:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-08-10 4217720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2009-04-14 604704]
"DelReg"="f:\program files\MSI\OverclockingCenter\DelReg.exe" [2008-12-03 196608]
"NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-03-08 13683232]
"NvMediaCenter"="f:\windows\system32\NvMcTray.dll" [2009-03-08 92704]
"SunJavaUpdateSched"="f:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"AdobeCS4ServiceManager"="f:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Acrobat Speed Launcher"="f:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="f:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 640376]
"Adobe Reader Speed Launcher"="f:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="f:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="f:\program files\QT Lite\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="f:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"Microsoft Default Manager"="f:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"DivXUpdate"="f:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"AVP"="f:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2011\avp.exe" [2010-10-15 352976]
"UnlockerAssistant"="f:\program files\Unlocker\UnlockerAssistant.exe" [2010-07-04 17408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=f:\progra~3\KASPER~1\KASPER~1\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux4"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;f:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 IBG_gds_db;InterBase 2009 Guardian gds_db;f:\codegear\InterBase\bin\ibguard.exe [2008-08-25 36864]
R3 DualCoreCenter;DualCoreCenter;f:\program files\MSI\OverclockingCenter\NTGLM7X.sys [x]
R3 FLASHSYS;FLASHSYS;f:\program files\MSI\Live Update 4\LU4\FLASHSYS.sys [x]
R3 IBS_gds_db;InterBase 2009 Server gds_db;f:\codegear\InterBase\bin\ibserver.exe [2008-08-25 2871296]
R3 MSICDSetup;MSICDSetup;E:\CDriver.sys [x]
R3 netr28u;RT2870 USB Wireless LAN Card Driver for Vista;f:\windows\system32\DRIVERS\netr28u.sys [x]
R3 RushTopDevice_J;RushTopDevice_J;f:\program files\MSI\OverclockingCenter\RushJ.sys [x]
R3 RushTopDevice2;RushTopDevice2;f:\program files\MSI\OverclockingCenter\RushTop.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;f:\windows\system32\Wat\WatAdminSvc.exe [2010-03-29 1343400]
R3 WSDPrintDevice;WSD Print Support via UMB;f:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]
R4 sptd;sptd;f:\windows\system32\Drivers\sptd.sys [2009-10-31 691696]
S1 kl2;kl2;f:\windows\system32\DRIVERS\kl2.sys [2010-06-09 11352]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;f:\windows\system32\DRIVERS\klim6.sys [2010-04-22 22104]
S1 vwififlt;Virtual WiFi Filter Driver;f:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 BlackfishSQL;BlackfishSQL;f:\program files\CodeGear\RAD Studio\6.0\bin\BSQLServer.exe [2008-08-29 65536]
S2 DriveBooster;DriveBooster;f:\program files\DriveBooster\XSrvSetup.exe [2008-09-09 69632]
S3 klmouflt;Kaspersky Lab KLMOUFLT;f:\windows\system32\DRIVERS\klmouflt.sys [2009-11-02 19984]
S3 RTL8167;Realtek 8167 NT Driver;f:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]


--- Andre tjenester/drivere lastet i minnet ---

*Deregistered* - bclyz
*Deregistered* - qtzkope

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
.
------- Tilleggsskanning -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Append Link Target to Existing PDF - f:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - f:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - f:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - f:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with ImTOO Download YouTube Video - f:\program files\ImTOO\Download YouTube Video\upod_link.HTM
FF - ProfilePath - f:\users\Kristen\AppData\Roaming\Mozilla\Firefox\Profiles\8ikycfp2.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: f:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\kavlinkfilter.dll
FF - plugin: f:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: f:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
f:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
f:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no");
f:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

[HKEY_LOCAL_MACHINE\system\ControlSet003\services\bclyz]

--

[HKEY_LOCAL_MACHINE\system\ControlSet003\services\qtzkope]

.
--------------------- LÅSTE REGISTERNØKLER ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Andre Kjørende Prosesser ------------------------
.
f:\windows\system32\nvvsvc.exe
f:\windows\system32\Ati2evxx.exe
f:\windows\system32\rundll32.exe
f:\program files\DriveBooster\DriveBoosterSetup.exe
f:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
f:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
f:\windows\system32\Ati2evxx.exe
f:\windows\system32\taskhost.exe
f:\windows\system32\conhost.exe
f:\windows\SOUNDMAN.EXE
f:\windows\System32\rundll32.exe
f:\program files\OpenOffice.org 3\program\soffice.exe
f:\program files\OpenOffice.org 3\program\soffice.bin
f:\program files\iPod\bin\iPodService.exe
f:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Tidspunkt ferdig: 2010-10-23 04:46:41 - maskinen ble startet på nytt
ComboFix-quarantined-files.txt 2010-10-23 02:46
ComboFix2.txt 2010-10-22 08:38
ComboFix3.txt 2010-10-20 00:03
ComboFix4.txt 2010-10-19 13:07
ComboFix5.txt 2010-10-23 02:29

Pre-Run: 44 424 282 112 bytes free
Post-Run: 44 303 015 936 bytes free

- - End Of File - - 215E255D6138BE51CBCC50D3D414F319

clawckc

Newbie Surfer

Posts : 11
Joined : 2010-10-16
Operating System : windows 7


Re: Rootkit.Win32.Bubnix.bba

Post by Belahzur on Sun 24 Oct 2010, 11:04 am

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to delete:
bclyz
qtzkope

Registry keys to delete:
HKEY_LOCAL_MACHINE\system\ControlSet003\services\bclyz
HKEY_LOCAL_MACHINE\system\ControlSet003\services\qtzkope

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre


Still trouble!

Post by clawckc on Mon 25 Oct 2010, 1:20 am

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at F:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "bclyz" deleted successfully.
Driver "qtzkope" deleted successfully.

Error: registry key "HKEY_LOCAL_MACHINE\system\ControlSet003\services\bclyz" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\system\ControlSet003\services\bclyz" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\system\ControlSet003\services\qtzkope" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\system\ControlSet003\services\qtzkope" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.


Hi again, I did a new search in regedit after running this script. I searched for all instances of bclyz,
and this is what I found. (Both driver files are still on the system. They were NOT deleted.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_BCLYZ
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\bclyz
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_BCLYZ
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_BCLYZ
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BCLYZ


clawckc

Newbie Surfer

Posts : 11
Joined : 2010-10-16
Operating System : windows 7


Re: Rootkit.Win32.Bubnix.bba

Post by Belahzur on Mon 25 Oct 2010, 11:16 am

Why doesn't this thing want to die. -_-

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_BCLYZ
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\bclyz
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_BCLYZ
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_BCLYZ
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BCLYZ

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

