Whistler Bootkit


Whistler Bootkit

Post by albsutherja on Wed Nov 03, 2010 11:44 pm

I think I've been infected with the Whistler bootkit, and have run OTL. Should I post OTL.Txt or Extras.Txt?


Re: Whistler Bootkit

Post by Belahzur on Thu Nov 04, 2010 12:22 am

Both please.



OTL.Txt

Post by albsutherja on Thu Nov 04, 2010 12:38 am

OTL logfile created on: 11/3/2010 6:16:40 PM - Run 1
OTL by OldTimer - Version 3.2.17.2 Folder = C:\Documents and Settings\Jordan\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 58.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 19.23 Gb Free Space | 34.41% Space Free | Partition Type: NTFS

Computer Name: USER-CAB611CE52 | User Name: Jordan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/11/03 18:15:39 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jordan\My Documents\Downloads\OTL (1).com
PRC - [2010/10/21 21:30:01 | 000,134,808 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Jordan\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
PRC - [2010/10/12 01:37:00 | 000,974,904 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Jordan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2010/09/16 15:04:06 | 001,164,584 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2010/08/13 12:58:56 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/07/23 00:05:56 | 000,126,904 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\18.1.0.37\ccSvcHst.exe
PRC - [2010/05/14 11:44:46 | 000,501,480 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jucheck.exe
PRC - [2010/03/28 14:28:05 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2005/07/05 02:32:04 | 000,639,040 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\ZCfgSvc.exe
PRC - [2005/07/05 02:28:34 | 000,421,955 | ---- | M] (Intel Corporation ) -- C:\WINDOWS\system32\S24EvMon.exe
PRC - [2005/07/05 02:26:36 | 000,389,186 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\1XConfig.exe
PRC - [2005/07/05 02:26:00 | 000,122,880 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\RegSrvc.exe
PRC - [2004/08/04 07:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/07/07 19:53:17 | 001,232,946 | ---- | M] (Ahead Software AG) -- C:\Program Files\Ahead\InCD\InCD.exe
PRC - [2004/07/07 19:53:17 | 000,798,772 | ---- | M] (AHEAD Software) -- C:\Program Files\Ahead\InCD\incdsrv.exe


========== Modules (SafeList) ==========

MOD - [2010/11/03 18:15:39 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Jordan\My Documents\Downloads\OTL (1).com
MOD - [2010/08/16 22:39:11 | 000,413,552 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\18.1.0.37\asOEHook.dll
MOD - [2009/07/12 00:02:02 | 000,653,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
MOD - [2009/07/12 00:02:00 | 000,569,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
MOD - [2004/08/04 07:00:00 | 001,050,624 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2010/09/23 14:44:39 | 002,950,744 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\netsession_win_062a651.dll -- (Akamai)
SRV - [2010/08/13 12:58:56 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/07/23 00:05:56 | 000,126,904 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Internet Security\Engine\18.1.0.37\ccSvcHst.exe -- (NIS)
SRV - [2005/07/05 02:28:34 | 000,421,955 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\WINDOWS\system32\S24EvMon.exe -- (S24EventMonitor)
SRV - [2005/07/05 02:26:00 | 000,122,880 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\WINDOWS\system32\RegSrvc.exe -- (RegSrvc)
SRV - [2004/07/07 19:53:17 | 000,798,772 | ---- | M] (AHEAD Software) [Auto | Running] -- C:\Program Files\Ahead\InCD\incdsrv.exe -- (InCDsrv)
SRV - [2003/04/29 15:29:54 | 000,139,264 | ---- | M] (Intel(R) Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\UIUSys.sys -- (UIUSys)
DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2010/10/19 15:36:22 | 000,341,880 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20101102.001\IDSXpx86.sys -- (IDSxpx86)
DRV - [2010/10/13 17:28:27 | 001,371,184 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20101103.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/10/13 17:28:27 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/10/13 17:28:27 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/10/13 17:28:27 | 000,086,064 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20101103.002\NAVENG.SYS -- (NAVENG)
DRV - [2010/10/13 16:57:51 | 000,126,512 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/08/31 17:57:04 | 000,692,272 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20101029.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2010/07/28 22:33:05 | 000,666,672 | R--- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1201000.025\SYMEFA.SYS -- (SymEFA)
DRV - [2010/07/28 21:54:36 | 000,489,008 | R--- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NIS\1201000.025\SRTSP.SYS -- (SRTSP)
DRV - [2010/07/28 21:54:36 | 000,050,096 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1201000.025\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2010/07/12 20:20:22 | 000,369,072 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1201000.025\SYMTDI.SYS -- (SYMTDI)
DRV - [2010/06/26 23:05:55 | 000,134,704 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\NIS\1201000.025\Ironx86.SYS -- (SymIRON)
DRV - [2010/06/13 05:50:57 | 000,339,504 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\NIS\1201000.025\SYMDS.SYS -- (SymDS)
DRV - [2007/02/08 15:51:16 | 002,209,408 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\w29n51.sys -- (w29n51) Intel(R)
DRV - [2005/07/26 17:36:50 | 000,662,400 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\w70n51.sys -- (w70n51) Intel(R)
DRV - [2005/06/17 08:15:26 | 000,010,970 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2005/05/03 15:09:28 | 001,033,728 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.SYS -- (HSF_DPV)
DRV - [2005/05/03 15:08:50 | 000,208,384 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2005/05/03 15:08:44 | 000,705,408 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/11/15 17:37:52 | 000,264,440 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\stac97.sys -- (STAC97) Audio Driver (WDM)
DRV - [2004/10/26 13:01:00 | 002,830,688 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/07/07 19:53:17 | 000,088,848 | ---- | M] (Ahead Software) [File_System | Disabled | Running] -- C:\WINDOWS\System32\drivers\incdfs.sys -- (InCDfs)
DRV - [2004/07/07 19:53:17 | 000,028,624 | ---- | M] (Ahead Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\incdpass.sys -- (InCDPass)
DRV - [2003/09/26 11:41:10 | 000,044,032 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2002/11/22 21:01:26 | 000,020,096 | ---- | M] (Intel Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/03/28 14:35:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\IPSFFPlgn\ [2010/10/13 16:58:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\coFFPlgn\ [2010/10/13 16:56:50 | 000,000,000 | ---D | M]

[2010/06/09 17:17:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jordan\Application Data\Mozilla\Extensions
[2009/11/25 18:54:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Jordan\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/06/09 17:17:27 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2004/08/04 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.1.0.37\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\18.1.0.37\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.1.0.37\CoIEPlg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.1.0.37\CoIEPlg.dll (Symantec Corporation)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe (Ahead Software AG)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe (Intel(R) Corporation)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe (Intel Corporation)
O4 - HKCU..\Run: [AdobeBridge] File not found
O4 - Startup: C:\Documents and Settings\Jordan\Start Menu\Programs\Startup\Civilization Registration.lnk = D:\ATR1.EXE File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_21)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\Sebring: DllName - C:\WINDOWS\system32\LgNotify.dll - C:\WINDOWS\system32\LgNotify.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Jordan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Jordan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/11/22 14:34:28 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Microsoft VM
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: msacm.vorbis - C:\WINDOWS\System32\vorbis.acm (HMS [You must be registered and logged in to see this link.]
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - DivX.dll File not found
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.yv12 - DivX.dll File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (54619756233228288)

========== Files/Folders - Created Within 30 Days ==========

[2010/11/01 22:18:38 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/11/01 22:12:43 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/11/01 21:03:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jordan\My Documents\Vuze Downloads
[2010/10/29 17:53:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jordan\My Documents\FrostWire
[2010/10/29 17:52:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jordan\Application Data\FrostWire
[2010/10/28 20:45:23 | 000,000,000 | ---D | C] -- C:\Program Files\TuneUpMedia
[2010/10/28 20:45:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jordan\Application Data\TuneUpMedia
[2010/10/28 20:45:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TuneUpMedia
[2010/10/28 20:42:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jordan\Application Data\Azureus
[2010/10/26 16:01:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jordan\Application Data\LolClient
[2010/10/25 23:22:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\nView_Profiles
[2010/10/25 17:00:54 | 000,000,000 | ---D | C] -- C:\Riot Games
[2010/10/25 14:57:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jordan\Desktop\LoL.Prod.9_08_2010
[2010/10/25 14:57:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jordan\Local Settings\Application Data\PMB Files
[2010/10/25 14:57:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PMB Files
[2010/10/25 14:57:00 | 000,000,000 | ---D | C] -- C:\Program Files\Pando Networks
[2010/10/25 14:54:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2010/10/13 16:58:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Jordan\My Documents\Symantec
[2010/10/13 16:57:51 | 000,126,512 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/10/13 16:57:51 | 000,060,808 | ---- | C] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/10/13 16:57:51 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2010/10/13 16:57:28 | 000,369,072 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1201000.025\symtdi.sys
[2010/10/13 16:57:28 | 000,331,312 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1201000.025\symtdiv.sys
[2010/10/13 16:57:28 | 000,294,448 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1201000.025\symnets.sys
[2010/10/13 16:57:27 | 000,666,672 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1201000.025\SymEFA.sys
[2010/10/13 16:57:27 | 000,489,008 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1201000.025\srtsp.sys
[2010/10/13 16:57:27 | 000,339,504 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1201000.025\SymDS.sys
[2010/10/13 16:57:27 | 000,134,704 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1201000.025\Ironx86.sys
[2010/10/13 16:57:27 | 000,050,096 | R--- | C] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\NIS\1201000.025\srtspx.sys
[2010/10/13 16:56:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NIS
[2010/10/13 16:56:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\NIS\1201000.025
[2010/10/13 16:56:50 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Sidebar
[2010/10/13 16:56:50 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Internet Security
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/11/03 17:39:29 | 000,000,288 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-18.job
[2010/11/03 17:39:29 | 000,000,280 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-18.job
[2010/11/03 17:37:18 | 000,011,336 | ---- | M] () -- C:\WINDOWS\System32\nvModes.001
[2010/11/02 20:22:44 | 000,000,280 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-343818398-1078145449-1060284298-1003.job
[2010/11/02 20:22:42 | 000,000,288 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-343818398-1078145449-1060284298-1003.job
[2010/11/02 20:07:54 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/11/02 19:35:01 | 000,000,982 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1078145449-1060284298-1003UA.job
[2010/11/01 22:41:05 | 000,023,760 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/11/01 22:25:08 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/11/01 22:24:27 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/11/01 22:24:25 | 000,017,112 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/11/01 22:24:18 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/11/01 22:24:15 | 1609,871,360 | -HS- | M] () -- C:\hiberfil.sys
[2010/11/01 22:13:18 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/11/01 21:35:02 | 000,000,930 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1078145449-1060284298-1003Core.job
[2010/10/31 21:37:00 | 000,000,049 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/10/30 14:50:05 | 000,011,336 | ---- | M] () -- C:\WINDOWS\System32\nvModes.dat
[2010/10/30 11:58:30 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/10/29 20:57:26 | 000,001,064 | ---- | M] () -- C:\Documents and Settings\Jordan\Application Data\Microsoft\Internet Explorer\Quick Launch\Perfect World International (2).lnk
[2010/10/28 20:46:03 | 000,000,708 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\TuneUp Companion.lnk
[2010/10/25 14:54:06 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/10/23 19:38:39 | 000,002,271 | ---- | M] () -- C:\Documents and Settings\Jordan\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/10/23 19:38:38 | 000,002,293 | ---- | M] () -- C:\Documents and Settings\Jordan\Desktop\Google Chrome.lnk
[2010/10/13 16:58:16 | 001,054,278 | ---- | M] () -- C:\WINDOWS\System32\drivers\NIS\1201000.025\Cat.DB
[2010/10/13 16:57:51 | 000,126,512 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2010/10/13 16:57:51 | 000,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2010/10/13 16:57:51 | 000,007,456 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/10/13 16:57:51 | 000,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/10/13 16:57:30 | 000,001,973 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Norton Internet Security.LNK
[2010/10/12 21:02:27 | 004,754,938 | ---- | M] () -- C:\Documents and Settings\Jordan\My Documents\Pokemon-Theme.mp3
[2010/10/12 16:27:29 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\Jordan\Desktop\Microsoft Word.lnk
[2010/10/09 15:04:52 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/11/01 22:19:38 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/11/01 22:13:18 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/10/29 20:57:26 | 000,001,064 | ---- | C] () -- C:\Documents and Settings\Jordan\Application Data\Microsoft\Internet Explorer\Quick Launch\Perfect World International (2).lnk
[2010/10/28 20:46:03 | 000,000,708 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\TuneUp Companion.lnk
[2010/10/13 16:58:01 | 001,054,278 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1201000.025\Cat.DB
[2010/10/13 16:57:51 | 000,007,456 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2010/10/13 16:57:51 | 000,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2010/10/13 16:57:30 | 000,001,973 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Norton Internet Security.LNK
[2010/10/13 16:57:09 | 000,003,373 | R--- | C] () -- C:\WINDOWS\System32\drivers\NIS\1201000.025\SymEFA.inf
[2010/10/13 16:57:09 | 000,002,792 | R--- | C] () -- C:\WINDOWS\System32\drivers\NIS\1201000.025\SymDS.inf
[2010/10/13 16:57:09 | 000,001,473 | R--- | C] () -- C:\WINDOWS\System32\drivers\NIS\1201000.025\SymNetV.inf
[2010/10/13 16:57:09 | 000,001,445 | R--- | C] () -- C:\WINDOWS\System32\drivers\NIS\1201000.025\SymNet.inf
[2010/10/13 16:57:09 | 000,001,389 | R--- | C] () -- C:\WINDOWS\System32\drivers\NIS\1201000.025\srtspx.inf
[2010/10/13 16:57:09 | 000,001,383 | R--- | C] () -- C:\WINDOWS\System32\drivers\NIS\1201000.025\srtsp.inf
[2010/10/13 16:57:09 | 000,000,741 | R--- | C] () -- C:\WINDOWS\System32\drivers\NIS\1201000.025\Iron.inf
[2010/10/13 16:56:54 | 000,007,787 | R--- | C] () -- C:\WINDOWS\System32\drivers\NIS\1201000.025\symnetv.cat
[2010/10/13 16:56:54 | 000,007,446 | R--- | C] () -- C:\WINDOWS\System32\drivers\NIS\1201000.025\SymNet.cat
[2010/10/13 16:56:54 | 000,007,444 | R--- | C] () -- C:\WINDOWS\System32\drivers\NIS\1201000.025\SymEFA.cat
[2010/10/13 16:56:54 | 000,007,442 | R--- | C] () -- C:\WINDOWS\System32\drivers\NIS\1201000.025\srtspx.cat
[2010/10/13 16:56:54 | 000,007,438 | R--- | C] () -- C:\WINDOWS\System32\drivers\NIS\1201000.025\SymDS.cat
[2010/10/13 16:56:54 | 000,007,438 | R--- | C] () -- C:\WINDOWS\System32\drivers\NIS\1201000.025\srtsp.cat
[2010/10/13 16:56:54 | 000,007,438 | R--- | C] () -- C:\WINDOWS\System32\drivers\NIS\1201000.025\iron.cat
[2010/10/13 16:56:54 | 000,000,172 | ---- | C] () -- C:\WINDOWS\System32\drivers\NIS\1201000.025\isolate.ini
[2010/10/12 21:02:27 | 004,754,938 | ---- | C] () -- C:\Documents and Settings\Jordan\My Documents\Pokemon-Theme.mp3
[2010/05/12 16:04:42 | 000,076,407 | ---- | C] () -- C:\Documents and Settings\Jordan\Application Data\Smiley.ico
[2009/12/31 21:53:27 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\Jordan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/25 16:02:36 | 000,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/11/22 14:49:46 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/11/22 07:52:28 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2005/07/05 02:37:14 | 000,045,124 | ---- | C] () -- C:\WINDOWS\System32\LsaWrApi.dll
[2005/07/05 02:29:16 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\ShellNav.dll
[2005/07/05 02:27:42 | 000,532,549 | ---- | C] () -- C:\WINDOWS\System32\C1XStngs.dll
[2005/07/05 02:26:40 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\D8021Xps.dll
[2005/01/13 04:00:14 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2005/01/13 04:00:10 | 000,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll

========== Custom Scans ==========


< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\system32\*.exe /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >

< %systemroot%\system32\*.sys >

< %systemroot%\system32\drivers\*.dll >

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %SYSTEMDRIVE%\*.* >
[2009/11/22 14:34:28 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/11/22 14:01:54 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2009/11/22 14:34:28 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2010/11/01 22:24:15 | 1609,871,360 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/22 14:34:28 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/03/24 20:44:19 | 000,000,845 | -H-- | M] () -- C:\IPH.PH
[2009/11/22 14:34:28 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 07:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2004/08/04 07:00:00 | 000,250,032 | RHS- | M] () -- C:\ntldr
[2010/11/01 22:24:13 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys

< %PROGRAMFILES%\*. >
[2010/09/18 12:50:11 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2010/06/08 14:03:11 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe Media Player
[2009/11/23 13:40:06 | 000,000,000 | ---D | M] -- C:\Program Files\Ahead
[2010/03/24 20:44:00 | 000,000,000 | ---D | M] -- C:\Program Files\AIM
[2010/07/13 14:22:11 | 000,000,000 | ---D | M] -- C:\Program Files\Alwil Software
[2009/12/29 21:19:49 | 000,000,000 | ---D | M] -- C:\Program Files\AMT
[2010/09/10 20:12:15 | 000,000,000 | ---D | M] -- C:\Program Files\Apple Software Update
[2009/12/29 20:59:54 | 000,000,000 | ---D | M] -- C:\Program Files\AVG
[2010/09/04 19:06:12 | 000,000,000 | ---D | M] -- C:\Program Files\Bonjour
[2009/11/23 10:21:39 | 000,000,000 | ---D | M] -- C:\Program Files\Broadcom
[2010/10/02 22:15:53 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2009/11/22 14:29:41 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2009/11/23 10:28:12 | 000,000,000 | ---D | M] -- C:\Program Files\CONEXANT
[2009/11/23 13:38:15 | 000,000,000 | ---D | M] -- C:\Program Files\CyberLink
[2010/10/02 22:15:58 | 000,000,000 | ---D | M] -- C:\Program Files\DivX
[2010/05/04 15:20:30 | 000,000,000 | ---D | M] -- C:\Program Files\Image-Line
[2010/09/05 18:52:35 | 000,000,000 | ---D | M] -- C:\Program Files\iMesh Applications
[2010/10/25 17:00:47 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2009/11/23 13:23:12 | 000,000,000 | ---D | M] -- C:\Program Files\Intel
[2010/06/10 07:49:34 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2010/11/01 22:18:38 | 000,000,000 | ---D | M] -- C:\Program Files\iPod
[2010/09/08 20:00:48 | 000,000,000 | ---D | M] -- C:\Program Files\iPod(2)
[2010/11/01 22:29:14 | 000,000,000 | ---D | M] -- C:\Program Files\iTunes
[2010/09/08 20:00:49 | 000,000,000 | ---D | M] -- C:\Program Files\iTunes(2)
[2010/08/11 17:23:55 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2010/10/27 18:40:42 | 000,000,000 | ---D | M] -- C:\Program Files\LimeWire
[2009/11/26 00:21:09 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2009/11/22 14:48:56 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft ActiveSync
[2009/11/22 14:35:07 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2009/11/22 14:48:07 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2010/09/30 16:17:45 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2009/11/22 14:48:32 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Visual Studio
[2010/03/10 15:01:54 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2010/06/09 17:17:28 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox
[2009/11/22 14:28:19 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2009/11/22 14:28:54 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2009/11/22 14:31:19 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2010/10/13 16:56:54 | 000,000,000 | ---D | M] -- C:\Program Files\Norton Internet Security
[2010/10/13 16:46:22 | 000,000,000 | ---D | M] -- C:\Program Files\Norton Security Scan
[2010/10/13 18:44:07 | 000,000,000 | ---D | M] -- C:\Program Files\NortonInstaller
[2009/11/22 14:29:08 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2010/05/12 15:51:48 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2010/03/27 13:55:29 | 000,000,000 | ---D | M] -- C:\Program Files\Outsim
[2010/10/25 14:57:00 | 000,000,000 | ---D | M] -- C:\Program Files\Pando Networks
[2010/07/15 09:54:02 | 000,000,000 | ---D | M] -- C:\Program Files\Project64 1.6
[2010/11/01 22:13:31 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime
[2010/09/08 20:03:48 | 000,000,000 | ---D | M] -- C:\Program Files\QuickTime(2)
[2010/03/28 14:32:21 | 000,000,000 | ---D | M] -- C:\Program Files\Real
[2009/11/23 10:20:08 | 000,000,000 | ---D | M] -- C:\Program Files\SigmaTel
[2010/06/14 22:47:47 | 000,000,000 | R--D | M] -- C:\Program Files\Skype
[2010/10/13 16:57:52 | 000,000,000 | ---D | M] -- C:\Program Files\Symantec
[2010/10/28 20:46:00 | 000,000,000 | ---D | M] -- C:\Program Files\TuneUpMedia
[2009/11/22 14:44:42 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2010/05/04 15:15:27 | 000,000,000 | ---D | M] -- C:\Program Files\VstPlugins
[2009/12/16 19:21:24 | 000,000,000 | ---D | M] -- C:\Program Files\Watchtower
[2010/02/09 16:38:05 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2010/02/09 16:38:03 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2009/11/22 14:28:46 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2010/10/13 16:56:50 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Sidebar
[2009/11/22 14:32:18 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2009/11/22 14:35:07 | 000,000,000 | ---D | M] -- C:\Program Files\xerox

< %appdata%\*.* >
[2009/11/22 07:51:49 | 000,000,062 | -HS- | M] () -- C:\Documents and Settings\Jordan\Application Data\desktop.ini
[2010/06/30 16:02:14 | 000,022,952 | ---- | M] () -- C:\Documents and Settings\Jordan\Application Data\GDIPFONTCACHEV1.DAT
[2009/11/04 06:49:48 | 000,076,407 | ---- | M] () -- C:\Documents and Settings\Jordan\Application Data\Smiley.ico


< MD5 for: AGP440.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/04/13 13:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\agp440.sys
[2004/08/04 00:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\dllcache\agp440.sys
[2004/08/04 00:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\drivers\AGP440.SYS
[2004/08/03 18:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/04/13 13:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/03 23:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 07:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys

< MD5 for: DISK.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:disk.sys
[2004/08/04 07:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=00CA44E4534865F8A3B64F7C0984BFF0 -- C:\WINDOWS\system32\drivers\disk.sys
[2008/04/13 13:40:47 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\disk.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 19:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\eventlog.dll
[2004/08/04 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2004/08/04 07:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: IASTOR.SYS >
[2005/04/25 10:28:14 | 000,871,040 | ---- | M] (Intel Corporation) MD5=D593517879E65167DF35F6015814AC59 -- C:\WINDOWS\dell\iastor\iastor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/13 19:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\netlogon.dll
[2009/02/06 13:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 13:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2004/08/04 07:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: NVATABUS.SYS >
[2005/03/21 20:49:00 | 000,088,960 | ---- | M] (NVIDIA Corporation) MD5=A1F88223528AADBB6374132BECBBDCC1 -- C:\WINDOWS\dell\nvraid\NvAtaBus.sys
[2005/03/21 20:49:00 | 000,088,960 | ---- | M] (NVIDIA Corporation) MD5=A1F88223528AADBB6374132BECBBDCC1 -- C:\WINDOWS\system32\drivers\NvAtaBus.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 07:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\dllcache\scecli.dll
[2004/08/04 07:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2008/04/13 19:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\scecli.dll

< MD5 for: USBSTOR.SYS >
[2004/08/04 07:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:usbstor.sys
[2004/08/04 00:08:48 | 000,026,496 | ---- | M] (Microsoft Corporation) MD5=6CD7B22193718F1D17A47A1CD6D37E75 -- C:\WINDOWS\system32\dllcache\usbstor.sys
[2004/08/04 00:08:48 | 000,026,496 | ---- | M] (Microsoft Corporation) MD5=6CD7B22193718F1D17A47A1CD6D37E75 -- C:\WINDOWS\system32\drivers\USBSTOR.SYS
[2008/04/13 13:45:38 | 000,026,368 | ---- | M] (Microsoft Corporation) MD5=A32426D9B14A089EAA1D922E0C5801A9 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\usbstor.sys

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

< End of report >

albsutherja

Extras.Txt

Post by albsutherja on Thu Nov 04, 2010 12:39 am

OTL Extras logfile created on: 11/3/2010 6:16:41 PM - Run 1
OTL by OldTimer - Version 3.2.17.2 Folder = C:\Documents and Settings\Jordan\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 58.00% Memory free
3.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 19.23 Gb Free Space | 34.41% Space Free | Partition Type: NTFS

Computer Name: USER-CAB611CE52 | User Name: Jordan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"58368:TCP" = 58368:TCP:*:Enabled:Pando Media Booster
"58368:UDP" = 58368:UDP:*:Enabled:Pando Media Booster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"58368:TCP" = 58368:TCP:*:Enabled:Pando Media Booster
"58368:UDP" = 58368:UDP:*:Enabled:Pando Media Booster
"8380:TCP" = 8380:TCP:*:Enabled:League of Legends Launcher
"8380:UDP" = 8380:UDP:*:Enabled:League of Legends Launcher
"1040:TCP" = 1040:TCP:*:Enabled:Akamai NetSession Interface
"5000:UDP" = 5000:UDP:*:Enabled:Akamai NetSession Interface

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AIM -- (AOL Inc.)
"C:\Program Files\LimeWire\LimeWire.exe" = C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire -- File not found
"C:\Program Files\Steam\Steam.exe" = C:\Program Files\Steam\Steam.exe:*:Enabled:Steam -- File not found
"C:\Program Files\Real\RealPlayer\realplay.exe" = C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer -- (RealNetworks, Inc.)
"C:\games\Red Faction Worldwide Demo\RedFaction.exe" = C:\games\Red Faction Worldwide Demo\RedFaction.exe:*:Enabled:Red Faction Launcher -- File not found
"C:\games\Red Faction Worldwide Demo\RF.exe" = C:\games\Red Faction Worldwide Demo\RF.exe:*:Enabled:Red Faction -- File not found
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\Pando Networks\Media Booster\PMB.exe" = C:\Program Files\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()
"C:\Riot Games\League of Legends\air\LolClient.exe" = C:\Riot Games\League of Legends\air\LolClient.exe:*:Enabled:League of Legends Lobby -- (Adobe Systems Inc.)
"C:\Riot Games\League of Legends\game\League of Legends.exe" = C:\Riot Games\League of Legends\game\League of Legends.exe:*:Enabled:League of Legends Game Client -- ()
"C:\Program Files\FrostWire\FrostWire.exe" = C:\Program Files\FrostWire\FrostWire.exe:*:Enabled:FrostWire -- File not found
"C:\Program Files\Vuze\Azureus.exe" = C:\Program Files\Vuze\Azureus.exe:*:Enabled:Azureus / Vuze -- File not found
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{0D2DBE8A-43D0-7830-7AE7-CA6C99A832E7}" = Adobe Community Help
"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 21
"{28999392-5871-4A39-863A-D2A6EA3260AF}" = League of Legends
"{2CE5A2E7-3437-4CE7-BCF4-85ED6EEFF9E4}" = iTunes
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{92606477-9366-4D3B-8AE3-6BE4B29727AB}" = League of Legends
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{9559F7CA-5E34-4237-A2D9-D856464AD727}" = Project64 1.6
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = C-Major Audio
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B5C3B892-0849-476C-9F46-B12F84819D57}" = Apple Mobile Device Support
"{b697396d-4bff-430d-9578-8aa5a549777a}" = Intel(R) PROSet
"{C4124E95-5061-4776-8D5D-E3D931C778E1}" = Microsoft VC9 runtime libraries
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}" = Apple Mobile Device Support
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}" = Apple Application Support
"{DE3A9DC5-9A5D-6485-9662-347162C7E4CA}" = Adobe Media Player
"{DE5BFF9C-84D1-4B09-9C20-54633044CB85}" = Watchtower Library 2008 - English
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
"{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}" = Bonjour
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AIM_7" = AIM 7
"Akamai" = Akamai NetSession Interface
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1" = Conexant D480 MDC V.92 Modem
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"DivX Setup.divx.com" = DivX Setup
"ie8" = Windows Internet Explorer 8
"InCD!UninstallKey" = InCD
"InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero - Burning Rom!UninstallKey" = Nero OEM
"NIS" = Norton Internet Security
"NVIDIA Drivers" = NVIDIA Drivers
"RealPlayer 12.0" = RealPlayer
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"TuneUpMedia" = TuneUp Companion 1.9.0
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/1/2010 9:49:38 PM | Computer Name = USER-CAB611CE52 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 1302

Error - 11/1/2010 9:49:38 PM | Computer Name = USER-CAB611CE52 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 1302

Error - 11/1/2010 9:49:40 PM | Computer Name = USER-CAB611CE52 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 11/1/2010 9:49:40 PM | Computer Name = USER-CAB611CE52 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 3565

Error - 11/1/2010 9:49:40 PM | Computer Name = USER-CAB611CE52 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 3565

Error - 11/1/2010 10:50:21 PM | Computer Name = USER-CAB611CE52 | Source = Bonjour Service | ID = 100
Description = 252: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 11/1/2010 10:51:41 PM | Computer Name = USER-CAB611CE52 | Source = Bonjour Service | ID = 100
Description = 384: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 11/1/2010 10:51:41 PM | Computer Name = USER-CAB611CE52 | Source = Bonjour Service | ID = 100
Description = 416: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 11/1/2010 10:51:41 PM | Computer Name = USER-CAB611CE52 | Source = Bonjour Service | ID = 100
Description = 404: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 11/1/2010 10:51:42 PM | Computer Name = USER-CAB611CE52 | Source = Bonjour Service | ID = 100
Description = 252: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

[ Application Events ]
Error - 11/1/2010 9:49:38 PM | Computer Name = USER-CAB611CE52 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 1302

Error - 11/1/2010 9:49:38 PM | Computer Name = USER-CAB611CE52 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 1302

Error - 11/1/2010 9:49:40 PM | Computer Name = USER-CAB611CE52 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 11/1/2010 9:49:40 PM | Computer Name = USER-CAB611CE52 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 3565

Error - 11/1/2010 9:49:40 PM | Computer Name = USER-CAB611CE52 | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 3565

Error - 11/1/2010 10:50:21 PM | Computer Name = USER-CAB611CE52 | Source = Bonjour Service | ID = 100
Description = 252: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 11/1/2010 10:51:41 PM | Computer Name = USER-CAB611CE52 | Source = Bonjour Service | ID = 100
Description = 384: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 11/1/2010 10:51:41 PM | Computer Name = USER-CAB611CE52 | Source = Bonjour Service | ID = 100
Description = 416: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 11/1/2010 10:51:41 PM | Computer Name = USER-CAB611CE52 | Source = Bonjour Service | ID = 100
Description = 404: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

Error - 11/1/2010 10:51:42 PM | Computer Name = USER-CAB611CE52 | Source = Bonjour Service | ID = 100
Description = 252: ERROR: read_msg errno 10054 (An existing connection was forcibly
closed by the remote host.)

[ System Events ]
Error - 10/25/2010 7:06:47 PM | Computer Name = USER-CAB611CE52 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the NIS service.

Error - 10/25/2010 7:07:17 PM | Computer Name = USER-CAB611CE52 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the NIS service.

Error - 10/25/2010 7:44:39 PM | Computer Name = USER-CAB611CE52 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the NIS service.

Error - 11/1/2010 10:43:13 PM | Computer Name = USER-CAB611CE52 | Source = DCOM | ID = 10010
Description = The server {DC0C2640-1415-4644-875C-6F4D769839BA} did not register
with DCOM within the required timeout.

Error - 11/1/2010 10:56:27 PM | Computer Name = USER-CAB611CE52 | Source = DCOM | ID = 10010
Description = The server {DC0C2640-1415-4644-875C-6F4D769839BA} did not register
with DCOM within the required timeout.

Error - 11/1/2010 11:11:24 PM | Computer Name = USER-CAB611CE52 | Source = DCOM | ID = 10010
Description = The server {DC0C2640-1415-4644-875C-6F4D769839BA} did not register
with DCOM within the required timeout.

Error - 11/1/2010 11:20:32 PM | Computer Name = USER-CAB611CE52 | Source = DCOM | ID = 10010
Description = The server {DC0C2640-1415-4644-875C-6F4D769839BA} did not register
with DCOM within the required timeout.

Error - 11/3/2010 7:15:07 PM | Computer Name = USER-CAB611CE52 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the NIS service.

Error - 11/3/2010 7:15:36 PM | Computer Name = USER-CAB611CE52 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the NIS service.

Error - 11/3/2010 7:17:55 PM | Computer Name = USER-CAB611CE52 | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the NIS service.


< End of report >

albsutherja
Novice

Posts : 5
Joined : 2010-11-03
Gender : Male
OS : Windows XP Professional
Protection : Norton Antivirus
Points : 22313
Likes : 0

Re: Whistler Bootkit

Post by Belahzur on Thu Nov 04, 2010 1:05 am

Hello.

Download [You must be registered and logged in to see this link.] to your desktop.

  • Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
  • It will show a black screen with some data on it.
  • A report called MBRcheckxxxx.txt will be on your desktop
  • Open this report and post its content in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
Likes : 1

MBR

Post by albsutherja on Thu Nov 04, 2010 1:27 am

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 139):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EC000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF75A8000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7597000 pci.sys
0xF75F7000 isapnp.sys
0xF7607000 ohci1394.sys
0xF7617000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF789B000 compbatt.sys
0xF789F000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF798B000 intelide.sys
0xF74D9000 pcmcia.sys
0xF7627000 MountMgr.sys
0xF74BA000 ftdisk.sys
0xF770F000 PartMgr.sys
0xF7637000 VolSnap.sys
0xF74A2000 atapi.sys
0xF7717000 cercsr6.sys
0xF748A000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xF7647000 disk.sys
0xF7657000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF746B000 fltMgr.sys
0xF7414000 SYMDS.SYS
0xF7402000 sr.sys
0xF7B36000 SYMEFA.SYS
0xF7880000 KSecDD.sys
0xBA773000 Ntfs.sys
0xBA746000 NDIS.sys
0xBA72B000 Mup.sys
0xF7667000 agp440.sys
0xBA68B000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xBA653000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xB9ADE000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB9ACA000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF77EF000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9AA7000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF77F7000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7687000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xB9F1B000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB9A05000 \SystemRoot\system32\DRIVERS\w70n51.sys
0xB9F0B000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF77FF000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7807000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB9EFB000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA64B000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB99F1000 \SystemRoot\system32\DRIVERS\parport.sys
0xB9EEB000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB9EDB000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB9ECB000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB99CE000 \SystemRoot\system32\DRIVERS\ks.sys
0xF780F000 \SystemRoot\System32\DRIVERS\InCDPass.sys
0xF7817000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xB998D000 \SystemRoot\system32\drivers\stac97.sys
0xB9969000 \SystemRoot\system32\drivers\portcls.sys
0xB9EBB000 \SystemRoot\system32\drivers\drmk.sys
0xB9936000 \SystemRoot\system32\DRIVERS\HSFHWICH.sys
0xB9839000 \SystemRoot\system32\DRIVERS\HSF_DPV.SYS
0xB978C000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF781F000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7ABE000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB9EAB000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA643000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB9775000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB9E9B000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB9E8B000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF772F000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB9764000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7697000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7737000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF773F000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB9733000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF76B7000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79B1000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB96FF000 \SystemRoot\system32\DRIVERS\update.sys
0xBA627000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF76C7000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF76D7000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79B7000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF79BD000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB9DAB000 \SystemRoot\System32\Drivers\Null.SYS
0xF79BF000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7767000 \SystemRoot\System32\drivers\vga.sys
0xF79C1000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79C5000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF79C3000 \SystemRoot\System32\Drivers\InCDrec.SYS
0xB84FC000 \SystemRoot\System32\Drivers\InCDfs.SYS
0xF776F000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7777000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB9F59000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB84E9000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB8491000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB8438000 \SystemRoot\system32\drivers\NIS\1201000.025\SYMTDI.SYS
0xB8412000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xB83F1000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB82F1000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB82CF000 \SystemRoot\System32\drivers\afd.sys
0xF76F7000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB820C000 \SystemRoot\system32\drivers\NIS\1201000.025\Ironx86.SYS
0xF7587000 \SystemRoot\system32\drivers\NIS\1201000.025\SRTSPX.SYS
0xB81BA000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB814B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7577000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7567000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF7557000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB806E000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xB8047000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xB7EE6000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20101029.001\BHDrvx86.sys
0xBA71B000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB7ECE000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7A01000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB8589000 \SystemRoot\System32\drivers\Dxapi.sys
0xF77DF000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xB8148000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB61CF000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xB61CB000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xB61A7000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB559A000 \SystemRoot\system32\drivers\wdmaud.sys
0xF7537000 \SystemRoot\system32\drivers\sysaudio.sys
0xB49EF000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF79E5000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB4844000 \SystemRoot\system32\DRIVERS\srv.sys
0xB489F000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB48A7000 \SystemRoot\system32\DRIVERS\secdrv.sys
0xB4083000 \SystemRoot\System32\Drivers\HTTP.sys
0xB3EEA000 \SystemRoot\system32\drivers\NIS\1201000.025\SRTSP.SYS
0xB37C1000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xAC612000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20101103.023\NAVEX15.SYS
0xAC5FE000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20101103.023\NAVENG.SYS
0xAC5A6000 \??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20101103.001\IDSxpx86.sys
0xAC57C000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 55):
0 System Idle Process
4 System
772 C:\WINDOWS\system32\smss.exe
852 csrss.exe
876 C:\WINDOWS\system32\winlogon.exe
920 C:\WINDOWS\system32\services.exe
932 C:\WINDOWS\system32\lsass.exe
1076 C:\WINDOWS\system32\svchost.exe
1156 svchost.exe
1196 C:\WINDOWS\system32\svchost.exe
1252 C:\WINDOWS\system32\S24EvMon.exe
1440 svchost.exe
1484 C:\WINDOWS\system32\ZCfgSvc.exe
1660 C:\WINDOWS\explorer.exe
1756 svchost.exe
1808 C:\WINDOWS\system32\1XConfig.exe
204 C:\WINDOWS\system32\svchost.exe
240 C:\WINDOWS\system32\spoolsv.exe
744 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
792 C:\Program Files\Ahead\InCD\InCD.exe
1096 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1084 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
1516 C:\Program Files\Messenger\msmsgs.exe
1568 C:\WINDOWS\system32\ctfmon.exe
1708 C:\Documents and Settings\Jordan\Local Settings\Application Data\Google\Update\1.2.183.39\GoogleCrashHandler.exe
340 C:\WINDOWS\system32\svchost.exe
380 svchost.exe
1376 C:\WINDOWS\system32\svchost.exe
1272 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
504 C:\Program Files\Bonjour\mDNSResponder.exe
604 C:\Program Files\Ahead\InCD\incdsrv.exe
1244 C:\Program Files\Java\jre6\bin\jqs.exe
732 iexplore.exe
632 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
2152 C:\Program Files\Norton Internet Security\Engine\18.1.0.37\ccSvcHst.exe
2272 C:\WINDOWS\system32\nvsvc32.exe
2312 C:\WINDOWS\system32\RegSrvc.exe
2472 C:\WINDOWS\system32\svchost.exe
3424 C:\Program Files\Norton Internet Security\Engine\18.1.0.37\ccSvcHst.exe
3520 C:\WINDOWS\system32\wuauclt.exe
3696 alg.exe
2680 C:\Program Files\Common Files\Java\Java Update\jucheck.exe
4060 C:\Program Files\iPod\bin\iPodService.exe
3416 C:\Program Files\iTunes\iTunesHelper.exe
3320 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
5880 iexplore.exe
1388 C:\Program Files\Internet Explorer\iexplore.exe
4692 C:\Program Files\Internet Explorer\iexplore.exe
6136 C:\Documents and Settings\Jordan\My Documents\Downloads\OTL (1).com
1900 C:\WINDOWS\NOTEPAD.EXE
5524 C:\WINDOWS\NOTEPAD.EXE
4340 C:\Program Files\Internet Explorer\iexplore.exe
2652 C:\Program Files\Internet Explorer\iexplore.exe
2368 C:\Documents and Settings\Jordan\Desktop\MBRCheck.exe
5216 <unknown>

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: HTS726060M9AT00, Rev: MH4OA6AA

Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 680C3DFB3AF5C02B7E098CA7B25CA73D63745DC5


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

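The MBRCheck output above reads the boot sector of \\.\PhysicalDrive0, hashes it and matches the hash against a list of known-bad MBR code. The script below is an added example (not part of this thread, and not MBRCheck's or ComboFix's code) of the same kind of check: it reads the first 512-byte sector, parses the four partition entries (the first one starting at LBA 63 gives exactly the 0x7E00 byte offset MBRCheck printed), hashes the 440-byte boot-code region with SHA1 and looks the digest up in caller-supplied known-good and known-bad sets. The sample MBR, the function names and the empty hash sets are constructed for illustration; the thread does not say which bytes MBRCheck hashes, so the region boundary is this example's design choice, not a description of that tool.

```python
"""Read and classify a master boot record (MBR): parse the partition table,
hash the boot-code region and compare the digest with known hashes.

Added example, not part of the forum thread and not MBRCheck/ComboFix code.
The known-hash sets are placeholders to fill from your own baselines; the
sample MBR is constructed inline so the script runs offline.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # x86 MBR: code and message strings occupy bytes 0..439
DISK_SIG_OFF = 440       # 4-byte Windows disk signature + 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
SIGNATURE_OFF = 510      # boot signature 0x55 0xAA


def read_mbr(path: str) -> bytes:
    """Read the first sector of a disk or image. On Windows (run as Administrator)
    use r'\\.\PhysicalDrive0'; on Linux /dev/sda; any raw image file also works."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


def parse_partitions(mbr: bytes):
    """Return the four partition entries; empty (type 0) entries are included."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<BxxxBxxxII", mbr, off)
        entries.append({
            "index": i,
            "bootable": bool(status & 0x80),
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR,   # LBA 63 -> 0x7E00, as in the MBRCheck output
        })
    return entries


def boot_code_sha1(mbr: bytes) -> str:
    """SHA1 of the code region only (design choice of this example). The disk
    signature and partition table legitimately differ per machine, so hashing
    all 512 bytes would make every disk look 'unknown'."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def classify_mbr(mbr: bytes, known_good: set, known_bad: dict) -> str:
    """known_good: set of SHA1 hex digests; known_bad: digest -> family label."""
    if len(mbr) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    if mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xaa":
        return "invalid: missing 0x55AA boot signature"
    digest = boot_code_sha1(mbr)
    if digest in known_bad:
        return f"known-bad: {known_bad[digest]}"
    if digest in known_good:
        return "known-good"
    return "unknown: compare against a clean install of the same OS version"


def build_sample_mbr() -> bytes:
    """Constructed stand-in for a clean XP-era MBR: a tiny code stub padded with
    zeros, a disk signature, one bootable NTFS partition at LBA 63, and 0x55AA."""
    code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"      # xor ax,ax / mov ss,ax / mov sp,7C00h / sti
    code = code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"      # made-up disk signature + reserved
    part0 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        63, 117_210_240)               # ~55.9 GB NTFS, figures constructed
    table = part0 + b"\x00" * 48                       # three empty entries
    mbr = code + disk_sig + table + b"\x55\xaa"
    assert len(mbr) == SECTOR
    return mbr


if __name__ == "__main__":
    import sys
    mbr = read_mbr(sys.argv[1]) if len(sys.argv) > 1 else build_sample_mbr()
    known_good = set()   # fill from a clean machine: boot_code_sha1(read_mbr(...))
    known_bad = {}       # fill from a trusted source of bootkit MBR hashes
    for p in parse_partitions(mbr):
        if p["type"]:
            print(f"partition {p['index']}: type 0x{p['type']:02X} LBA {p['lba_start']} "
                  f"offset 0x{p['byte_offset']:X} bootable={p['bootable']}")
    print("boot code SHA1:", boot_code_sha1(mbr))
    print("verdict:", classify_mbr(mbr, known_good, known_bad))
```

Run it as Administrator with \\.\PhysicalDrive0 (or a disk image path) as the argument; with no argument it classifies the built-in sample. Excluding the disk signature and partition table from the hash is deliberate: they differ from one machine to the next, so a whole-sector hash from a clean reference machine would never match. A verdict taken from inside a running, possibly infected OS is also only as trustworthy as the disk stack it reads through, since a bootkit that filters disk I/O can hand back a clean-looking sector; reading the disk from clean boot media removes that dependency.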

Re: Whistler Bootkit

Post by Belahzur on Thu Nov 04, 2010 10:23 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



C:\combofix.txt

Post by albsutherja on Thu Nov 04, 2010 11:27 pm

ComboFix 10-11-03.04 - Jordan 11/04/2010 18:12:57.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.1180 [GMT -5:00]
Running from: c:\documents and settings\Jordan\Desktop\Combo-Fix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-10-04 to 2010-11-04 )))))))))))))))))))))))))))))))
.

2010-11-02 03:18 . 2010-11-02 03:18 -------- d-----w- c:\program files\iPod
2010-11-02 03:13 . 2010-11-02 03:13 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2010-11-02 03:13 . 2010-11-02 03:13 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2010-11-02 03:13 . 2010-11-02 03:13 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2010-11-02 03:13 . 2010-11-02 03:13 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2010-11-02 03:13 . 2010-11-02 03:13 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2010-11-02 03:13 . 2010-11-02 03:13 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2010-11-02 03:13 . 2010-11-02 03:13 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2010-11-02 03:12 . 2010-11-02 03:13 -------- d-----w- c:\program files\QuickTime
2010-10-29 22:52 . 2010-11-02 03:08 -------- d-----w- c:\documents and settings\Jordan\Application Data\FrostWire
2010-10-29 01:45 . 2010-10-29 01:46 -------- d-----w- c:\program files\TuneUpMedia
2010-10-29 01:45 . 2010-11-03 01:09 -------- d-----w- c:\documents and settings\Jordan\Application Data\TuneUpMedia
2010-10-29 01:45 . 2010-10-29 01:45 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUpMedia
2010-10-29 01:42 . 2010-11-02 03:21 -------- d-----w- c:\documents and settings\Jordan\Application Data\Azureus
2010-10-26 21:01 . 2010-10-26 21:01 -------- d-----w- c:\documents and settings\Jordan\Application Data\LolClient
2010-10-26 04:22 . 2010-10-26 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2010-10-25 22:00 . 2010-10-25 22:00 -------- d-----w- C:\Riot Games
2010-10-25 19:57 . 2010-10-26 22:46 -------- d-----w- c:\documents and settings\Jordan\Local Settings\Application Data\PMB Files
2010-10-25 19:57 . 2010-10-25 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2010-10-25 19:57 . 2010-10-25 19:57 -------- d-----w- c:\program files\Pando Networks
2010-10-25 19:54 . 2010-10-25 19:54 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-10-13 21:57 . 2010-10-13 21:57 -------- d-----w- c:\program files\Symantec
2010-10-13 21:57 . 2010-10-13 21:57 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-13 21:57 . 2010-10-13 21:57 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-10-13 21:56 . 2010-10-13 21:56 -------- d-----w- c:\windows\system32\drivers\NIS
2010-10-13 21:56 . 2010-10-13 21:56 -------- d-----w- c:\program files\Norton Internet Security
2010-10-13 21:56 . 2010-10-13 21:56 -------- d-----w- c:\program files\Windows Sidebar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-08 16:17 . 2010-09-08 16:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17 . 2010-09-08 16:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Jordan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-01-17 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
"nwiz"="nwiz.exe" [2004-10-26 921600]
"ZCfgSvc.exe"="c:\windows\system32\ZCfgSvc.exe" [2005-07-05 639040]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-06-27 135168]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2004-07-08 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-07-08 1232946]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-28 202256]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 53760]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2005-07-05 07:33 188482 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58368:TCP"= 58368:TCP:Pando Media Booster
"58368:UDP"= 58368:UDP:Pando Media Booster
"8380:TCP"= 8380:TCP:League of Legends Launcher
"8380:UDP"= 8380:UDP:League of Legends Launcher
"1034:TCP"= 1034:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1201000.025\SymDS.sys [10/13/2010 4:57 PM 339504]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1201000.025\SymEFA.sys [10/13/2010 4:57 PM 666672]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20101029.001\BHDrvx86.sys [11/1/2010 7:24 PM 692272]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1201000.025\Ironx86.sys [10/13/2010 4:57 PM 134704]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 7:00 AM 14336]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\18.1.0.37\ccSvcHst.exe [10/13/2010 4:57 PM 126904]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/13/2010 6:14 PM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20101103.001\IDSXpx86.sys [10/19/2010 3:36 PM 341880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-10-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

2010-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1078145449-1060284298-1003Core.job
- c:\documents and settings\Jordan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-17 20:50]

2010-11-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-343818398-1078145449-1060284298-1003UA.job
- c:\documents and settings\Jordan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-17 20:50]

2010-11-04 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

2010-11-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-11-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-343818398-1078145449-1060284298-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-11-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-11-04 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-343818398-1078145449-1060284298-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-11-04 18:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NIS]
"ImagePath"=""c:\program files\Norton Internet Security\Engine\18.1.0.37\ccSvcHst.exe" /s "NIS" /m "c:\program files\Norton Internet Security\Engine\18.1.0.37\diMaster.dll" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a7,c5,64,70,bf,95,c3,42,84,01,96,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a7,c5,64,70,bf,95,c3,42,84,01,96,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\LgNotify.dll
.
Completion time: 2010-11-04 18:25:34
ComboFix-quarantined-files.txt 2010-11-04 23:25

Pre-Run: 21,321,580,544 bytes free
Post-Run: 21,689,139,200 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 2385F09BF9EDD932A925D82F8E27EDFC


Re: Whistler Bootkit

Post by Dr Jay on Mon Nov 08, 2010 3:51 am

Please [You must be registered and logged in to see this link.] SINO by [You must be registered and logged in to see this link.].

  • Save SINO to a place you can remember and run SINO.exe. (If you downloaded the ZIP version you will need to extract it first)
  • Then please check the following checkboxes:
    Boot Check
    Tasklist
    Startup Items
    Event Log
    Ping
    Netstat
    Hosts file
    Routing Table
  • Once checked, hit the Run Scan! button and wait for the program to finish the scan.

  • A notepad window will pop up. Please copy all of the content into your next reply.

Note: If you try to interact with the program once it's started scanning, it might appear to hang. The scan, however, will continue.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts : 13719
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Protection : Bitdefender Total Security
Points : 302143
Likes : 10
