Cybergate RAT

View previous topic View next topic Go down

Cybergate RAT

Post by RSMike on Fri 25 Feb 2011, 12:46 pm

So when I turned on my laptop it booted up normally up until the "Welcome... logging you in". Then instead of loading my desktop, my screen went black and a little window popped up that said something like "Personal Preferences (can't remember the rest)... c:\directory\cybergate\install\server.exe"

So I did Ctrl+Alt+Delete and force closed the window and so it closed, and then nothing else happened. It just stayed on a black screen. So I logged off of my user, logged back on, same thing happened again, so I turned off my computer. Turned it back on, loaded normally, and once I got to my desktop I ran a virus check and got this:



So I clicked remove all, it said it removed them all successfully and told me to restart so I did. When my computer reloaded I ran another virus scan just to make sure it was gone and it wasn't... all the exact same malicious software was there.

Sorry that was such a long story, I'm no tech expert so I included all details of what happened even if they aren't relevant lol. I posted on another non-computer forum and some people told me that I had a RAT Cybergate virus and they referred me to your website as it could be quite serious.

RSMike

Newbie Surfer
Newbie Surfer

Posts : 9
Joined : 2011-02-25
Operating System : Windows 7

View user profile

Back to top Go down

Re: Cybergate RAT

Post by RSMike on Fri 25 Feb 2011, 12:47 pm

OTL logfile created on: 24/02/2011 8:36:32 PM - Run 1
OTL by OldTimer - Version 3.2.21.0 Folder = C:\Users\Michael2\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 81.00% Memory free
7.00 Gb Paging File | 7.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 455.63 Gb Total Space | 261.51 Gb Free Space | 57.39% Space Free | Partition Type: NTFS

Computer Name: MICHAELSLAPTOP | User Name: Michael2 | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/02/24 20:33:42 | 000,577,024 | ---- | M] (OldTimer Tools) -- C:\Users\Michael2\Desktop\OTL.com
PRC - [2010/11/08 17:40:10 | 001,839,776 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2010/08/10 21:43:42 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe


========== Modules (SafeList) ==========

MOD - [2011/02/24 20:33:42 | 000,577,024 | ---- | M] (OldTimer Tools) -- C:\Users\Michael2\Desktop\OTL.com
MOD - [2010/08/21 00:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2011/01/05 20:14:54 | 003,129,432 | ---- | M] () [Auto | Stopped] -- c:\Program Files (x86)\Common Files\Akamai\netsession_win_dbc0250.dll -- (Akamai)
SRV - [2011/01/05 11:59:50 | 000,037,664 | ---- | M] (Apple Inc.) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/11/24 19:57:27 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/11/17 20:43:06 | 000,428,912 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\SNAC64.EXE -- (SNAC)
SRV - [2010/11/12 07:14:04 | 003,249,768 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2010/11/08 17:40:10 | 001,839,776 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2010/09/07 16:05:51 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2010/08/10 21:43:42 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2010/08/10 21:43:42 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2010/04/24 01:10:34 | 000,209,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe -- (sftvsa)
SRV - [2010/04/24 01:10:28 | 000,483,688 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe -- (sftlist)
SRV - [2010/03/18 13:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/18 10:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2010/02/19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
SRV - [2009/08/31 00:59:30 | 000,362,992 | ---- | M] (Sonic Solutions) [Auto | Stopped] -- C:\Program Files (x86)\Roxio\Digital Home 10\RoxioUpnpService10.exe -- (Roxio Upnp Server 10)
SRV - [2009/08/31 00:59:18 | 000,313,840 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files (x86)\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe -- (Roxio UPnP Renderer 10)
SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/03/12 17:36:24 | 000,086,016 | ---- | M] () [Auto | Stopped] -- C:\Program Files (x86)\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe -- (mi-raysat_3dsmax2010_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/02/06 14:41:05 | 000,173,616 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS -- (SymEvent)
DRV:64bit: - [2010/09/17 13:10:32 | 000,482,352 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\srtspl64.sys -- (SRTSPL)
DRV:64bit: - [2010/09/17 13:10:32 | 000,449,072 | ---- | M] (Symantec Corporation) [File_System | System | Stopped] -- C:\Windows\SysNative\drivers\srtsp64.sys -- (SRTSP)
DRV:64bit: - [2010/09/17 13:10:32 | 000,032,304 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Windows\SysNative\drivers\srtspx64.sys -- (SRTSPX)
DRV:64bit: - [2010/07/12 13:36:10 | 000,055,856 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2010/04/24 01:10:32 | 000,022,376 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Sftvollh.sys -- (Sftvol)
DRV:64bit: - [2010/04/24 01:10:28 | 000,269,672 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Sftplaylh.sys -- (Sftplay)
DRV:64bit: - [2010/04/24 01:10:28 | 000,025,960 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Sftredirlh.sys -- (Sftredir)
DRV:64bit: - [2010/04/24 01:10:20 | 000,721,768 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Sftfslh.sys -- (Sftfs)
DRV:64bit: - [2010/01/27 15:10:59 | 006,106,624 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2009/12/16 15:03:59 | 000,244,736 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\IntcDAud.sys -- (IntcDAud) Intel(R)
DRV:64bit: - [2009/12/16 15:03:42 | 000,151,936 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\Impcd.sys -- (Impcd)
DRV:64bit: - [2009/12/16 15:03:04 | 007,778,176 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2009/12/14 15:06:07 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (HECIx64) Intel(R)
DRV:64bit: - [2009/11/20 17:09:48 | 000,537,112 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iaStor.sys -- (iaStor)
DRV:64bit: - [2009/11/17 23:30:21 | 000,052,264 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btusbflt.sys -- (btusbflt)
DRV:64bit: - [2009/11/12 15:16:19 | 000,395,264 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\yk62x64.sys -- (yukonw7)
DRV:64bit: - [2009/11/12 15:06:44 | 001,542,656 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
DRV:64bit: - [2009/11/06 15:27:30 | 000,093,696 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rimssne64.sys -- (rimspci)
DRV:64bit: - [2009/11/04 04:59:59 | 000,253,488 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\Apfiltr.sys -- (ApfiltrService)
DRV:64bit: - [2009/10/08 21:47:00 | 000,109,056 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\sdbus.sys -- (sdbus)
DRV:64bit: - [2009/09/15 15:09:08 | 000,075,776 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\risdsne64.sys -- (risdsnpe)
DRV:64bit: - [2009/08/19 15:09:21 | 000,011,392 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SFEP.sys -- (SFEP)
DRV:64bit: - [2009/07/24 07:55:10 | 000,011,264 | ---- | M] (Primax Ltd) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NMgamingms.sys -- (NMgamingmsFltr)
DRV:64bit: - [2009/07/13 20:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 20:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 15:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/05/18 13:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2007/08/31 14:15:34 | 000,079,872 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\emAudio64.sys -- (emAudio)
DRV:64bit: - [2007/06/21 17:51:46 | 000,215,808 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\emDevice64.sys -- (DCamUSBEMPIA)
DRV:64bit: - [2007/06/21 17:51:32 | 000,006,400 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\emFilter64.sys -- (FiltUSBEMPIA)
DRV:64bit: - [2007/06/21 17:51:30 | 000,006,144 | ---- | M] (eMPIA Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\emScan64.sys -- (ScanUSBEMPIA)
DRV:64bit: - [2006/12/13 18:14:14 | 000,065,024 | ---- | M] (Aladdin Knowledge Systems Ltd.) [File_System | Auto | Stopped] -- C:\Windows\SysNative\drivers\aksdf.sys -- (aksdf)
DRV:64bit: - [2006/12/04 10:44:14 | 000,314,368 | ---- | M] (Aladdin Knowledge Systems Ltd.) [Kernel | Auto | Stopped] -- C:\Windows\SysNative\drivers\hardlock.sys -- (Hardlock)
DRV:64bit: - [2005/09/23 23:18:34 | 000,261,120 | ---- | M] (Pinnacle Systems GmbH) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\MarvinBus64.sys -- (MarvinBus)
DRV - [2011/01/18 04:00:00 | 001,791,096 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20110223.002\EX64.SYS -- (NAVEX15)
DRV - [2011/01/18 04:00:00 | 000,117,880 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20110223.002\ENG64.SYS -- (NAVENG)
DRV - [2010/10/18 01:00:00 | 000,475,696 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl)
DRV - [2010/10/18 01:00:00 | 000,132,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/09/17 13:10:32 | 000,482,352 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\srtspl64.sys -- (SRTSPL)
DRV - [2010/09/17 13:10:32 | 000,449,072 | ---- | M] (Symantec Corporation) [File_System | System | Stopped] -- C:\Windows\SysWOW64\drivers\srtsp64.sys -- (SRTSP)
DRV - [2010/09/17 13:10:32 | 000,032,304 | ---- | M] (Symantec Corporation) [Kernel | System | Stopped] -- C:\Windows\SysWOW64\drivers\srtspx64.sys -- (SRTSPX)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [You must be registered and logged in to see this link.] [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [You must be registered and logged in to see this link.] [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "Murder Toys Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT2673338&SearchSource=3&q={searchTerms}"
FF - prefs.js..browser.startup.homepage: "http://www.google.ca/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {a8864317-e18b-4292-99d9-e6e65ab905d3}:3.1.0.12
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:3.2.5.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.6.6.20090220
FF - prefs.js..extensions.enabledItems: {75656794-AB59-4712-BFBC-5D816D56F3BC}:1.1.6


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2011/02/05 14:05:20 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2011/01/29 16:04:53 | 000,000,000 | ---D | M]

[2011/02/06 15:26:29 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Michael\AppData\Roaming\Mozilla\Extensions
[2010/09/27 14:29:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Michael\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2011/02/23 15:28:40 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\wir80j3f.default\extensions
[2011/02/06 15:26:26 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\wir80j3f.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/02/06 15:26:26 | 000,000,000 | ---D | M] (HyperCam Toolbar) -- C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\wir80j3f.default\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}
[2011/02/15 16:45:34 | 000,000,000 | ---D | M] (Runescape Community Toolbar) -- C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\wir80j3f.default\extensions\{a8864317-e18b-4292-99d9-e6e65ab905d3}
[2011/02/06 15:26:29 | 000,000,000 | ---D | M] (Murder Toys Community Toolbar) -- C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\wir80j3f.default\extensions\{e9ddc636-f9b4-43db-9795-fba05b2d0e22}
[2011/02/06 15:26:25 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\wir80j3f.default\extensions\engine@conduit.com
[2011/02/06 15:23:23 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Michael2\AppData\Roaming\mozilla\Firefox\Profiles\xf1fgayo.default\extensions
[2010/11/23 13:20:22 | 000,000,925 | ---- | M] () -- C:\Users\Michael\AppData\Roaming\Mozilla\Firefox\Profiles\wir80j3f.default\searchplugins\conduit.xml
[2011/02/23 15:28:40 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2011/02/05 00:26:16 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/09/27 14:07:02 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/09/26 16:38:59 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/10/26 14:32:05 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2010/12/19 15:23:05 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/02/19 13:38:26 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/02/02 21:40:24 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/11/23 20:56:50 | 000,000,034 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 activate.adobe.com
O2:64bit: - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - File not found
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (SMTTB2009 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files (x86)\HyperCam Toolbar\tbcore3.dll ()
O3 - HKLM\..\Toolbar: (HyperCam Toolbar) - {338B4DFE-2E2C-4338-9E41-E176D497299E} - C:\Program Files (x86)\HyperCam Toolbar\tbcore3.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (HyperCam Toolbar) - {338B4DFE-2E2C-4338-9E41-E176D497299E} - C:\Program Files (x86)\HyperCam Toolbar\tbcore3.dll ()
O4:64bit: - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS5ServiceManager] C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ccApp] C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [runnn] C:\Users\Michael2\AppData\Roaming\runnn\runnn.exe ()
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKCU..\Run: [RESTART_STICKY_NOTES] File not found
O4 - HKCU..\Run: [runnn] C:\Users\Michael2\AppData\Roaming\runnn\runnn.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: Policies = C:\Users\Michael2\AppData\Roaming\install\server.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: Policies = C:\Users\Michael2\AppData\Roaming\install\server.exe ()
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\SysWow64\GPhotos.scr (Google Inc.)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} [You must be registered and logged in to see this link.] (BitDefender QuickScan Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} [You must be registered and logged in to see this link.] (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_24)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_24)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.1.1
O18:64bit: - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - Reg Error: Key error. File not found
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18:64bit: - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - Reg Error: Key error. File not found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\igfxcui: DllName - Reg Error: Key error. - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\VESWinlogon: DllName - VESWinlogon.dll - C:\Windows\SysWow64\VESWinlogon.dll (Sony Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/02/24 20:33:39 | 000,577,024 | ---- | C] (OldTimer Tools) -- C:\Users\Michael2\Desktop\OTL.com
[2011/02/23 19:52:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ESET
[2011/02/23 19:33:19 | 000,000,000 | ---D | C] -- C:\Users\Michael2\AppData\Roaming\QuickScan
[2011/02/23 18:38:41 | 000,000,000 | ---D | C] -- C:\directory
[2011/02/23 17:54:25 | 000,000,000 | ---D | C] -- C:\Users\Michael2\AppData\Roaming\Malwarebytes
[2011/02/23 17:34:03 | 000,000,000 | ---D | C] -- C:\Users\Michael2\AppData\Roaming\runnn
[2011/02/22 15:05:47 | 000,442,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XpsPrint.dll
[2011/02/22 15:05:46 | 000,662,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XpsPrint.dll
[2011/02/22 15:05:46 | 000,475,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\XpsGdiConverter.dll
[2011/02/22 15:05:45 | 000,288,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\XpsGdiConverter.dll
[2011/02/20 11:28:28 | 000,000,000 | ---D | C] -- C:\Users\Michael2\Desktop\C4D
[2011/02/19 13:38:37 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2011/02/19 13:38:24 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2011/02/19 13:38:24 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2011/02/19 13:38:24 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2011/02/15 23:24:04 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Roaming\Publish Providers
[2011/02/15 23:23:49 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Roaming\Sony
[2011/02/15 23:23:49 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Local\Sony
[2011/02/15 23:02:33 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Roaming\DivX
[2011/02/13 14:18:01 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Roaming\PACE Anti-Piracy
[2011/02/13 14:18:01 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Local\PACE Anti-Piracy
[2011/02/13 14:05:48 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Roaming\WinRAR
[2011/02/13 13:34:40 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Microsoft Application Virtualization Client
[2011/02/13 13:34:13 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Roaming\TP
[2011/02/13 11:54:00 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Roaming\Autodesk
[2011/02/13 11:53:53 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Local\Autodesk
[2011/02/12 15:34:00 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Local\Apple
[2011/02/12 15:32:57 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2011/02/12 15:07:50 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Adobe
[2011/02/08 15:13:48 | 000,599,040 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeeds.dll
[2011/02/08 15:13:44 | 000,703,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeeds.dll
[2011/02/08 15:13:42 | 000,256,000 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\iepeers.dll
[2011/02/08 15:13:41 | 000,185,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\iepeers.dll
[2011/02/08 15:13:41 | 000,097,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
[2011/02/08 15:13:41 | 000,067,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
[2011/02/08 15:13:39 | 000,057,856 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\licmgr10.dll
[2011/02/08 15:13:39 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\licmgr10.dll
[2011/02/08 15:13:38 | 000,012,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msfeedssync.exe
[2011/02/08 15:13:38 | 000,012,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msfeedssync.exe
[2011/02/08 15:13:37 | 000,482,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\html.iec
[2011/02/08 15:13:36 | 000,386,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\html.iec
[2011/02/08 14:52:20 | 000,264,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\upnp.dll
[2011/02/08 14:52:19 | 000,204,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\upnp.dll
[2011/02/08 14:52:10 | 000,100,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\davclnt.dll
[2011/02/08 14:52:10 | 000,062,976 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wscapi.dll
[2011/02/08 14:52:08 | 000,080,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\davclnt.dll
[2011/02/08 14:52:08 | 000,051,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wscapi.dll
[2011/02/08 14:52:08 | 000,015,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\slwga.dll
[2011/02/08 14:52:08 | 000,014,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\slwga.dll
[2011/02/08 14:52:05 | 000,214,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winsrv.dll
[2011/02/08 14:52:03 | 000,265,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\dxgmms1.sys
[2011/02/08 14:52:02 | 000,144,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cdd.dll
[2011/02/08 14:51:58 | 000,852,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\jscript.dll
[2011/02/08 14:51:57 | 000,612,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\vbscript.dll
[2011/02/08 14:51:54 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\jscript.dll
[2011/02/08 14:51:51 | 005,510,528 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2011/02/08 14:51:50 | 001,739,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntdll.dll
[2011/02/08 14:51:48 | 003,957,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2011/02/08 14:51:48 | 003,901,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2011/02/08 14:51:46 | 000,366,080 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysNative\atmfd.dll
[2011/02/08 14:51:45 | 000,294,400 | ---- | C] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\atmfd.dll
[2011/02/08 14:51:44 | 000,046,080 | ---- | C] (Adobe Systems) -- C:\Windows\SysNative\atmlib.dll
[2011/02/08 14:51:44 | 000,034,304 | ---- | C] (Adobe Systems) -- C:\Windows\SysWow64\atmlib.dll
[2011/02/06 22:51:49 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Roaming\skypePM
[2011/02/06 22:51:17 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Roaming\Skype
[2011/02/06 19:31:58 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Roaming\mIRC
[2011/02/06 19:26:20 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Roaming\Ventrilo
[2011/02/06 16:58:17 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Local\TechSmith
[2011/02/06 15:23:20 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Roaming\Mozilla
[2011/02/06 15:23:20 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Local\Mozilla
[2011/02/06 15:22:40 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Roaming\Apple Computer
[2011/02/06 15:22:35 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Roaming\Adobe
[2011/02/06 15:22:33 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Local\Adobe
[2011/02/06 15:22:18 | 000,000,000 | R--D | C] -- C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[2011/02/06 15:22:18 | 000,000,000 | R--D | C] -- C:\Users\Michael\Searches
[2011/02/06 15:22:18 | 000,000,000 | R--D | C] -- C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2011/02/06 15:22:07 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Roaming\Identities
[2011/02/06 15:22:01 | 000,000,000 | R--D | C] -- C:\Users\Michael\Contacts
[2011/02/06 15:21:59 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Local\Symantec
[2011/02/06 15:18:45 | 000,000,000 | ---D | C] -- C:\Users\Michael2\Desktop\My Shared Folder
[2011/02/06 15:17:40 | 000,000,000 | R--D | C] -- C:\Users\Michael2\Documents\My Stationery
[2011/02/06 15:17:40 | 000,000,000 | ---D | C] -- C:\Users\Michael2\Documents\Pinnacle Studio
[2011/02/06 15:17:40 | 000,000,000 | ---D | C] -- C:\Users\Michael2\Documents\Camtasia Studio
[2011/02/06 15:17:40 | 000,000,000 | ---D | C] -- C:\Users\Michael2\Documents\Adobe
[2011/02/06 15:17:34 | 000,000,000 | ---D | C] -- C:\Users\Michael2\Documents\3dsMax
[2011/02/06 15:16:00 | 000,000,000 | -H-D | C] -- C:\Users\Michael2\Application Data\Microsoft\Internet Explorer\Quick Launch\User Pinned
[2011/02/06 15:15:55 | 000,000,000 | -HSD | C] -- C:\Users\Michael\AppData\Local\Temporary Internet Files
[2011/02/06 15:15:55 | 000,000,000 | -HSD | C] -- C:\Users\Michael\Templates
[2011/02/06 15:15:55 | 000,000,000 | -HSD | C] -- C:\Users\Michael\Start Menu
[2011/02/06 15:15:55 | 000,000,000 | -HSD | C] -- C:\Users\Michael\SendTo
[2011/02/06 15:15:55 | 000,000,000 | -HSD | C] -- C:\Users\Michael\Recent
[2011/02/06 15:15:55 | 000,000,000 | -HSD | C] -- C:\Users\Michael\PrintHood
[2011/02/06 15:15:55 | 000,000,000 | -HSD | C] -- C:\Users\Michael\NetHood
[2011/02/06 15:15:55 | 000,000,000 | -HSD | C] -- C:\Users\Michael2\Documents\My Videos
[2011/02/06 15:15:55 | 000,000,000 | -HSD | C] -- C:\Users\Michael2\Documents\My Pictures
[2011/02/06 15:15:55 | 000,000,000 | -HSD | C] -- C:\Users\Michael2\Documents\My Music
[2011/02/06 15:15:55 | 000,000,000 | -HSD | C] -- C:\Users\Michael\My Documents
[2011/02/06 15:15:55 | 000,000,000 | -HSD | C] -- C:\Users\Michael\Local Settings
[2011/02/06 15:15:55 | 000,000,000 | -HSD | C] -- C:\Users\Michael\AppData\Local\History
[2011/02/06 15:15:55 | 000,000,000 | -HSD | C] -- C:\Users\Michael\Cookies
[2011/02/06 15:15:55 | 000,000,000 | -HSD | C] -- C:\Users\Michael\Application Data
[2011/02/06 15:15:55 | 000,000,000 | -HSD | C] -- C:\Users\Michael\AppData\Local\Application Data
[2011/02/06 15:15:54 | 000,000,000 | --SD | C] -- C:\Users\Michael\AppData\Roaming\Microsoft
[2011/02/06 15:15:54 | 000,000,000 | R--D | C] -- C:\Users\Michael2\Videos
[2011/02/06 15:15:54 | 000,000,000 | R--D | C] -- C:\Users\Michael\Saved Games
[2011/02/06 15:15:54 | 000,000,000 | R--D | C] -- C:\Users\Michael2\Pictures
[2011/02/06 15:15:54 | 000,000,000 | R--D | C] -- C:\Users\Michael2\Music
[2011/02/06 15:15:54 | 000,000,000 | R--D | C] -- C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
[2011/02/06 15:15:54 | 000,000,000 | R--D | C] -- C:\Users\Michael\Links
[2011/02/06 15:15:54 | 000,000,000 | R--D | C] -- C:\Users\Michael\Favorites
[2011/02/06 15:15:54 | 000,000,000 | R--D | C] -- C:\Users\Michael\Downloads
[2011/02/06 15:15:54 | 000,000,000 | R--D | C] -- C:\Users\Michael\My Documents
[2011/02/06 15:15:54 | 000,000,000 | R--D | C] -- C:\Users\Michael\Desktop
[2011/02/06 15:15:54 | 000,000,000 | R--D | C] -- C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
[2011/02/06 15:15:54 | 000,000,000 | -H-D | C] -- C:\Users\Michael\AppData
[2011/02/06 15:15:54 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Local\Temp
[2011/02/06 15:15:54 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Local\Microsoft
[2011/02/06 15:15:54 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Roaming\Media Center Programs
[2011/02/06 15:15:54 | 000,000,000 | ---D | C] -- C:\Users\Michael\AppData\Roaming\Macromedia
[2011/02/06 14:40:53 | 000,173,616 | ---- | C] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS
[2011/02/06 14:40:46 | 000,000,000 | ---D | C] -- C:\Program Files\Symantec
[2011/02/06 14:40:18 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Symantec Shared
[2011/02/06 14:40:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Symantec Endpoint Protection
[2011/02/06 14:39:24 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Symantec
[2011/02/06 14:35:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Ida
[2011/02/05 17:39:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picasa 3
[2011/02/05 17:02:08 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\%LOCALAPPDATA%
[2011/02/05 15:34:50 | 000,000,000 | -HSD | C] -- C:\Windows\SysNative\%APPDATA%
[2011/02/05 15:33:56 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
[2011/02/05 15:33:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/02/05 15:33:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/02/05 15:33:52 | 000,024,152 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
[2011/02/05 15:33:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2011/02/05 14:05:12 | 000,000,000 | -HSD | C] -- C:\Windows\SysWow64\%APPDATA%
[2011/02/05 00:26:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2011/02/05 00:26:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Skype
[2011/02/05 00:26:00 | 000,000,000 | R--D | C] -- C:\Program Files (x86)\Skype
[2011/02/05 00:25:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Skype
[2011/01/29 16:08:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
[2011/01/29 16:08:34 | 000,126,312 | ---- | C] (GEAR Software Inc.) -- C:\Windows\SysNative\GEARAspi64.dll
[2011/01/29 16:08:34 | 000,107,368 | ---- | C] (GEAR Software Inc.) -- C:\Windows\SysWow64\GEARAspi.dll
[2011/01/29 16:08:34 | 000,034,152 | ---- | C] (GEAR Software Inc.) -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys
[2011/01/29 16:08:34 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\DRVSTORE
[2011/01/29 16:07:53 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/01/29 16:07:52 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/01/29 16:07:52 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iTunes
[2011/01/29 16:07:52 | 000,000,000 | ---D | C] -- C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
[2011/01/29 16:06:47 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Apple
[2011/01/29 16:06:38 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2011/01/29 16:06:38 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Bonjour
[2011/01/29 16:04:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
[2011/01/29 16:04:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer
[2010/03/28 08:24:14 | 000,156,592 | ---- | C] (Beepa P/L) -- C:\Program Files (x86)\fraps64.dll

========== Files - Modified Within 30 Days ==========

[2011/02/24 20:33:42 | 000,577,024 | ---- | M] (OldTimer Tools) -- C:\Users\Michael2\Desktop\OTL.com
[2011/02/24 20:25:24 | 000,779,016 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2011/02/24 20:25:24 | 000,664,108 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2011/02/24 20:25:24 | 000,124,586 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2011/02/24 20:20:54 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/02/24 20:20:44 | 2955,485,184 | -HS- | M] () -- C:\hiberfil.sys
[2011/02/23 19:25:19 | 000,009,576 | -H-- | M] () -- C:\Users\Michael2\AppData\Roaming\logs.dat
[2011/02/23 18:48:09 | 000,014,144 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/02/23 18:48:09 | 000,014,144 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/02/23 18:40:51 | 000,006,144 | ---- | M] () -- C:\Users\Michael2\AppData\Roaming\runnn.exe
[2011/02/23 17:37:03 | 000,006,144 | ---- | M] () -- C:\Users\Michael2\AppData\Roaming\run.bat
[2011/02/23 15:36:06 | 000,001,456 | ---- | M] () -- C:\Users\Michael2\AppData\Local\Adobe Save for Web 12.0 Prefs
[2011/02/23 15:29:08 | 000,000,046 | ---- | M] () -- C:\Users\Michael2\jagex_runescape_preferences.dat
[2011/02/23 15:29:03 | 000,000,117 | ---- | M] () -- C:\Users\Michael2\jagex_runescape_preferences2.dat
[2011/02/21 02:08:53 | 000,047,656 | ---- | M] () -- C:\Users\Michael2\Documents\Eric prank call.mp3.sfk
[2011/02/21 02:07:35 | 004,093,871 | ---- | M] () -- C:\Users\Michael2\Documents\eric prank call.wmv
[2011/02/21 02:00:29 | 000,552,541 | ---- | M] () -- C:\Users\Michael2\Documents\Eric prank call.mp3
[2011/02/19 03:18:03 | 000,004,608 | ---- | M] () -- C:\Users\Michael2\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/02/16 14:53:50 | 000,787,064 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2011/02/15 23:17:57 | 000,000,349 | ---- | M] () -- C:\Users\Public\Documents\PCLECHAL.INI
[2011/02/15 23:17:48 | 000,001,154 | ---- | M] () -- C:\Users\Public\Desktop\Pinnacle Studio 12.lnk
[2011/02/13 14:18:01 | 000,000,021 | ---- | M] () -- C:\Windows\SurCode.INI
[2011/02/13 11:55:53 | 000,001,401 | ---- | M] () -- C:\Users\Michael2\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/02/09 15:09:22 | 005,024,176 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2011/02/06 22:51:19 | 000,002,515 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
[2011/02/06 16:56:44 | 000,000,376 | ---- | M] () -- C:\Windows\ODBC.INI
[2011/02/06 14:41:05 | 000,173,616 | ---- | M] (Symantec Corporation) -- C:\Windows\SysNative\drivers\SYMEVENT64x86.SYS
[2011/02/06 14:41:05 | 000,007,440 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT
[2011/02/06 14:41:05 | 000,000,855 | ---- | M] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF
[2011/02/05 15:33:56 | 000,001,073 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/02/05 00:52:31 | 000,000,056 | -H-- | M] () -- C:\Windows\SysWow64\ezsidmv.dat
[2011/02/02 21:40:39 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaws.exe
[2011/02/02 21:40:38 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\javaw.exe
[2011/02/02 21:40:36 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\java.exe
[2011/02/02 21:40:23 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\SysWow64\deployJava1.dll
[2011/01/26 01:53:10 | 000,265,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\drivers\dxgmms1.sys
[2011/01/26 01:31:20 | 000,144,384 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\cdd.dll

========== Files Created - No Company Name ==========

[2011/02/23 18:24:56 | 000,006,144 | ---- | C] () -- C:\Users\Michael2\AppData\Roaming\runnn.exe
[2011/02/23 17:34:05 | 000,006,144 | ---- | C] () -- C:\Users\Michael2\AppData\Roaming\run.bat
[2011/02/21 02:08:52 | 000,047,656 | ---- | C] () -- C:\Users\Michael2\Documents\Eric prank call.mp3.sfk
[2011/02/21 02:06:32 | 004,093,871 | ---- | C] () -- C:\Users\Michael2\Documents\eric prank call.wmv
[2011/02/21 02:00:28 | 000,552,541 | ---- | C] () -- C:\Users\Michael2\Documents\Eric prank call.mp3
[2011/02/20 15:47:40 | 000,001,456 | ---- | C] () -- C:\Users\Michael\AppData\Local\Adobe Save for Web 12.0 Prefs
[2011/02/15 23:15:47 | 000,004,608 | ---- | C] () -- C:\Users\Michael\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/02/13 11:55:53 | 000,001,401 | ---- | C] () -- C:\Users\Michael2\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2011/02/06 15:22:32 | 000,001,373 | ---- | C] () -- C:\Users\Michael2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
[2011/02/06 15:22:24 | 000,001,407 | ---- | C] () -- C:\Users\Michael2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
[2011/02/06 15:19:46 | 000,000,117 | ---- | C] () -- C:\Users\Michael\jagex_runescape_preferences2.dat
[2011/02/06 15:19:46 | 000,000,046 | ---- | C] () -- C:\Users\Michael\jagex_runescape_preferences.dat
[2011/02/06 15:19:46 | 000,000,024 | ---- | C] () -- C:\Users\Michael\jagexappletviewer.preferences
[2011/02/06 15:19:46 | 000,000,000 | ---- | C] () -- C:\Users\Michael\jagex__preferences3.dat
[2011/02/06 15:18:59 | 000,024,576 | ---- | C] () -- C:\Users\Michael2\Desktop\Cover letter - Tim Horton's.doc
[2011/02/06 15:18:59 | 000,006,708 | ---- | C] () -- C:\Users\Michael2\Desktop\Resume.rtf
[2011/02/06 15:18:59 | 000,001,160 | ---- | C] () -- C:\Users\Michael2\Desktop\Adobe After Effects CS5.lnk
[2011/02/06 15:18:59 | 000,001,064 | ---- | C] () -- C:\Users\Michael2\Desktop\Vegas Pro 10.0.lnk
[2011/02/06 15:17:54 | 000,025,088 | ---- | C] () -- C:\Users\Michael2\Documents\YT text.doc
[2011/02/06 15:17:54 | 000,025,088 | ---- | C] () -- C:\Users\Michael2\Documents\Thesis.doc
[2011/02/06 15:17:53 | 000,830,976 | ---- | C] () -- C:\Users\Michael2\Documents\Saint Jan Sarkander slide show.ppt
[2011/02/06 15:17:53 | 000,028,160 | ---- | C] () -- C:\Users\Michael2\Documents\Speech.doc
[2011/02/06 15:17:53 | 000,021,504 | ---- | C] () -- C:\Users\Michael2\Documents\Saint Jan Sarkander.doc
[2011/02/06 15:17:52 | 012,366,336 | ---- | C] () -- C:\Users\Michael2\Documents\Saint Jan Sarkander slide show -2.ppt
[2011/02/06 15:17:52 | 000,031,744 | ---- | C] () -- C:\Users\Michael2\Documents\Hamlet Essay.doc
[2011/02/06 15:17:52 | 000,030,720 | ---- | C] () -- C:\Users\Michael2\Documents\Military Occupations.doc
[2011/02/06 15:17:52 | 000,029,696 | ---- | C] () -- C:\Users\Michael2\Documents\Sacrement of the Anointing of the Sick.doc
[2011/02/06 15:17:52 | 000,028,160 | ---- | C] () -- C:\Users\Michael2\Documents\RMC App - Essay.doc
[2011/02/06 15:17:52 | 000,027,648 | ---- | C] () -- C:\Users\Michael2\Documents\References.doc
[2011/02/06 15:17:52 | 000,026,112 | ---- | C] () -- C:\Users\Michael2\Documents\Sacrement of the Anointing of the Sick notes.doc
[2011/02/06 15:17:52 | 000,026,112 | ---- | C] () -- C:\Users\Michael2\Documents\Reader's Response.doc
[2011/02/06 15:17:52 | 000,002,508 | ---- | C] () -- C:\Users\Michael2\Documents\Register Vegas Pro.htm
[2011/02/06 15:17:51 | 000,035,328 | ---- | C] () -- C:\Users\Michael2\Documents\Contraception and the Church[1][1].doc
[2011/02/06 15:17:51 | 000,026,624 | ---- | C] () -- C:\Users\Michael2\Documents\Hamlet Essay - notes.doc
[2011/02/06 15:17:51 | 000,023,040 | ---- | C] () -- C:\Users\Michael2\Documents\Cover letter - Tim Horton's.doc
[2011/02/06 15:17:51 | 000,020,480 | ---- | C] () -- C:\Users\Michael2\Documents\CW Promo Video.doc
[2011/02/06 15:17:45 | 241,220,784 | ---- | C] () -- C:\Users\Michael2\Documents\clip0003.avi
[2011/02/06 15:17:45 | 000,055,464 | ---- | C] () -- C:\Users\Michael2\Documents\clip0002.avi.sfk
[2011/02/06 15:17:41 | 199,398,846 | ---- | C] () -- C:\Users\Michael2\Documents\clip0002.avi
[2011/02/06 15:15:54 | 000,000,290 | ---- | C] () -- C:\Users\Michael2\Application Data\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk
[2011/02/06 15:15:54 | 000,000,272 | ---- | C] () -- C:\Users\Michael2\Application Data\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk
[2011/02/06 14:40:53 | 000,007,440 | ---- | C] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.CAT
[2011/02/06 14:40:53 | 000,000,855 | ---- | C] () -- C:\Windows\SysNative\drivers\SYMEVENT64x86.INF
[2011/02/05 15:33:56 | 000,001,073 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/02/05 00:52:31 | 000,000,056 | -H-- | C] () -- C:\Windows\SysWow64\ezsidmv.dat
[2011/02/05 00:26:02 | 000,002,515 | ---- | C] () -- C:\Users\Public\Desktop\Skype.lnk
[2010/12/16 23:36:52 | 000,000,021 | ---- | C] () -- C:\Windows\SurCode.INI
[2010/11/18 19:36:59 | 000,787,064 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010/10/06 17:03:00 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2010/09/27 14:13:22 | 000,000,268 | ---- | C] () -- C:\Windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2010/04/26 16:09:50 | 000,208,896 | ---- | C] () -- C:\Windows\SysWow64\iglhsip32.dll
[2010/04/26 16:09:50 | 000,143,360 | ---- | C] () -- C:\Windows\SysWow64\iglhcp32.dll
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2006/02/03 23:32:29 | 000,009,576 | -H-- | C] () -- C:\Users\Michael2\AppData\Roaming\logs.dat
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\SysWow64\OUTLPERF.INI

*will be continued on next post*

RSMike

Newbie Surfer
Newbie Surfer

Posts : 9
Joined : 2011-02-25
Operating System : Windows 7

View user profile

Back to top Go down

Re: Cybergate RAT

Post by RSMike on Fri 25 Feb 2011, 12:48 pm

========== Custom Scans ==========


< %systemroot%\Fonts\*.com >
[2009/07/14 00:32:31 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2009/07/14 00:32:31 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2009/07/14 00:32:31 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2009/07/14 00:32:31 | 000,043,318 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2009/06/10 15:49:50 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2009/07/13 23:54:24 | 000,000,174 | -HS- | M] () -- C:\Program Files (x86)\desktop.ini
[2010/03/28 08:24:14 | 000,156,592 | ---- | M] (Beepa P/L) -- C:\Program Files (x86)\fraps64.dll

< %APPDATA%\Update\*.* >

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2011/02/13 11:55:53 | 000,000,221 | -HS- | M] () -- C:\Users\Michael\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

< %USERPROFILE%\Desktop\*.exe >
[2010/08/04 09:59:30 | 003,184,800 | ---- | M] (mIRC Co. Ltd.) -- C:\Users\Michael2\Desktop\mirc.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >
[2009/06/10 16:20:04 | 000,000,802 | ---- | M] () -- C:\Windows\addins\FXSEXT.ecf

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\*.exe >
[2010/12/10 15:00:26 | 000,107,480 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\Mozilla Firefox\crashreporter.exe
[2010/12/10 15:00:26 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe
[2010/12/10 15:00:27 | 000,016,856 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
[2010/12/10 15:00:27 | 000,245,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files (x86)\Mozilla Firefox\updater.exe

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2011/02/06 15:22:31 | 000,000,402 | -HS- | M] () -- C:\Users\Michael\Favorites\desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\system32\*.exe /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >

< %systemroot%\system32\*.sys >

< %systemroot%\system32\drivers\*.dll >

< %systemroot%\system32\drivers\*.ini >

< %systemroot%\system32\drivers\*.exe >

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >

< %SYSTEMDRIVE%\*.* >
[2011/02/24 20:20:44 | 2955,485,184 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/06 19:34:08 | 000,306,156 | ---- | M] () -- C:\lv.log
[2010/11/18 14:21:43 | 000,343,317 | ---- | M] () -- C:\P1005.log
[2011/02/24 20:20:49 | 3940,651,008 | -HS- | M] () -- C:\pagefile.sys
[2010/11/24 18:52:40 | 000,000,015 | ---- | M] () -- C:\plugin.ini
[2010/05/06 19:03:32 | 000,002,269 | ---- | M] () -- C:\RHDSetup.log
[2010/11/24 18:52:32 | 000,000,208 | ---- | M] () -- C:\startvrlservice_log.txt

< %PROGRAMFILES%\*. >
[2010/11/24 07:12:26 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\2d3
[2010/09/25 19:31:22 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\AccuWeather.com Cirrus
[2010/11/23 21:21:54 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Adobe
[2010/11/23 21:07:36 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Adobe Media Player
[2010/11/18 14:04:39 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Apple Software Update
[2010/09/26 15:13:28 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\ArcSoft
[2010/10/29 22:01:40 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Ares
[2010/11/24 19:57:32 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Autodesk
[2011/01/29 16:06:38 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Bonjour
[2011/01/23 03:38:20 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\ColorDetector100
[2011/02/19 13:38:37 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Common Files
[2010/11/30 19:36:30 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\DivX
[2010/09/25 20:03:33 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Downloaded Installations
[2011/02/23 19:52:02 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\ESET
[2010/10/25 21:09:22 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Fraps
[2011/02/05 17:39:31 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Google
[2011/01/24 16:10:30 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\HyCam2
[2011/01/24 16:10:46 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\HyperCam Toolbar
[2011/02/06 15:24:40 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Ida
[2011/01/06 22:06:35 | 000,000,000 | -H-D | M] -- C:\Program Files (x86)\InstallShield Installation Information
[2010/09/26 15:13:30 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Intel
[2011/02/09 15:07:17 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Internet Explorer
[2011/01/29 16:08:22 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\iTunes
[2011/02/19 13:38:23 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Java
[2010/10/27 22:21:21 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\LimeWire
[2011/02/05 15:33:57 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
[2010/10/06 17:01:55 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft ActiveSync
[2011/02/16 14:53:49 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Application Virtualization Client
[2011/02/13 13:34:40 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft Office
[2010/11/18 19:31:40 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Microsoft.NET
[2011/02/06 19:37:53 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\mIRC
[2011/02/06 15:36:22 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Movies
[2011/02/06 03:14:36 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox
[2011/02/06 15:36:51 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\MSBuild
[2010/09/23 22:39:22 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Multimedia Mouse Driver V5
[2010/11/23 21:07:25 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\My Company Name
[2010/05/06 19:22:53 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\NortonInstaller
[2010/11/27 14:02:40 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Pinnacle
[2011/01/29 16:04:52 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\QuickTime
[2010/05/06 19:03:14 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Realtek
[2009/07/14 00:32:38 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Reference Assemblies
[2010/05/06 19:45:37 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Roxio
[2010/10/23 19:52:56 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Screenshots
[2011/02/05 00:26:16 | 000,000,000 | R--D | M] -- C:\Program Files (x86)\Skype
[2010/11/10 15:56:07 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Sony
[2011/02/06 14:40:21 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Symantec
[2010/09/26 15:20:38 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\TechSmith
[2010/05/06 19:03:32 | 000,000,000 | -H-D | M] -- C:\Program Files (x86)\Temp
[2009/07/13 23:57:06 | 000,000,000 | -H-D | M] -- C:\Program Files (x86)\Uninstall Information
[2010/09/27 14:13:25 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Ventrilo
[2010/05/06 22:55:45 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Defender
[2010/12/15 15:06:07 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Mail
[2010/11/25 03:26:29 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Media Player
[2009/07/14 00:32:38 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows NT
[2010/05/06 22:55:45 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Photo Viewer
[2009/07/14 00:32:40 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Portable Devices
[2010/05/06 22:55:45 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Windows Sidebar
[2010/11/22 18:11:37 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\WinRAR

< %appdata%\*.* >
[2011/02/23 19:25:19 | 000,009,576 | -H-- | M] () -- C:\Users\Michael2\AppData\Roaming\logs.dat
[2011/02/23 17:37:03 | 000,006,144 | ---- | M] () -- C:\Users\Michael2\AppData\Roaming\run.bat
[2011/02/23 18:40:51 | 000,006,144 | ---- | M] () -- C:\Users\Michael2\AppData\Roaming\runnn.exe


< MD5 for: AGP440.SYS >
[2009/07/13 20:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\SysNative\drivers\AGP440.sys
[2009/07/13 20:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\SysNative\DriverStore\FileRepository\machine.inf_amd64_neutral_9e6bb86c3b39a3e9\AGP440.sys
[2009/07/13 20:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\winsxs\amd64_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_1607dee2d861e021\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/07/13 20:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysNative\drivers\atapi.sys
[2009/07/13 20:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysNative\DriverStore\FileRepository\mshdc.inf_amd64_neutral_a69a58a4286f0b22\atapi.sys
[2009/07/13 20:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009/07/13 20:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\SysWOW64\cngaudit.dll
[2009/07/13 20:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll
[2009/07/13 20:40:20 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=86FE1B1F8FD42CD0DB641AB1CDB13093 -- C:\Windows\SysNative\cngaudit.dll
[2009/07/13 20:40:20 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=86FE1B1F8FD42CD0DB641AB1CDB13093 -- C:\Windows\winsxs\amd64_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_4458dccc49458461\cngaudit.dll

< MD5 for: DISK.SYS >
[2009/07/13 20:47:48 | 000,073,280 | ---- | M] (Microsoft Corporation) MD5=9819EEE8B5EA3784EC4AF3B137A5244C -- C:\Windows\SysNative\drivers\disk.sys
[2009/07/13 20:47:48 | 000,073,280 | ---- | M] (Microsoft Corporation) MD5=9819EEE8B5EA3784EC4AF3B137A5244C -- C:\Windows\SysNative\DriverStore\FileRepository\disk.inf_amd64_neutral_10ce25bbc5a9cc43\disk.sys
[2009/07/13 20:47:48 | 000,073,280 | ---- | M] (Microsoft Corporation) MD5=9819EEE8B5EA3784EC4AF3B137A5244C -- C:\Windows\winsxs\amd64_disk.inf_31bf3856ad364e35_6.1.7600.16385_none_55bb738b8ddd8a01\disk.sys

< MD5 for: IASTOR.SYS >
[2009/11/20 17:09:48 | 000,537,112 | ---- | M] (Intel Corporation) MD5=073A606333B6F7BBF20AA856DF7F0997 -- C:\Windows\SysNative\drivers\iaStor.sys

< MD5 for: IASTORV.SYS >
[2009/07/13 20:48:04 | 000,410,688 | ---- | M] (Intel Corporation) MD5=D83EFB6FD45DF9D55E9A1AFC63640D50 -- C:\Windows\SysNative\drivers\iaStorV.sys
[2009/07/13 20:48:04 | 000,410,688 | ---- | M] (Intel Corporation) MD5=D83EFB6FD45DF9D55E9A1AFC63640D50 -- C:\Windows\SysNative\DriverStore\FileRepository\iastorv.inf_amd64_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/13 20:48:04 | 000,410,688 | ---- | M] (Intel Corporation) MD5=D83EFB6FD45DF9D55E9A1AFC63640D50 -- C:\Windows\winsxs\amd64_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_0b06441fa1790136\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/07/13 20:41:52 | 000,692,736 | ---- | M] (Microsoft Corporation) MD5=956D030D375F207B22FB111E06EF9C35 -- C:\Windows\SysNative\netlogon.dll
[2009/07/13 20:41:52 | 000,692,736 | ---- | M] (Microsoft Corporation) MD5=956D030D375F207B22FB111E06EF9C35 -- C:\Windows\winsxs\amd64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_59aca8ea51aaeefe\netlogon.dll
[2009/07/13 20:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\SysWOW64\netlogon.dll
[2009/07/13 20:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\wow64_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_6401533c860bb0f9\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2009/07/13 20:45:45 | 000,167,488 | ---- | M] (NVIDIA Corporation) MD5=477DC4D6DEB99BE37084C9AC6D013DA1 -- C:\Windows\SysNative\drivers\nvstor.sys
[2009/07/13 20:45:45 | 000,167,488 | ---- | M] (NVIDIA Corporation) MD5=477DC4D6DEB99BE37084C9AC6D013DA1 -- C:\Windows\SysNative\DriverStore\FileRepository\nvraid.inf_amd64_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/13 20:45:45 | 000,167,488 | ---- | M] (NVIDIA Corporation) MD5=477DC4D6DEB99BE37084C9AC6D013DA1 -- C:\Windows\winsxs\amd64_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_95cfb4ced8afab0e\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009/07/13 20:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\SysWOW64\scecli.dll
[2009/07/13 20:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\wow64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_9e577e55272d37b4\scecli.dll
[2009/07/13 20:41:53 | 000,232,448 | ---- | M] (Microsoft Corporation) MD5=398712DDDAEFB85EDF61DF6A07B65C79 -- C:\Windows\SysNative\scecli.dll
[2009/07/13 20:41:53 | 000,232,448 | ---- | M] (Microsoft Corporation) MD5=398712DDDAEFB85EDF61DF6A07B65C79 -- C:\Windows\winsxs\amd64_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_9402d402f2cc75b9\scecli.dll

< MD5 for: USBSTOR.SYS >
[2009/07/13 19:06:34 | 000,089,600 | ---- | M] (Microsoft Corporation) MD5=080D3820DA6C046BE82FC8B45A893E83 -- C:\Windows\SysNative\drivers\USBSTOR.SYS
[2009/07/13 19:06:34 | 000,089,600 | ---- | M] (Microsoft Corporation) MD5=080D3820DA6C046BE82FC8B45A893E83 -- C:\Windows\SysNative\DriverStore\FileRepository\usbstor.inf_amd64_neutral_c301b770e0bfb179\USBSTOR.SYS
[2009/07/13 19:06:34 | 000,089,600 | ---- | M] (Microsoft Corporation) MD5=080D3820DA6C046BE82FC8B45A893E83 -- C:\Windows\winsxs\amd64_usbstor.inf_31bf3856ad364e35_6.1.7600.16385_none_a47b405db18421ea\USBSTOR.SYS

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >

< >

========== Alternate Data Streams ==========

@Alternate Data Stream - 1104 bytes -> C:\ProgramData\Microsoft:jDS1Vnia5cJ4dpmiy9RTnner
@Alternate Data Stream - 1101 bytes -> C:\Users\Michael2\AppData\Local\Temp:TXHfrEfoulmEP6XE64Li33b0vqhr
@Alternate Data Stream - 104 bytes -> C:\ProgramData\TEMP:D1B5B4F1
@Alternate Data Stream - 1007 bytes -> C:\Users\Michael2\AppData\Local\Temp:oYGvyWQygzhHhPPrgwb
@Alternate Data Stream - 1001 bytes -> C:\ProgramData\Microsoft:bbaeSCMEl6sgfzJwGGMcreKXZl

< End of report >

RSMike

Newbie Surfer
Newbie Surfer

Posts : 9
Joined : 2011-02-25
Operating System : Windows 7

View user profile

Back to top Go down

Re: Cybergate RAT

Post by RSMike on Fri 25 Feb 2011, 12:49 pm

OTL Extras logfile created on: 24/02/2011 8:36:32 PM - Run 1
OTL by OldTimer - Version 3.2.21.0 Folder = C:\Users\Michael2\Desktop
64bit- Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 81.00% Memory free
7.00 Gb Paging File | 7.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 455.63 Gb Total Space | 261.51 Gb Free Space | 57.39% Space Free | Partition Type: NTFS

Computer Name: MICHAELSLAPTOP | User Name: Michael2 | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.html[@ = ChromeHTML] -- Reg Error: Key error. File not found
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" File not found
http [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" File not found
https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1" File not found
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l File not found
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [Bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS5\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1"
http [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1"
https [open] -- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -- "%1"
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Bridge] -- C:\Program Files (x86)\Adobe\Adobe Bridge CS5\Bridge.exe "%L" (Adobe Systems, Inc.)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0DA20600-6130-443B-9D4B-F30520315FA6}" = Bonjour Print Services
"{1E9FC118-651D-4934-97BE-E53CAE5C7D45}" = Microsoft_VC80_MFCLOC_x86_x64
"{4569AD91-47F4-4D9E-8FC9-717EC32D7AE1}" = Microsoft_VC80_CRT_x86_x64
"{6DE721A5-5E89-4D74-994C-652BB3C0672E}" = Pinnacle Video Driver
"{77B8B4A5-EE79-4907-A318-2DA86325B8D7}" = iTunes
"{8557397C-A42D-486F-97B3-A2CBC2372593}" = Microsoft_VC90_ATL_x86_x64
"{8E34682C-8118-31F1-BC4C-98CD9675E1C2}" = Microsoft .NET Framework 4 Extended
"{90140000-006D-0409-1000-0000000FF1CE}" = Microsoft Office Click-to-Run 2010
"{925D058B-564A-443A-B4B2-7E90C6432E55}" = Microsoft_VC80_ATL_x86_x64
"{92A3CA0D-55CD-4C5D-BA95-5C2600C20F26}" = Microsoft_VC90_CRT_x86_x64
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Alps Pointing-device for VAIO
"{A472B9E4-0AFF-4F7B-B25D-F64F8E928AAB}" = Microsoft_VC90_MFC_x86_x64
"{B1FB7D5C-20CE-4CB6-8F39-306EFDA8290C}" = Symantec Endpoint Protection
"{C8C1BAD5-54E6-4146-AD07-3A8AD36569C3}" = Microsoft_VC80_MFC_x86_x64
"{DB9C43F7-0B0F-4E43-9E6B-F945C71C469E}" = VD64Inst
"{E489BCB7-D57D-4751-AAB6-589AF66E2F7F}" = Trapcode Particular
"{E4F5E48E-7155-4CF9-88CD-7F377EC9AC54}" = Bonjour
"{E5C95CA5-4565-4B9D-97ED-05088D775614}" = Apple Mobile Device Support
"{EE936C7A-EA40-31D5-9B65-8E3E089C3828}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"3BA80AB4C7E9F8497C115C844953A3D4BEB84D21" = Windows Driver Package - Broadcom HIDClass (07/28/2009 6.2.0.9800)
"930E4792BDAEAFB62A9514EE7578775658A5D07C" = Windows Driver Package - Broadcom Bluetooth (09/09/2009 6.2.0.9405)
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{00721C5E-5B17-494C-95E5-208415864F62}" =
"{024521CF-C07E-4F8E-8481-0D75695E03AF}" = PxMergeModule
"{033E378E-6AD3-4AD5-BDEB-CBD69B31046C}" = Microsoft_VC90_ATL_x86
"{08D2E121-7F6A-43EB-97FD-629B44903403}" = Microsoft_VC90_CRT_x86
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Central Data
"{0D2DBE8A-43D0-7830-7AE7-CA6C99A832E7}" = Adobe Community Help
"{0F3647F8-E51D-4FCC-8862-9A8D0C5ACF25}" = Microsoft_VC80_ATL_x86
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Central Tools
"{26A24AE4-039D-4CA4-87B4-2F83216020F0}" = Java(TM) 6 Update 20
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 24
"{317AC0C7-FEBF-0409-87A3-4FC70D0ED900}" = Autodesk 3ds Max 2010 32-bit
"{37B03AA0-B125-4649-900C-F26E1081F163}" = Camtasia Studio 7
"{39E1BE73-158F-4C3E-95B9-721BBFEE974E}" = Ida
"{3B78608F-D09A-11DF-A54E-0013D3D69929}" = Vegas Pro 10.0
"{3D347E6D-5A03-4342-B5BA-6A771885F379}" = Autodesk Backburner 2008.1
"{40719211-D09A-11DF-BA30-0013D3D69929}" = MSVCRT Redists
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{537BF16E-7412-448C-95D8-846E85A1D817}" = Roxio Easy Media Creator 10 LJ
"{53BC789D-073D-47B6-AA9F-DE05990AF07A}" = Adobe Creative Suite 5 Production Premium
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{596BED91-A1D8-4DF1-8CD1-1C777F7588AC}" = VAIO DVD Menu Data
"{5D87C09F-512F-474A-A306-0FE3B89C396F}" = RuneScape Launcher 1.0.4
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{635FED5B-2C6D-49BE-87E6-7A6FCD22BC5A}" = Microsoft_VC90_MFC_x86
"{6754AE0D-B2E1-45E4-835F-FDFEC373DE8A}" = VAIO Hardware Diagnostics
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6E9EF98E-259E-416D-B5F8-0ABDB99942CE}" = Adobe Flash Player 10 ActiveX
"{70991E0A-1108-437E-BA7D-085702C670C0}" =
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Central Audio
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{8DE50158-80AA-4FF2-9E9F-0A7C46F71FCD}" = VAIO Media plus
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{92D58719-BBC1-4CC3-A08B-56C9E884CC2C}" = Microsoft_VC80_CRT_x86
"{95140000-0070-0000-0000-0000000FF1CE}" = Microsoft Office 2010
"{96D0B6C6-5A72-4B47-8583-A87E55F5FE81}" =
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A78FE97A-C0C8-49CE-89D0-EDD524A17392}" = PDF Settings CS5
"{A9495514-098A-4869-A464-C455857BC464}" = Multimedia Mouse Driver
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.1
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Central Copy
"{BC41C09D-FAA9-4346-9FE6-1E0017BC551A}" = Adobe Flash Player 10 Plugin
"{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}" = Skype Toolbars
"{D041EB9E-890A-4098-8F94-51DA194AC72A}" = Pinnacle Studio 12
"{D1A19B02-817E-4296-A45B-07853FD74D57}" = Microsoft_VC80_MFC_x86
"{D92BBB52-82FF-42ED-8A3C-4E062F944AB7}" = Microsoft_VC80_MFCLOC_x86
"{DE3A9DC5-9A5D-6485-9662-347162C7E4CA}" = Adobe Media Player
"{DE8AAC73-6D8D-483E-96EA-CAEDDADB9079}" = ArcSoft WebCam Companion 3
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.1
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Central Core
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Graphics Media Accelerator Driver
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FB77DB0C-6951-47B6-9D80-A0FDBEE0334C}" =
"{FE51662F-D8F6-43B5-99D9-D4894AF00F83}" = Roxio Easy Media Creator Home
"Adobe AIR" = Adobe AIR
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Akamai" = Akamai NetSession Interface
"Ares" = Ares 2.1.7
"Autodesk FBX Plugin 2009.4 - 3ds Max 2010" = Autodesk FBX Plugin 2009.4 - 3ds Max 2010
"boujou 4.1_is1" = boujou 4.1.0
"chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Community Help
"Color Detector 1.0_is1" = Color Detector 1.0
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"DivX Setup.divx.com" = DivX Setup
"ESET Online Scanner" = ESET Online Scanner v3
"HASP Device Drivers" = HASP Device Drivers
"HyperCam 2" = HyperCam 2
"HyperCam Toolbar" = HyperCam Toolbar
"InstallShield_{A9495514-098A-4869-A464-C455857BC464}" = Multimedia Mouse Driver
"InstallShield_{E489BCB7-D57D-4751-AAB6-589AF66E2F7F}" = Trapcode Particular
"LimeWire" = LimeWire 5.5.16
"LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"mIRC" = mIRC
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"Office14.Click2Run" = Microsoft Office Click-to-Run 2010
"Picasa 3" = Picasa 3
"WinRAR archiver" = WinRAR archiver

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 05/02/2011 4:29:09 PM | Computer Name = MichaelsLaptop | Source = Microsoft-Windows-User Profiles Service | ID = 1505
Description = Windows cannot load the user's profile but has logged you on with
the default profile for the system. DETAIL - Access is denied.

Error - 05/02/2011 4:40:43 PM | Computer Name = MichaelsLaptop | Source = Microsoft-Windows-User Profiles Service | ID = 1505
Description = Windows cannot load the user's profile but has logged you on with
the default profile for the system. DETAIL - Access is denied.

Error - 05/02/2011 4:42:55 PM | Computer Name = MichaelsLaptop | Source = Microsoft-Windows-User Profiles Service | ID = 1505
Description = Windows cannot load the user's profile but has logged you on with
the default profile for the system. DETAIL - Access is denied.

Error - 05/02/2011 5:21:18 PM | Computer Name = MichaelsLaptop | Source = Microsoft-Windows-User Profiles Service | ID = 1505
Description = Windows cannot load the user's profile but has logged you on with
the default profile for the system. DETAIL - Access is denied.

Error - 05/02/2011 5:37:01 PM | Computer Name = MichaelsLaptop | Source = Microsoft-Windows-User Profiles Service | ID = 1505
Description = Windows cannot load the user's profile but has logged you on with
the default profile for the system. DETAIL - Access is denied.

Error - 05/02/2011 5:48:47 PM | Computer Name = MichaelsLaptop | Source = Microsoft-Windows-User Profiles Service | ID = 1505
Description = Windows cannot load the user's profile but has logged you on with
the default profile for the system. DETAIL - Access is denied.

Error - 06/02/2011 3:13:25 PM | Computer Name = MichaelsLaptop | Source = Application Error | ID = 1000
Description = Faulting application name: ProtectionUtilSurrogate.exe, version: 11.0.4202.48,
time stamp: 0x4a0a5dfc Faulting module name: ole32.dll, version: 6.1.7600.16624,
time stamp: 0x4c297c56 Exception code: 0xc0000005 Fault offset: 0x00012ba9 Faulting
process id: 0xb34 Faulting application start time: 0x01cbc630ccd0b535 Faulting application
path: C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
Faulting
module path: C:\Windows\syswow64\ole32.dll Report Id: 2ba72b13-3225-11e0-b5d3-c44619c1555d

Error - 06/02/2011 3:14:23 PM | Computer Name = MichaelsLaptop | Source = Automatic LiveUpdate Scheduler | ID = 101
Description =

Error - 06/02/2011 4:23:30 PM | Computer Name = MichaelsLaptop | Source = Application Hang | ID = 1002
Description = The program Explorer.EXE version 6.1.7600.16450 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: a7c Start
Time: 01cbc63b7d734c6c Termination Time: 31 Application Path: C:\Windows\Explorer.EXE

Report
Id: effb2d05-322e-11e0-93c2-c44619c1555d

Error - 06/02/2011 4:44:13 PM | Computer Name = MichaelsLaptop | Source = SescLU | ID = 13
Description = LiveUpdate returned a non-critical error. Available content updates
may have failed to install.

[ System Events ]
Error - 06/02/2011 7:33:53 PM | Computer Name = MichaelsLaptop | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Roxio
Upnp Server 10 service to connect.

Error - 09/02/2011 4:09:49 PM | Computer Name = MichaelsLaptop | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Roxio
Upnp Server 10 service to connect.

Error - 12/02/2011 2:11:54 PM | Computer Name = MichaelsLaptop | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Roxio
Upnp Server 10 service to connect.

Error - 12/02/2011 4:04:09 PM | Computer Name = MichaelsLaptop | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Roxio
Upnp Server 10 service to connect.

Error - 12/02/2011 6:58:17 PM | Computer Name = MichaelsLaptop | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Roxio
Upnp Server 10 service to connect.

Error - 13/02/2011 11:29:55 AM | Computer Name = MichaelsLaptop | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Roxio
Upnp Server 10 service to connect.

Error - 13/02/2011 12:31:10 PM | Computer Name = MichaelsLaptop | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Roxio
Upnp Server 10 service to connect.

Error - 13/02/2011 11:48:53 PM | Computer Name = MichaelsLaptop | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Roxio
Upnp Server 10 service to connect.

Error - 16/02/2011 3:56:20 PM | Computer Name = MichaelsLaptop | Source = Service Control Manager | ID = 7009
Description = A timeout was reached (30000 milliseconds) while waiting for the Roxio
Upnp Server 10 service to connect.

Error - 19/02/2011 4:56:38 PM | Computer Name = MichaelsLaptop | Source = Service Control Manager | ID = 7034
Description = The Bonjour Service service terminated unexpectedly. It has done
this 1 time(s).


< End of report >

RSMike

Newbie Surfer
Newbie Surfer

Posts : 9
Joined : 2011-02-25
Operating System : Windows 7

View user profile

Back to top Go down

Re: Cybergate RAT

Post by RSMike on Fri 25 Feb 2011, 12:55 pm

Also, I'm in safemode with networking right now as advised from my friend on another website.

The virus was out of pure stupidity on my part.. i downloaded this file:

[You must be registered and logged in to see this link.]

And thats what gave it to me.

RSMike

Newbie Surfer
Newbie Surfer

Posts : 9
Joined : 2011-02-25
Operating System : Windows 7

View user profile

Back to top Go down

Re: Cybergate RAT

Post by Belahzur on Sat 26 Feb 2011, 12:57 pm

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    O4 - HKLM..\Run: [runnn] C:\Users\Michael2\AppData\Roaming\runnn\runnn.exe ()
    O4 - HKCU..\Run: [runnn] C:\Users\Michael2\AppData\Roaming\runnn\runnn.exe ()
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: Policies = C:\Users\Michael2\AppData\Roaming\install\server.exe ()
    [2011/02/23 17:37:03 | 000,006,144 | ---- | M] () -- C:\Users\Michael2\AppData\Roaming\run.bat



  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer
Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Cybergate RAT

Post by RSMike on Sat 26 Feb 2011, 1:39 pm

========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\runnn deleted successfully.
C:\Users\Michael2\AppData\Roaming\runnn\runnn.exe moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\runnn deleted successfully.
File C:\Users\Michael2\AppData\Roaming\runnn\runnn.exe not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\Policies deleted successfully.
C:\Users\Michael2\AppData\Roaming\install\server.exe moved successfully.
C:\Users\Michael2\AppData\Roaming\run.bat moved successfully.

OTL by OldTimer - Version 3.2.21.0 log created on 02252011_213759



I'm no expert, but I noticed it didn't mention anything about the C:\directory\CyberGate\install\server.exe file which is the RAT virus.

RSMike

Newbie Surfer
Newbie Surfer

Posts : 9
Joined : 2011-02-25
Operating System : Windows 7

View user profile

Back to top Go down

Re: Cybergate RAT

Post by Belahzur on Sun 27 Feb 2011, 12:32 pm

Hello.

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com


Rename ComboFix.exe to commy.exe before you save it to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
  • Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer
Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Cybergate RAT

Post by RSMike on Sun 27 Feb 2011, 1:50 pm

ComboFix 11-02-25.02 - Michael2 26/02/2011 21:28:48.1.4 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.2.1033.18.3758.3079 [GMT -5:00]
Running from: c:\users\Michael2\Desktop\commy.exe
Command switches used :: /stepdel
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\directory\CyberGate
c:\windows\SysWow64\UNWISE.EXE
c:\directory\CyberGate\install\server.exe
c:\program files (x86)\HyperCam Toolbar\tbHElper.dll
c:\users\Michael2\AppData\Roaming\logs.dat
c:\users\Michael2\AppData\Roaming\runnn.exe
c:\windows\system32\arp.exe . . . . Failed to delete
c:\windows\system32\slwga.dll . . . . Failed to delete
c:\windows\system32\systemcpl.dll . . . . Failed to delete
c:\windows\SysWow64\arp.exe

.
((((((((((((((((((((((((( Files Created from 2011-01-27 to 2011-02-27 )))))))))))))))))))))))))))))))
.

2011-02-27 02:24 . 2011-02-27 02:26 -------- d-----w- C:\commy
2011-02-26 02:37 . 2011-02-26 02:37 -------- d-----w- C:\_OTL
2011-02-24 00:52 . 2011-02-24 00:52 -------- d-----w- c:\program files (x86)\ESET
2011-02-23 23:38 . 2011-02-27 02:29 -------- d-----w- C:\directory
2011-02-23 17:26 . 2010-09-14 06:45 367104 ----a-w- c:\windows\system32\wcncsvc.dll
2011-02-23 17:26 . 2010-09-14 06:07 276992 ----a-w- c:\windows\SysWow64\wcncsvc.dll
2011-02-22 20:05 . 2011-01-07 07:31 442880 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2011-02-22 20:05 . 2011-01-07 08:07 662528 ----a-w- c:\windows\system32\XpsPrint.dll
2011-02-22 20:05 . 2011-01-07 08:07 475648 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 20:05 . 2011-01-07 07:31 288256 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2011-02-19 18:38 . 2011-02-19 18:38 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-02-13 18:34 . 2011-02-16 19:53 -------- d-----w- c:\program files (x86)\Microsoft Application Virtualization Client
2011-02-12 20:07 . 2011-02-12 20:20 -------- d-----w- c:\windows\SysWow64\Adobe
2011-02-08 19:52 . 2010-12-18 06:11 714752 ----a-w- c:\windows\system32\kerberos.dll
2011-02-08 19:51 . 2011-01-05 06:20 612352 ----a-w- c:\windows\system32\vbscript.dll
2011-02-08 19:51 . 2011-01-05 05:37 428032 ----a-w- c:\windows\SysWow64\vbscript.dll
2011-02-08 19:51 . 2010-10-27 05:18 5510528 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-02-08 19:51 . 2010-10-27 05:16 1739176 ----a-w- c:\windows\system32\ntdll.dll
2011-02-08 19:51 . 2010-10-27 04:40 1293120 ----a-w- c:\windows\SysWow64\ntdll.dll
2011-02-08 19:51 . 2010-10-27 04:43 3901824 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2011-02-08 19:51 . 2010-10-27 04:43 3957120 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2011-02-08 19:51 . 2011-01-07 05:49 366080 ----a-w- c:\windows\system32\atmfd.dll
2011-02-08 19:51 . 2011-01-07 05:33 294400 ----a-w- c:\windows\SysWow64\atmfd.dll
2011-02-08 19:51 . 2011-01-07 08:06 46080 ----a-w- c:\windows\system32\atmlib.dll
2011-02-08 19:51 . 2011-01-07 07:27 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2011-02-06 20:15 . 2011-02-06 20:22 -------- d-----w- c:\users\Michael2
2011-02-06 19:40 . 2011-02-06 19:41 173616 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2011-02-06 19:40 . 2011-02-06 19:41 -------- d-----w- c:\program files\Symantec
2011-02-06 19:40 . 2011-02-06 19:40 -------- d-----w- c:\program files\Common Files\Symantec Shared
2011-02-06 19:39 . 2011-02-06 19:40 -------- d-----w- c:\program files (x86)\Symantec
2011-02-06 19:35 . 2011-02-06 20:24 -------- d-----w- c:\program files (x86)\Ida
2011-02-05 22:02 . 2011-02-05 22:02 -------- d-----w- c:\windows\system32\%LOCALAPPDATA%
2011-02-05 20:34 . 2011-02-05 20:34 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-02-05 20:33 . 2010-12-20 23:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-02-05 20:33 . 2011-02-05 20:33 -------- d-----w- c:\programdata\Malwarebytes
2011-02-05 20:33 . 2011-02-05 20:33 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-02-05 20:33 . 2010-12-20 23:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-05 19:05 . 2011-02-05 19:05 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2011-02-05 18:59 . 2011-02-05 18:59 -------- d-----w- c:\users\TEMP
2011-02-05 05:52 . 2011-02-05 05:52 -------- d-----w- c:\users\Michael\AppData\Roaming\skypePM
2011-02-05 05:26 . 2011-02-05 05:26 -------- d-----w- c:\program files (x86)\Common Files\Skype
2011-02-05 05:26 . 2011-02-05 08:51 -------- d-----w- c:\users\Michael\AppData\Roaming\Skype
2011-02-05 05:26 . 2011-02-05 05:26 -------- d-----r- c:\program files (x86)\Skype
2011-02-05 05:25 . 2011-02-05 05:25 -------- d-----w- c:\programdata\Skype
2011-01-29 21:08 . 2011-01-29 21:08 -------- dc----w- c:\windows\system32\DRVSTORE
2011-01-29 21:08 . 2009-05-18 18:17 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-01-29 21:08 . 2008-04-17 17:12 126312 ----a-w- c:\windows\system32\GEARAspi64.dll
2011-01-29 21:08 . 2008-04-17 17:12 107368 ----a-w- c:\windows\SysWow64\GEARAspi.dll
2011-01-29 21:07 . 2011-01-29 21:07 -------- d-----w- c:\program files\iPod
2011-01-29 21:07 . 2011-01-29 21:08 -------- d-----w- c:\programdata\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2011-01-29 21:07 . 2011-01-29 21:08 -------- d-----w- c:\program files\iTunes
2011-01-29 21:07 . 2011-01-29 21:08 -------- d-----w- c:\program files (x86)\iTunes
2011-01-29 21:06 . 2011-01-29 21:06 -------- d-----w- c:\program files\Common Files\Apple
2011-01-29 21:06 . 2011-01-29 21:06 -------- d-----w- c:\program files\Bonjour
2011-01-29 21:06 . 2011-01-29 21:06 -------- d-----w- c:\program files (x86)\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-03 02:40 . 2010-09-26 20:52 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-01-13 10:20 . 2011-01-24 00:33 7844688 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A9222B18-1B80-4259-9D86-7F4E6370431B}\mpengine.dll
2010-12-02 03:35 . 2010-12-02 03:35 4280320 ----a-w- c:\windows\SysWow64\GPhotos.scr
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2010-03-28 13:24 . 2010-03-28 13:24 156592 ----a-w- c:\program files (x86)\fraps64.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2010-08-11 115560]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files (x86)\Roxio\Digital Home 10\RoxioUpnpService10.exe [2009-08-31 362992]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
R3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-12-14 56344]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files (x86)\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2009-08-31 313840]
R3 SwitchBoard;SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-24 1255736]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-07-12 55856]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 aksdf;aksdf;c:\windows\system32\DRIVERS\aksdf.sys [2006-12-13 65024]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\program files (x86)\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [2009-03-12 86016]
S2 rimspci;rimspci;c:\windows\system32\drivers\rimssne64.sys [2009-11-06 93696]
S2 risdsnpe;risdsnpe;c:\windows\system32\drivers\risdsne64.sys [2009-09-15 75776]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-04-24 483688]
S3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2009-11-18 52264]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-10-18 132656]
S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2009-12-16 151936]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2009-12-16 244736]
S3 NMgamingmsFltr;USB Optical Mouse;c:\windows\system32\drivers\NMgamingms.sys [2009-07-24 11264]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2009-08-19 11392]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2010-04-24 721768]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2010-04-24 269672]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2010-04-24 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2010-04-24 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-04-24 209768]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [2009-11-12 395264]


[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Michael2\AppData\Roaming\Mozilla\Firefox\Profiles\wir80j3f.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: RuneScape Community Toolbar: {a8864317-e18b-4292-99d9-e6e65ab905d3} - %profile%\extensions\{a8864317-e18b-4292-99d9-e6e65ab905d3}
FF - Ext: Conduit Engine : [You must be registered and logged in to see this link.] - %profile%\extensions\engine@conduit.com
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: HyperCamToolbar: {75656794-AB59-4712-BFBC-5D816D56F3BC} - %profile%\extensions\{75656794-AB59-4712-BFBC-5D816D56F3BC}
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -

Notify-VESWinlogon - VESWinlogon.dll
SafeBoot-Symantec Antvirus
HKLM_Wow6432Node-ActiveSetup-{CG08B0E5JF-4FCB-11CF-AAA5-00401C6XX500} - c:\users\Michael2\AppData\Roaming\install\server.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-HASP Device Drivers - c:\windows\system32\UNWISE.EXE


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:e7,0d,8f,c3,13,e4,e8,9b,70,ae,40,ab,d2,61,4d,02,14,7e,d9,aa,34,
eb,5d,d7,b5,93,6e,fc,89,71,3f,d1,c0,7c,87,12,8f,10,f6,0f,2c,f1,28,4d,c8,12,\

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10g_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10g_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10g.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10g.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10g.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10g.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:e7,0d,8f,c3,13,e4,e8,9b,70,ae,40,ab,d2,61,4d,02,14,7e,d9,aa,34,
eb,5d,d7,b5,93,6e,fc,89,71,3f,d1,c0,7c,87,12,8f,10,f6,0f,2c,f1,28,4d,c8,12,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
.
**************************************************************************
.
Completion time: 2011-02-26 21:39:11 - machine was rebooted
ComboFix-quarantined-files.txt 2011-02-27 02:39

Pre-Run: 280,627,220,480 bytes free
Post-Run: 281,493,794,816 bytes free

- - End Of File - - D4C8C133DD224729D7C551727BE8D663

RSMike

Newbie Surfer
Newbie Surfer

Posts : 9
Joined : 2011-02-25
Operating System : Windows 7

View user profile

Back to top Go down

Re: Cybergate RAT

Post by Belahzur on Mon 28 Feb 2011, 12:41 pm

Hello.

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer
Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Cybergate RAT

Post by RSMike on Mon 28 Feb 2011, 11:24 pm

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=4d268e74d1229740b4faceb9ef8e8633
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-02-24 01:38:26
# local_time=2011-02-23 08:38:26 (-0500, Eastern Standard Time)
# country="Canada"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=5893 16776638 100 94 1789124 50052340 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=174393
# found=2
# cleaned=2
# scan_time=2615
C:\Users\Michael\AppData\Roaming\OpenCandy\OpenCandy_1228C21FF30545E6B8AB44B7D9DDC49A\PPIRegistryReviverSetup.exe a variant of Win32/SlowPCfighter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Users\Michael\AppData\Roaming\OpenCandy\OpenCandy_1228C21FF30545E6B8AB44B7D9DDC49A\PPIRegistryReviver_p21v1.exe a variant of Win32/SlowPCfighter application (deleted - quarantined) 00000000000000000000000000000000 C
# version=7
# iexplore.exe=8.00.7600.16385 (win7_rtm.090713-1255)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=4d268e74d1229740b4faceb9ef8e8633
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-02-28 06:07:56
# local_time=2011-02-28 01:07:56 (-0500, Eastern Standard Time)
# country="Canada"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=5893 16776638 100 94 2149749 50412965 0 0
# compatibility_mode=8192 67108863 100 0 277993 277993 0 0
# scanned=172124
# found=0
# cleaned=0
# scan_time=3761

RSMike

Newbie Surfer
Newbie Surfer

Posts : 9
Joined : 2011-02-25
Operating System : Windows 7

View user profile

Back to top Go down

Re: Cybergate RAT

Post by Belahzur on Tue 01 Mar 2011, 12:38 pm

Hello.

I see that you are running Limewire.
P2P(Peer to peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

  • Click Start >> Control Panel.
  • Under the Programs click Uninstall a Program
  • Highlight the following:

    Adobe Reader 9.4.1
    Ares 2.1.7
    Java(TM) 6 Update 20
    LimeWire 5.5.16

  • Click on the Uninstall/Change button at the top.

Then download and install Adobe Reader X

How is the machine running now?


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer
Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Cybergate RAT

Post by RSMike on Tue 01 Mar 2011, 2:02 pm

Hmmm good to know, I'll remove those My laptop is running great! MBAM and Symantec scans are showing up clean, thank you so so much for your help. It's greatly appreciated. First time using GeekPolice and I'm very satisfied and will definitely share with my friends.

Cheers,
Mike

RSMike

Newbie Surfer
Newbie Surfer

Posts : 9
Joined : 2011-02-25
Operating System : Windows 7

View user profile

Back to top Go down

Re: Cybergate RAT

Post by Belahzur on Wed 02 Mar 2011, 12:54 pm

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

  • SpywareBlaster
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  • Spybot - Search & Destroy.
    Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
[You must be registered and logged in to see this link.]

Securing your computer

  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

  • Firefox may be downloaded from here: [You must be registered and logged in to see this link.]
  • Opera is available here: [You must be registered and logged in to see this link.]
  • Google Chrome is available here: Google Chrome
  • SRWare Iron is available here: SRWare Iron

Thank you for choosing GeekPolice. [You must be registered and logged in to see this link.]


@RealBelahzur - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur

Manager | Tech Officer
Manager | Tech Officer

Posts : 34917
Joined : 2008-08-04
Operating System : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Cybergate RAT

Post by Sponsored content Today at 2:26 am


Sponsored content


Back to top Go down

View previous topic View next topic Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum