W32.Blaster.Worm


Post by shreksdog on Wed Aug 31, 2011 6:39 am

Hi. I got hit by a blue screen saying something about a "physical unloading of C drive", or something of that nature. I panicked and turned the computer off. When I restarted it I was asked to verify my Windows, which I foolishly did. Then there was a new icon on my desktop for "Security Protection". This progressively stopped me from opening all .exe files until almost nothing worked, and it kept telling me that they were infected with W32.Blaster.worm and that I should run this "Security Protection" to safeguard my computer. I didn't run the program, but it seems to have shut down my Microsoft Security Centre. I didn't know what to do; then all of a sudden all the programs came back online and seem to be operating as usual, except I know they aren't. I have followed the steps and attached the txt files as instructed. Please help me get this crap off my comp and advise me of the best way to keep it off.

Regards,

Tony

The OTL text won't load; it says it's invalid, so I have cut and pasted it below.


OTL logfile created on: 31/08/2011 2:06:18 PM - Run 1
OTL by OldTimer - Version 3.2.26.7 Folder = C:\Documents and Settings\Student\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

1.99 Gb Total Physical Memory | 1.44 Gb Available Physical Memory | 72.26% Memory free
3.84 Gb Paging File | 3.42 Gb Available in Paging File | 89.11% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 32.23 Gb Total Space | 22.20 Gb Free Space | 68.88% Space Free | Partition Type: NTFS
Drive D: | 42.30 Gb Total Space | 42.01 Gb Free Space | 99.30% Space Free | Partition Type: NTFS
Drive E: | 4.38 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: STUDENT-5367903 | User Name: Student | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/08/31 14:05:27 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Student\Desktop\OTL.com
PRC - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2009/10/29 20:41:20 | 001,021,256 | ---- | M] (TuneUp Software) -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
PRC - [2009/03/12 12:53:46 | 000,254,036 | ---- | M] (IDT, Inc.) -- c:\Program Files\IDT\IntelXPV_v103\WDM\stacsv.exe
PRC - [2008/11/10 04:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/14 15:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - [2011/05/23 13:20:02 | 000,435,016 | ---- | M] (TuneUp Software) [On_Demand | Stopped] -- C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe -- (TuneUp.Defrag)
SRV - [2011/04/27 15:39:26 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/10/29 20:41:20 | 001,021,256 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe -- (TuneUp.UtilitiesSvc)
SRV - [2009/10/29 20:38:10 | 000,030,024 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\WINDOWS\system32\uxtuneup.dll -- (UxTuneUp)
SRV - [2009/03/12 12:53:46 | 000,254,036 | ---- | M] (IDT, Inc.) [Auto | Running] -- c:\Program Files\IDT\IntelXPV_v103\WDM\stacsv.exe -- (STacSV)
SRV - [2008/11/10 04:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)


========== Driver Services (SafeList) ==========

DRV - [2011/08/31 12:41:07 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6047B299-4CD9-4F41-9D48-4C9B5E5EACBB}\MpKsld0da1a43.sys -- (MpKsld0da1a43)
DRV - [2009/10/14 07:24:44 | 000,010,064 | ---- | M] (TuneUp Software) [Kernel | On_Demand | Running] -- C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv)
DRV - [2009/03/12 12:53:46 | 001,550,613 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2008/08/05 05:56:27 | 000,038,528 | R--- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IAMTXP.sys -- (IAMTXP) Driver for Intel(R)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTNavAssist.dll (Yahoo! Inc.)
IE - HKCU\..\URLSearchHook: {9c0ae33a-d9dd-435c-9527-8a446285c568} - C:\Program Files\Softonic-Australia_\prxtbSoft.dll (Conduit Ltd.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=12.0.1.666: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=12.0.1.666: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=12.0.1.666: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=12.0.1.666: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=12.0.1.666: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.65\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2011/08/29 14:23:22 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{4E45387C-3AA4-42F1-BAF1-14B4F3FA2244}: C:\Documents and Settings\Student\Local Settings\Application Data\{4E45387C-3AA4-42F1-BAF1-14B4F3FA2244} [2011/08/31 12:13:30 | 000,000,000 | ---D | M]


Hosts file not found
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (Softonic-Australia_ Toolbar) - {9c0ae33a-d9dd-435c-9527-8a446285c568} - C:\Program Files\Softonic-Australia_\prxtbSoft.dll (Conduit Ltd.)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll (Google Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Conduit Engine ) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Softonic-Australia_ Toolbar) - {9c0ae33a-d9dd-435c-9527-8a446285c568} - C:\Program Files\Softonic-Australia_\prxtbSoft.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Yahoo!7 Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Softonic-Australia_ Toolbar) - {9C0AE33A-D9DD-435C-9527-8A446285C568} - C:\Program Files\Softonic-Australia_\prxtbSoft.dll (Conduit Ltd.)
O4 - HKLM..\Run: [MSC] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [Ujucelisuz] C:\WINDOWS\uheqeluw.dll (Winbond Electronics Corp.)
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_16)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 61.9.242.33 61.9.226.33
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/05/23 01:08:25 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{f804ce8c-84e1-11e0-bbbb-00167629540e}\Shell\AutoRun\command - "" = BACKUP\RESTORE\kingstone.exe
O33 - MountPoints2\{f804ce8c-84e1-11e0-bbbb-00167629540e}\Shell\open\command - "" = BACKUP\RESTORE\kingstone.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: UxTuneUp - C:\WINDOWS\system32\uxtuneup.dll (TuneUp Software)
NetSvcs: WmdmPmSp - File not found


SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: MsMpSvc - C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: MsMpSvc - C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Security Update for Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Shockwave Flash
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - Reg Error: Value error.
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.ac3acm - C:\WINDOWS\System32\ac3acm.acm (fccHandler)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.lameacm - C:\WINDOWS\System32\lameACM.acm (http://www.mp3dev.org/)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.3iv2 - C:\WINDOWS\System32\3ivxVfWCodec.dll (3ivx.com)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\divx.dll (DivXNetworks, Inc.)
Drivers32: VIDC.HFYU - C:\WINDOWS\System32\huffyuv.dll (Disappearing Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax ()
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll ()
Drivers32: VIDC.VP31 - C:\WINDOWS\System32\vp31vfw.dll (On2.com)
Drivers32: VIDC.VP60 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)
Drivers32: VIDC.VP61 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)
Drivers32: VIDC.VP62 - C:\WINDOWS\System32\vp6vfw.dll (On2.com)
Drivers32: VIDC.wmv3 - C:\WINDOWS\System32\WMV9VCM.dll (Microsoft Corporation)
Drivers32: vidc.XVID - C:\WINDOWS\System32\xvidvfw.dll ()

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/08/31 14:05:14 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Student\Desktop\OTL.com
[2011/08/31 12:19:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/08/31 12:18:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/08/31 12:15:57 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Student\Recent
[2011/08/31 12:13:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Student\Local Settings\Application Data\{4E45387C-3AA4-42F1-BAF1-14B4F3FA2244}
[2011/08/31 12:08:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2011/08/31 12:05:31 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2011/08/29 14:23:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
[2011/08/29 14:23:14 | 000,198,832 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\rmoc3260.dll
[2011/08/29 14:23:06 | 000,272,896 | ---- | C] (Progressive Networks) -- C:\WINDOWS\System32\pncrt.dll
[2011/08/29 14:23:06 | 000,006,656 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5016.dll
[2011/08/29 14:23:06 | 000,005,632 | ---- | C] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5032.dll
[2011/08/29 14:23:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Real
[2011/08/29 14:22:59 | 000,000,000 | ---D | C] -- C:\Program Files\Real
[2011/08/29 14:22:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Student\Application Data\Real
[2011/08/29 14:22:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Real
[2011/08/27 01:23:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Skype
[2011/08/26 13:46:03 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2011/08/26 13:45:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Student\Local Settings\Application Data\Softonic-Australia_
[2011/08/26 13:45:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Student\Local Settings\Application Data\ConduitEngine
[2011/08/26 13:45:58 | 000,000,000 | ---D | C] -- C:\Program Files\ConduitEngine
[2011/08/26 13:45:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Student\Local Settings\Application Data\Conduit
[2011/08/26 13:45:54 | 000,000,000 | ---D | C] -- C:\Program Files\Softonic-Australia_
[2011/08/16 18:00:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
[2011/08/08 22:12:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
[2011/08/05 22:55:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Yahoo! Messenger
[2011/08/04 22:00:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Student\Local Settings\Application Data\Temp
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/08/31 14:05:27 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Student\Desktop\OTL.com
[2011/08/31 14:05:00 | 000,000,888 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/08/31 13:46:18 | 000,000,290 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-299502267-1417001333-1606980848-1003.job
[2011/08/31 13:46:18 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-299502267-1417001333-1606980848-1003.job
[2011/08/31 13:06:23 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2011/08/31 12:34:57 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/08/31 12:30:32 | 000,000,490 | ---- | M] () -- C:\WINDOWS\tasks\Automatic troubleshooting.job
[2011/08/31 12:29:48 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/08/31 12:29:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/08/31 12:25:13 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/08/31 12:19:40 | 000,000,793 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Security Protection.lnk
[2011/08/31 12:10:52 | 000,012,540 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/08/31 12:10:52 | 000,012,540 | ---- | M] () -- C:\WINDOWS\System32\wpa.bak
[2011/08/29 14:23:30 | 000,001,601 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Free Movies & Games.lnk
[2011/08/29 14:23:30 | 000,000,929 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer.lnk
[2011/08/29 14:23:14 | 000,198,832 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\rmoc3260.dll
[2011/08/29 14:23:06 | 000,272,896 | ---- | M] (Progressive Networks) -- C:\WINDOWS\System32\pncrt.dll
[2011/08/29 14:23:06 | 000,006,656 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5016.dll
[2011/08/29 14:23:06 | 000,005,632 | ---- | M] (RealNetworks, Inc.) -- C:\WINDOWS\System32\pndx5032.dll
[2011/08/27 01:23:37 | 000,001,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2011/08/26 13:46:20 | 000,009,216 | ---- | M] () -- C:\Documents and Settings\Student\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/08/26 13:45:49 | 003,284,480 | ---- | M] () -- C:\Documents and Settings\Student\Desktop\CT3031786_Softonic-Australia_.exe
[2011/08/26 13:45:25 | 000,194,885 | ---- | M] () -- C:\Documents and Settings\Student\Desktop\hjsplit.zip
[2011/08/25 08:58:50 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/08/16 18:00:14 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/08/15 15:27:15 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/08/09 22:33:37 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/08/08 22:13:22 | 000,001,791 | ---- | M] () -- C:\Documents and Settings\Student\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/08/05 22:55:36 | 000,000,818 | ---- | M] () -- C:\Documents and Settings\Student\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2011/08/05 22:55:36 | 000,000,800 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/08/31 12:25:13 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/08/31 12:06:02 | 000,000,793 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Security Protection.lnk
[2011/08/29 14:23:45 | 000,000,290 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-299502267-1417001333-1606980848-1003.job
[2011/08/29 14:23:45 | 000,000,282 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-299502267-1417001333-1606980848-1003.job
[2011/08/29 14:23:30 | 000,001,601 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Free Movies & Games.lnk
[2011/08/29 14:23:30 | 000,000,929 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\RealPlayer.lnk
[2011/08/27 01:23:37 | 000,001,878 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2011/08/26 13:45:16 | 003,284,480 | ---- | C] () -- C:\Documents and Settings\Student\Desktop\CT3031786_Softonic-Australia_.exe
[2011/08/26 13:45:16 | 000,194,885 | ---- | C] () -- C:\Documents and Settings\Student\Desktop\hjsplit.zip
[2011/08/10 09:34:32 | 000,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/08/08 22:12:17 | 000,001,813 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2011/08/08 22:12:17 | 000,001,791 | ---- | C] () -- C:\Documents and Settings\Student\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/08/05 22:55:36 | 000,000,818 | ---- | C] () -- C:\Documents and Settings\Student\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Messenger.lnk
[2011/08/05 22:55:36 | 000,000,800 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Yahoo! Messenger.lnk
[2011/06/08 10:34:51 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\Student\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/07 01:09:58 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2011/05/29 17:55:36 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2011/05/23 14:52:32 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011/05/23 13:22:11 | 001,163,264 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2011/05/23 13:22:11 | 001,040,384 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2011/05/23 13:22:11 | 000,421,888 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2011/05/23 13:22:11 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2011/05/23 13:22:11 | 000,157,696 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2011/05/23 13:22:11 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\vorbisfile.dll
[2011/05/23 13:22:11 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
[2011/05/23 13:22:10 | 000,679,936 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2011/05/23 13:22:10 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2011/05/23 13:22:07 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\cpuinf32.dll
[2011/05/23 13:17:10 | 000,000,236 | -H-- | C] () -- C:\Program Files\Common Files\dx.reg
[2011/05/23 13:17:09 | 000,680,454 | ---- | C] () -- C:\WINDOWS\System32\msvcrtnew.dll
[2011/05/23 13:17:08 | 000,888,326 | ---- | C] () -- C:\WINDOWS\System32\kernel32new.dll
[2011/05/23 13:17:08 | 000,208,899 | ---- | C] () -- C:\WINDOWS\System32\d3d10_1core.dll
[2011/05/23 13:17:08 | 000,188,419 | ---- | C] () -- C:\WINDOWS\System32\d3d10core.dll
[2011/05/23 13:17:08 | 000,171,526 | ---- | C] () -- C:\WINDOWS\System32\dxgi.dll
[2011/05/23 13:17:08 | 000,159,750 | ---- | C] () -- C:\WINDOWS\System32\d3d10_1.dll
[2011/05/23 13:17:08 | 000,039,942 | ---- | C] () -- C:\WINDOWS\System32\dwmapi.dll
[2011/05/23 13:17:07 | 001,029,126 | ---- | C] () -- C:\WINDOWS\System32\d3d10.dll
[2011/05/23 13:17:07 | 000,376,832 | ---- | C] () -- C:\WINDOWS\System32\M2000Twn.dll
[2011/05/23 13:17:04 | 000,728,858 | ---- | C] () -- C:\Program Files\Common Files\unins000.exe
[2011/05/23 13:17:04 | 000,002,535 | ---- | C] () -- C:\Program Files\Common Files\unins000.dat
[2011/05/23 10:00:47 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2011/05/23 08:53:45 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/05/23 08:52:37 | 000,131,688 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/05/23 01:10:48 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/05/23 01:05:05 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/04/14 15:00:00 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\ir50_32.dll
[2008/04/14 15:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2008/04/14 15:00:00 | 000,338,432 | ---- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll
[2008/04/14 15:00:00 | 000,311,604 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2008/04/14 15:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2008/04/14 15:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2008/04/14 15:00:00 | 000,200,192 | ---- | C] () -- C:\WINDOWS\System32\ir50_qc.dll
[2008/04/14 15:00:00 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll
[2008/04/14 15:00:00 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\ir41_qc.dll
[2008/04/14 15:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2008/04/14 15:00:00 | 000,039,992 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2008/04/14 15:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2008/04/14 15:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2008/04/14 15:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2008/04/14 15:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2005/04/15 19:52:33 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2005/04/15 19:52:33 | 000,004,627 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat

========== Custom Scans ==========


< %APPDATA%\Microsoft\*.* >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %USERPROFILE%\Desktop\*.exe >
[2011/08/26 13:45:49 | 003,284,480 | ---- | M] () -- C:\Documents and Settings\Student\Desktop\CT3031786_Softonic-Australia_.exe
[2007/07/20 16:56:46 | 008,290,999 | ---- | M] () -- C:\Documents and Settings\Student\Desktop\EVEREST Recop.Info.Drivers.exe

< %PROGRAMFILES%\Common Files\*.* >
[2008/03/09 07:25:10 | 000,000,236 | -H-- | M] () -- C:\Program Files\Common Files\dx.reg
[2011/05/23 13:17:10 | 000,002,535 | ---- | M] () -- C:\Program Files\Common Files\unins000.dat
[2011/05/23 13:16:52 | 000,728,858 | ---- | M] () -- C:\Program Files\Common Files\unins000.exe

< %systemroot%\winn32\*.* >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.exe >

< %ProgramFiles%\TinyProxy. >

< %systemroot%\system32\*.* /lockedfiles >
[10 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.* /lockedfiles >

< %PROGRAMFILES%\*. >
[2011/05/23 11:32:59 | 000,000,000 | ---D | M] -- C:\Program Files\Adobe
[2011/08/16 18:00:06 | 000,000,000 | ---D | M] -- C:\Program Files\CCleaner
[2011/08/29 14:23:25 | 000,000,000 | ---D | M] -- C:\Program Files\Common Files
[2011/05/23 01:04:57 | 000,000,000 | ---D | M] -- C:\Program Files\ComPlus Applications
[2011/08/26 13:46:03 | 000,000,000 | ---D | M] -- C:\Program Files\Conduit
[2011/08/26 13:46:01 | 000,000,000 | ---D | M] -- C:\Program Files\ConduitEngine
[2011/08/08 22:12:00 | 000,000,000 | ---D | M] -- C:\Program Files\Google
[2011/05/23 09:56:35 | 000,000,000 | ---D | M] -- C:\Program Files\IDT
[2011/05/23 09:56:22 | 000,000,000 | -H-D | M] -- C:\Program Files\InstallShield Installation Information
[2011/05/23 09:33:20 | 000,000,000 | ---D | M] -- C:\Program Files\Intel
[2011/08/11 23:50:30 | 000,000,000 | ---D | M] -- C:\Program Files\Internet Explorer
[2011/05/23 13:14:31 | 000,000,000 | ---D | M] -- C:\Program Files\Java
[2011/05/23 13:22:15 | 000,000,000 | ---D | M] -- C:\Program Files\K-Lite Codec Pack
[2011/05/23 13:41:29 | 000,000,000 | ---D | M] -- C:\Program Files\Messenger
[2011/05/29 17:42:36 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft
[2011/05/23 14:51:53 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft ActiveSync
[2011/05/23 01:08:43 | 000,000,000 | ---D | M] -- C:\Program Files\microsoft frontpage
[2011/06/16 23:25:52 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Office
[2011/08/10 09:29:05 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Security Client
[2011/06/16 14:13:46 | 000,000,000 | ---D | M] -- C:\Program Files\Microsoft Silverlight
[2011/05/23 13:33:09 | 000,000,000 | ---D | M] -- C:\Program Files\Movie Maker
[2011/06/16 23:25:38 | 000,000,000 | ---D | M] -- C:\Program Files\MSECache
[2011/05/29 17:15:28 | 000,000,000 | ---D | M] -- C:\Program Files\MSN
[2011/05/23 01:04:32 | 000,000,000 | ---D | M] -- C:\Program Files\MSN Gaming Zone
[2011/05/29 19:03:46 | 000,000,000 | ---D | M] -- C:\Program Files\MSXML 4.0
[2011/05/23 14:42:01 | 000,000,000 | ---D | M] -- C:\Program Files\Nero
[2011/05/23 01:06:25 | 000,000,000 | ---D | M] -- C:\Program Files\NetMeeting
[2011/05/23 01:04:44 | 000,000,000 | ---D | M] -- C:\Program Files\Online Services
[2011/05/23 13:21:17 | 000,000,000 | ---D | M] -- C:\Program Files\Orban
[2011/05/23 13:33:33 | 000,000,000 | ---D | M] -- C:\Program Files\Outlook Express
[2011/08/29 14:23:28 | 000,000,000 | ---D | M] -- C:\Program Files\Real
[2011/08/27 01:23:37 | 000,000,000 | R--D | M] -- C:\Program Files\Skype
[2011/08/26 13:45:58 | 000,000,000 | ---D | M] -- C:\Program Files\Softonic-Australia_
[2011/05/23 13:20:01 | 000,000,000 | ---D | M] -- C:\Program Files\TuneUp Utilities 2010
[2011/05/23 01:16:43 | 000,000,000 | -H-D | M] -- C:\Program Files\Uninstall Information
[2011/05/29 17:42:31 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live
[2011/05/29 17:42:19 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Live SkyDrive
[2011/06/04 12:47:09 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Connect 2
[2011/06/04 18:48:41 | 000,000,000 | ---D | M] -- C:\Program Files\Windows Media Player
[2011/05/23 01:04:22 | 000,000,000 | ---D | M] -- C:\Program Files\Windows NT
[2011/05/23 01:07:01 | 000,000,000 | -H-D | M] -- C:\Program Files\WindowsUpdate
[2011/05/23 09:35:06 | 000,000,000 | ---D | M] -- C:\Program Files\WinRAR
[2011/05/23 01:08:43 | 000,000,000 | ---D | M] -- C:\Program Files\xerox
[2011/05/29 17:50:11 | 000,000,000 | ---D | M] -- C:\Program Files\Yahoo!


< MD5 for: AGP440.SYS >
[2008/04/14 15:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 15:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/14 15:00:00 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys

< MD5 for: DISK.SYS >
[2008/04/14 15:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:disk.sys
[2008/04/14 15:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys

< MD5 for: IASTOR.SYS >
[2009/06/04 18:43:16 | 000,330,264 | ---- | M] (Intel Corporation) MD5=D483687EACE0C065EE772481A96E05F5 -- C:\WINDOWS\Dell\Intel\IaStor.sys

< MD5 for: NETLOGON.DLL >
[2008/04/14 15:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 15:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2011-08-24 09:15:46

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --show-icons [2011/08/30 15:50:36 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --hide-icons [2011/08/30 15:50:36 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --make-default-browser [2011/08/30 15:50:36 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Program Files\Google\Chrome\Application\chrome.exe" [2011/08/30 15:50:36 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/06/23 20:05:37 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/06/23 20:05:37 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/06/23 20:05:37 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: %programfiles%\Internet Explorer\iexplore.exe [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --show-icons [2011/08/30 15:50:36 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --hide-icons [2011/08/30 15:50:36 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Program Files\Google\Chrome\Application\chrome.exe" --make-default-browser [2011/08/30 15:50:36 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Program Files\Google\Chrome\Application\chrome.exe" [2011/08/30 15:50:36 | 001,017,912 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\system32\ie4uinit.exe" -reinstall [2011/06/23 20:05:37 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -hide [2011/06/23 20:05:37 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\system32\ie4uinit.exe" -show [2011/06/23 20:05:37 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: %programfiles%\Internet Explorer\iexplore.exe [2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation)

< >

< End of report >


shreksdog (Novice) | Posts: 31 | Joined: 2009-07-08 | OS: XP
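
The file-listing lines in the OTL log above all share one format, and two of the checks a responder runs over them by eye can be automated. The following is an added example written for this page, not OTL's own code and not something the poster ran: it parses that line format, flags binaries created under %SystemRoot% with no company name (optionally inside a time window), and checks that every hashed copy of a driver in the "MD5 for:" section agrees. SAMPLE_FROM_LOG is copied from the log above; SAMPLE_TAMPERED is constructed to show what a split hash looks like (the log's own copies agree). The system-root prefix assumes %SystemRoot% = C:\WINDOWS, as this log reports.

```python
"""Added example for this page (not OTL's own code): parse OTL file-listing lines
and run two triage checks over them.  SAMPLE_FROM_LOG is copied from the log
above; SAMPLE_TAMPERED is constructed to show what a split hash looks like."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Set

# [YYYY/MM/DD HH:MM:SS | 000,123,456 | attrs | C|M] (Company)[ MD5=...| .cab file] -- path
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attr>[-A-Z]{4}) \| (?P<flag>[CM])\] "
    r"\((?P<company>[^)]*)\)(?P<extra>.*?) -- (?P<path>.+)$"
)
MD5_RE = re.compile(r"MD5=([0-9A-Fa-f]{32})")
SYSTEM_ROOTS = ("c:\\windows\\",)   # assumption: %SystemRoot% = C:\WINDOWS, as in this log
BINARY_EXT = (".dll", ".exe", ".sys", ".ax", ".ocx", ".cpl", ".scr")


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y/%m/%d %H:%M:%S")


def parse_otl_lines(text: str) -> List[dict]:
    """Parse every OTL file line in text; directory lines and anything else are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        md5 = MD5_RE.search(m["extra"])
        records.append({
            "ts": _ts(m["ts"]),
            "size": int(m["size"].replace(",", "")),
            "attr": m["attr"],
            "flag": m["flag"],        # OTL's own flag: C = created, M = modified
            "company": m["company"],  # empty when the file carries no company in its version info
            "md5": md5[1].upper() if md5 else None,
            "in_cab": ".cab file" in m["extra"],
            "path": m["path"],
        })
    return records


def unattributed_system_files(records: List[dict], start: Optional[str] = None,
                              end: Optional[str] = None) -> List[str]:
    """Binaries created under a system root with no company name, optionally
    limited to a time window.  A triage filter, not a verdict: codec packs and
    unsigned helper DLLs show up here alongside dropped malware."""
    lo = _ts(start) if start else None
    hi = _ts(end) if end else None
    hits = []
    for r in records:
        path = r["path"].lower()
        if r["flag"] != "C" or r["company"] or not path.startswith(SYSTEM_ROOTS):
            continue
        if not path.endswith(BINARY_EXT):
            continue
        if (lo and r["ts"] < lo) or (hi and r["ts"] > hi):
            continue
        hits.append(r["path"])
    return hits


def md5_mismatches(records: List[dict]) -> Dict[str, Set[str]]:
    """File names whose hashed copies (drivers, dllcache, ReinstallBackups) do not
    all share one MD5.  A live driver that differs from its dllcache copy is the
    classic sign of a patched driver, which is why OTL hashes atapi.sys in several places."""
    by_name = defaultdict(set)
    for r in records:
        if r["md5"]:
            by_name[r["path"].rsplit("\\", 1)[-1].lower()].add(r["md5"])
    return {name: hashes for name, hashes in by_name.items() if len(hashes) > 1}


SAMPLE_FROM_LOG = r"""
[2011/05/23 13:17:09 | 000,680,454 | ---- | C] () -- C:\WINDOWS\System32\msvcrtnew.dll
[2011/05/23 13:17:08 | 000,888,326 | ---- | C] () -- C:\WINDOWS\System32\kernel32new.dll
[2011/05/23 14:52:32 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011/05/23 10:00:47 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2008/04/14 15:00:00 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/14 15:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) MD5=044452051F3E02E7963599FC8F4F3E25 -- C:\WINDOWS\system32\drivers\disk.sys
"""

# Constructed, not from the log: the live atapi.sys copy now carries a different hash.
SAMPLE_TAMPERED = SAMPLE_FROM_LOG.replace(
    "MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\\WINDOWS\\system32\\drivers\\atapi.sys",
    "MD5=00000000000000000000000000000000 -- C:\\WINDOWS\\system32\\drivers\\atapi.sys")

if __name__ == "__main__":
    recs = parse_otl_lines(SAMPLE_FROM_LOG)
    print("unattributed system binaries:", unattributed_system_files(recs))
    print("hash splits in the log:", md5_mismatches(recs))
    print("hash splits, tampered sample:", md5_mismatches(parse_otl_lines(SAMPLE_TAMPERED)))
```

Run against the log's own lines, the first check lists the K-Lite codec DLLs and the "DirectX10" package's kernel32new.dll and msvcrtnew.dll, none of which carry a company name; that is the point of the caveat in its docstring. The second check reports nothing for this log, because every copy of atapi.sys and disk.sys that OTL hashed agrees; only the constructed sample produces a split.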

Extras report

Post by shreksdog on Wed Aug 31, 2011 6:43 am

Sorry, forgot to add the Extras report. Again it says the file is not valid; cut and pasted below.


OTL Extras logfile created on: 31/08/2011 2:06:18 PM - Run 1
OTL by OldTimer - Version 3.2.26.7 Folder = C:\Documents and Settings\Student\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

1.99 Gb Total Physical Memory | 1.44 Gb Available Physical Memory | 72.26% Memory free
3.84 Gb Paging File | 3.42 Gb Available in Paging File | 89.11% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 32.23 Gb Total Space | 22.20 Gb Free Space | 68.88% Space Free | Partition Type: NTFS
Drive D: | 42.30 Gb Total Space | 42.01 Gb Free Space | 99.30% Space Free | Partition Type: NTFS
Drive E: | 4.38 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: STUDENT-5367903 | User Name: Student | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 16
"{28C2DED6-325B-4CC7-983A-1777C8F7FBAB}" = RealUpgrade 1.1
"{293C9DF5-7669-4826-BBB2-E1F182D71033}" = Nero 7 Ultra Edition
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7770E71B-2D43-4800-9CB3-5B6CAAEBEBEA}" = RealNetworks - Microsoft Visual C++ 2008 Runtime
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{a0fe116e-9a8a-466f-aee0-625cb7c207e3}" = Microsoft Visual C++ 2005 Redistributable - KB2467175
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Click to Call with Skype
"{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}" = TuneUp Utilities
"{D5558268-0050-4B95-AD5E-426960E1EFE1}" = Intel(R) Network Connections 15.3.68.0
"{DB0A8A2A-4EA7-4FE3-802E-8A6DEE32696C}_is1" = Orban/Coding Technologies AAC/aacPlus Player Plugin™ 1.0
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F4F7F393-A8E8-42CC-8C2E-7A999B48B2AE}_is1" = DirectX10 NCT Release 2
"{FE3997D3-6B56-4AC4-A99C-9DDFC45359BF}" = TuneUp Utilities Language Pack (en-US)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"CCleaner" = CCleaner
"conduitEngine" = Conduit Engine
"Google Chrome" = Google Chrome
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"ie8" = Windows Internet Explorer 8
"KLiteCodecPack_is1" = K-Lite Codec Pack 2.47 Full
"Microsoft Security Client" = Microsoft Security Essentials
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSNINST" = ninemsn Internet Software
"RealPlayer 12.0" = RealPlayer
"Softonic-Australia_ Toolbar" = Softonic-Australia_ Toolbar
"TuneUp Utilities" = TuneUp Utilities
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo!7 Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Software Update" = Yahoo! Software Update

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Game Organizer" = EasyBits GO

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 16/06/2011 9:52:08 AM | Computer Name = STUDENT-5367903 | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 10.0.6866.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 16/06/2011 8:59:26 PM | Computer Name = STUDENT-5367903 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80072f78, P2 endsearch, P3 search, P4 3.0.8107.0,
P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 22/06/2011 11:51:43 AM | Computer Name = STUDENT-5367903 | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 28/06/2011 10:44:37 PM | Computer Name = STUDENT-5367903 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0, P2 moaccapability, P3 3.0.8107.0, P4
1, P5 0, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 30/06/2011 7:45:07 PM | Computer Name = STUDENT-5367903 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module nesplitter.ax, version 4.10.5.0, fault address 0x0001721a.

[ System Events ]
Error - 31/08/2011 12:08:24 AM | Computer Name = STUDENT-5367903 | Source = Service Control Manager | ID = 7031
Description = The Print Spooler service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 31/08/2011 12:11:43 AM | Computer Name = STUDENT-5367903 | Source = Service Control Manager | ID = 7031
Description = The Print Spooler service terminated unexpectedly. It has done this
2 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 31/08/2011 12:11:47 AM | Computer Name = STUDENT-5367903 | Source = System Error | ID = 1003
Description = Error code c00010b2, parameter1 00000000, parameter2 00000000, parameter3
00000000, parameter4 00000000.

Error - 31/08/2011 12:14:43 AM | Computer Name = STUDENT-5367903 | Source = Service Control Manager | ID = 7034
Description = The Print Spooler service terminated unexpectedly. It has done this
3 time(s).

Error - 31/08/2011 12:19:01 AM | Computer Name = STUDENT-5367903 | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.111.1016.0 Update Source: %%859 Update Stage:
%%852 Source Path: [You must be registered and logged in to see this link.] Signature Type: %%800 Update Type: %%803

User:
NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7604.0 Error
code: 0x80072efe Error description: The connection with the server was terminated
abnormally

Error - 31/08/2011 12:19:40 AM | Computer Name = STUDENT-5367903 | Source = Service Control Manager | ID = 7034
Description = The Print Spooler service terminated unexpectedly. It has done this
4 time(s).

Error - 31/08/2011 12:30:25 AM | Computer Name = STUDENT-5367903 | Source = Service Control Manager | ID = 7031
Description = The Print Spooler service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 31/08/2011 12:33:24 AM | Computer Name = STUDENT-5367903 | Source = Service Control Manager | ID = 7031
Description = The Print Spooler service terminated unexpectedly. It has done this
2 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 31/08/2011 12:36:24 AM | Computer Name = STUDENT-5367903 | Source = Service Control Manager | ID = 7034
Description = The Print Spooler service terminated unexpectedly. It has done this
3 time(s).

Error - 31/08/2011 12:42:04 AM | Computer Name = STUDENT-5367903 | Source = Microsoft Antimalware | ID = 1119
Description = %%860 has encountered a critical error when taking action on malware
or other potentially unwanted software. For more information please see the following:
[You must be registered and logged in to see this link.]

Name:
Trojan:DOS/Alureon.A ID: 2147636949 Severity: Severe Category: Trojan Path: rootkit:_Alureon->Mbr::Alureon

Detection
Origin: %%844 Detection Type: %%822 Detection Source: %%820 User: NT AUTHORITY\SYSTEM

Process
Name: Unknown Action: %%808 Action Status: To finish removing malware and other
potentially unwanted software, restart the computer. To see how to finish removing
malware and other potentially unwanted software, see the support article on the
Microsoft Security website. Error Code: 0x800704ec Error description: Windows cannot
open this program because it has been prevented by a software restriction policy.
For more information, open Event Viewer or contact your system administrator. Signature
Version: AV: 1.111.1106.0, AS: 1.111.1106.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.7604.0,
NIS: 0.0.0.0


< End of report >

shreksdog (Novice) | Posts: 31 | Joined: 2009-07-08 | OS: XP
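
The Microsoft Antimalware and MPSampleSubmission entries in the event-log section of the Extras report above carry error codes (0x800704ec, 0x80072efe, P1 80072f78) whose meaning the report does not spell out. As an added example, not part of the original post and not OTL's code: a parser for OTL's "Last 10 Event Log Errors" block that decodes FACILITY_WIN32 HRESULTs to their Win32 error numbers and picks out Antimalware events whose remediation was blocked by policy. SAMPLE_EVENTS is copied from the report above, trimmed, with the forum-masked link fragments removed; the three Win32 error names are the standard winerror.h and wininet.h values for those numbers.

```python
"""Added example for this page (not OTL's or the poster's code): parse OTL's
'Last 10 Event Log Errors' block and decode the FACILITY_WIN32 HRESULTs in it.
SAMPLE_EVENTS is copied from the report above, trimmed."""
import re
from typing import List, Optional

HEADER_RE = re.compile(
    r"^Error - (?P<when>.+?) \| Computer Name = (?P<host>.+?) \| "
    r"Source = (?P<source>.+?) \| ID = (?P<id>\d+)$"
)
# Antimalware events write "Error Code: 0x800704ec"; mptelemetry events write "P1 80072f78".
CODE_RE = re.compile(r"(?:0x|\bP1 )([0-9a-fA-F]{8})\b")

FACILITY_WIN32 = 7
# Standard winerror.h / wininet.h names for the three codes that occur in this report.
WIN32_NAMES = {
    1260: "ERROR_ACCESS_DISABLED_BY_POLICY",
    12030: "ERROR_INTERNET_CONNECTION_ABORTED",
    12152: "ERROR_HTTP_INVALID_SERVER_RESPONSE",
}


def decode_hresult(code: int) -> Optional[int]:
    """Win32 error carried in a failed FACILITY_WIN32 HRESULT (0x8007xxxx), else None.
    Bit 31 is the failure flag, bits 16-26 the facility, bits 0-15 the Win32 code."""
    if code & 0x80000000 and ((code >> 16) & 0x7FF) == FACILITY_WIN32:
        return code & 0xFFFF
    return None


def parse_events(text: str) -> List[dict]:
    """An 'Error - ...' header starts an event; every following non-empty line is
    joined onto its description, so the blank lines OTL leaves inside the
    Antimalware 1119 text do not split it."""
    events: List[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            events.append({"when": m["when"], "host": m["host"], "source": m["source"],
                           "id": int(m["id"]), "description": ""})
        elif line and events:
            ev = events[-1]
            ev["description"] += (" " if ev["description"] else "") + line
    for ev in events:
        ev["codes"] = [int(c, 16) for c in CODE_RE.findall(ev["description"])]
        ev["win32"] = [decode_hresult(c) for c in ev["codes"]]
    return events


def summarize(events: List[dict]) -> List[str]:
    """One line per code: source, event ID, raw HRESULT, decoded Win32 number and name."""
    out = []
    for ev in events:
        for code, w in zip(ev["codes"], ev["win32"]):
            name = WIN32_NAMES.get(w, "unknown") if w is not None else "not a Win32 HRESULT"
            out.append(f'{ev["source"]} {ev["id"]}: 0x{code:08x} -> {w} ({name})')
    return out


def blocked_remediations(events: List[dict]) -> List[dict]:
    """Antimalware events that failed with ERROR_ACCESS_DISABLED_BY_POLICY: the
    engine detected something, but the process it launched to act on it was
    stopped by a software restriction policy."""
    return [ev for ev in events
            if ev["source"] == "Microsoft Antimalware" and 1260 in ev["win32"]]


SAMPLE_EVENTS = """\
Error - 16/06/2011 8:59:26 PM | Computer Name = STUDENT-5367903 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80072f78, P2 endsearch, P3 search, P4 3.0.8107.0,
P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials, P8 NIL, P9 NIL, P10 NIL.

Error - 31/08/2011 12:08:24 AM | Computer Name = STUDENT-5367903 | Source = Service Control Manager | ID = 7031
Description = The Print Spooler service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error - 31/08/2011 12:19:01 AM | Computer Name = STUDENT-5367903 | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.111.1016.0 Update Source: %%859 Update Stage: %%852
NT AUTHORITY\\SYSTEM Current Engine Version: Previous Engine Version: 1.1.7604.0 Error
code: 0x80072efe Error description: The connection with the server was terminated abnormally

Error - 31/08/2011 12:42:04 AM | Computer Name = STUDENT-5367903 | Source = Microsoft Antimalware | ID = 1119
Description = %%860 has encountered a critical error when taking action on malware
or other potentially unwanted software.

Name:
Trojan:DOS/Alureon.A ID: 2147636949 Severity: Severe Category: Trojan Path: rootkit:_Alureon->Mbr::Alureon

Process
Name: Unknown Action: %%808 Action Status: To finish removing malware and other
potentially unwanted software, restart the computer. Error Code: 0x800704ec Error description: Windows cannot
open this program because it has been prevented by a software restriction policy.
"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for line in summarize(evs):
        print(line)
    print("blocked remediations:", [ev["id"] for ev in blocked_remediations(evs)])
```

0x800704ec decodes to 1260, ERROR_ACCESS_DISABLED_BY_POLICY, which is exactly the software restriction policy message quoted in event 1119, so the Alureon detection failed at the remediation step, not at detection. The two 0x80072exx/0x80072fxx codes decode to WinINet failures from the signature download (12030 and 12152) and say nothing about malware activity by themselves.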

checkup.txt

Post by shreksdog on Wed Aug 31, 2011 6:49 am

Results of screen317's Security Check version 0.99.18
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

TuneUp Utilities
TuneUp Utilities Language Pack (en-US)
CCleaner
Java(TM) 6 Update 16
Out of date Java installed!
Adobe Flash Player
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Microsoft Security Client Antimalware MsMpEng.exe
``````````End of Log````````````

shreksdog (Novice) | Posts: 31 | Joined: 2009-07-08 | OS: XP

Re: W32.Blaster.Worm

Post by shreksdog on Wed Aug 31, 2011 10:17 am

Now my Microsoft Security Essentials is telling me I have "Trojan:DOS/Alureon.A" and of course it can't get rid of it, and it keeps coming up as a file to be deleted, and when I don't, everything grinds to a halt.

shreksdog (Novice) | Posts: 31 | Joined: 2009-07-08 | OS: XP

Re: W32.Blaster.Worm

Post by Gabethebabe on Fri Sep 02, 2011 7:57 am

Hi there shreksdog!

I am Gabethebabe and I will be helping you with this issue. Before we start, some general remarks/rules:
  • Whilst I'm helping you, please follow my instructions carefully and do not experiment on your own or accept help from other persons.
  • Feel free to ask questions! Especially if my instructions are not clear. I'm here to help, not confuse you.
  • I will try and respond quickly, but please understand I do have a real life (job, wife, 3 kids, kinky hobbies).
  • Stick with me till the end. If your computer starts running better, that doesn't mean it is clean yet!

====================

  • Please run OTL.exe again
  • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

Code:
:otl
O4 - HKLM..\Run: [Ujucelisuz] C:\WINDOWS\uheqeluw.dll (Winbond Electronics Corp.)
O33 - MountPoints2\{f804ce8c-84e1-11e0-bbbb-00167629540e}\Shell\AutoRun\command - "" = BACKUP\RESTORE\kingstone.exe
O33 - MountPoints2\{f804ce8c-84e1-11e0-bbbb-00167629540e}\Shell\open\command - "" = BACKUP\RESTORE\kingstone.exe

:files
C:\WINDOWS\uheqeluw.dll
C:\Documents and Settings\Student\Local Settings\Application Data\{4E45387C-3AA4-42F1-BAF1-14B4F3FA2244}
C:\Documents and Settings\All Users\Desktop\Security Protection.lnk

:commands
[resethosts]
[reboot]
  • Then click the Run Fix button at the top (Not the Run Scan!).
  • Allow it to run. It may take some time and you may see some things happen to your desktop - this is normal.
  • If it asks to reboot the computer, allow it to reboot.
  • If the program freezes, and the computer fails to reboot - let me know.
  • Finally, post the contents of the log. (Located at C:\_OTL\Moved Files)


====================

  • Double click aswMBR.exe to run the tool
  • Click the Scan button to start the scan
  • Once the scan finishes click Fix to fix the infected MBR
  • Reboot the computer
  • After the reboot, re-run aswMBR
  • Once the scan finishes click Save log to save the log to your desktop
  • Copy and paste the contents of this log (aswMBR.txt) into your next reply.


Gabethebabe (Top Dog) | Posts: 1568 | Joined: 2010-03-07 | OS: Win7

Re: W32.Blaster.Worm

Post by shreksdog on Fri Sep 02, 2011 8:37 am

Hi Gabe, the Fix button wasn't active; I clicked FixMBR, I hope I was supposed to do that... Reports attached.
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Ujucelisuz not found.
File C:\WINDOWS\uheqeluw.dll not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f804ce8c-84e1-11e0-bbbb-00167629540e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f804ce8c-84e1-11e0-bbbb-00167629540e}\ not found.
File BACKUP\RESTORE\kingstone.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f804ce8c-84e1-11e0-bbbb-00167629540e}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f804ce8c-84e1-11e0-bbbb-00167629540e}\ not found.
File BACKUP\RESTORE\kingstone.exe not found.
========== FILES ==========
File\Folder C:\WINDOWS\uheqeluw.dll not found.
C:\Documents and Settings\Student\Local Settings\Application Data\{4E45387C-3AA4-42F1-BAF1-14B4F3FA2244}\chrome\content folder moved successfully.
C:\Documents and Settings\Student\Local Settings\Application Data\{4E45387C-3AA4-42F1-BAF1-14B4F3FA2244}\chrome folder moved successfully.
C:\Documents and Settings\Student\Local Settings\Application Data\{4E45387C-3AA4-42F1-BAF1-14B4F3FA2244} folder moved successfully.
File\Folder C:\Documents and Settings\All Users\Desktop\Security Protection.lnk not found.
========== COMMANDS ==========
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.26.7 log created on 09022011_161652


aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-08-31 14:17:03
-----------------------------
14:17:03.500 OS Version: Windows 5.1.2600 Service Pack 3
14:17:03.500 Number of processors: 2 586 0x407
14:17:03.500 ComputerName: STUDENT-5367903 UserName: Student
14:17:04.093 Initialize success
14:17:54.625 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
14:17:54.625 Disk 0 Vendor: WDC_WD800JD-00LSA0 06.01D06 Size: 76319MB BusType: 3
14:17:54.625 Device \Driver\atapi -> DriverStartIo 89d5231b
14:17:56.640 Disk 0 MBR read successfully
14:17:56.640 Disk 0 MBR scan
14:17:56.640 Disk 0 TDL4@MBR code has been found
14:17:56.640 Disk 0 Windows XP default MBR code found via API
14:17:56.640 Disk 0 MBR hidden
14:17:56.640 Disk 0 MBR [TDL4] **ROOTKIT**
14:17:56.640 Disk 0 trace - called modules:
14:17:56.640 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89d524d0]<<
14:17:56.640 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89dcfab8]
14:17:56.640 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\0000005f[0x89e54420]
14:17:56.640 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x89de2b00]
14:17:56.640 \Driver\atapi[0x89df0a08] -> IRP_MJ_CREATE -> 0x89d524d0
14:17:56.640 Scan finished successfully
14:18:09.328 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Student\Desktop\MBR.dat"
14:18:09.343 The log file has been saved successfully to "C:\Documents and Settings\Student\Desktop\aswMBR.txt"


aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-02 16:33:43
-----------------------------
16:33:43.531 OS Version: Windows 5.1.2600 Service Pack 3
16:33:43.531 Number of processors: 2 586 0x407
16:33:43.531 ComputerName: STUDENT-5367903 UserName: Student
16:33:53.046 Initialize success
16:34:08.734 The log file has been saved successfully to "C:\Documents and Settings\Student\Desktop\aswMBR.txt"


I appreciate your help....

Tony

shreksdog

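Reading the first aswMBR log above: the tool found TDL4 code in the boot sector, while the read that went through the Windows API returned the stock XP boot code, which is why it reports "MBR hidden" and why the disk I/O trace ends in an ">>UNKNOWN<<" address instead of a named driver. The Python below is an added example, not code from this thread or from aswMBR, that shows the comparison behind such a finding: two 512-byte images of the same sector are parsed into boot code (the first 0x1B8 bytes, the region TDSSKiller hashes later in the thread) and partition table, and the two views are compared. The images, the boot-code byte stubs, the partition geometry and the known-good hash set are all constructed for the example.

```python
"""Parse and compare two views of a disk's MBR, the check behind "MBR hidden".

Added example, not code from the thread or from aswMBR/TDSSKiller. Every
byte below is constructed for the example; the boot-code stubs are not real
XP or TDL4 code.
"""
import hashlib
import struct
from typing import Dict, List, Set, Tuple

MBR_SIZE = 512
CODE_END = 0x1B8   # boot code occupies bytes 0..0x1B7; TDSSKiller's "MBR (0x1B8)" hash covers exactly this
TABLE_OFF = 0x1BE  # four 16-byte partition entries
SIG_OFF = 0x1FE    # 0x55 0xAA boot signature

Partition = Tuple[bool, int, int, int]  # (bootable, type, lba_start, sector_count)


def build_mbr(code: bytes, partitions: List[Partition]) -> bytes:
    """Assemble a 512-byte MBR image (used here only to construct sample sectors)."""
    if len(code) > CODE_END:
        raise ValueError("boot code does not fit before the partition table")
    img = bytearray(MBR_SIZE)
    img[: len(code)] = code
    for i, (bootable, ptype, start, count) in enumerate(partitions[:4]):
        off = TABLE_OFF + 16 * i
        img[off] = 0x80 if bootable else 0x00
        img[off + 4] = ptype
        struct.pack_into("<II", img, off + 8, start, count)
    img[SIG_OFF : SIG_OFF + 2] = b"\x55\xAA"
    return bytes(img)


def parse_mbr(img: bytes) -> Dict[str, object]:
    """Split an MBR into a boot-code hash, the used partition entries and the signature check."""
    if len(img) != MBR_SIZE:
        raise ValueError("an MBR image is exactly 512 bytes")
    parts = []
    for i in range(4):
        off = TABLE_OFF + 16 * i
        ptype = img[off + 4]
        if ptype == 0:  # empty slot
            continue
        start, count = struct.unpack_from("<II", img, off + 8)
        parts.append({"bootable": img[off] == 0x80, "type": ptype, "lba_start": start, "sectors": count})
    return {
        "signature_ok": img[SIG_OFF : SIG_OFF + 2] == b"\x55\xAA",
        "code_md5": hashlib.md5(img[:CODE_END]).hexdigest(),
        "partitions": parts,
    }


def compare_views(api_view: bytes, raw_view: bytes, known_good: Set[str]) -> Dict[str, object]:
    """Compare the sector as the OS hands it out with the same sector read another way.

    A bootkit keeps the partition table (so Windows still boots) and swaps the
    code, while its disk filter returns the original code to normal readers:
    same table, different code, and only the API view looks known-good.
    """
    a, b = parse_mbr(api_view), parse_mbr(raw_view)
    code_differs = a["code_md5"] != b["code_md5"]
    table_differs = a["partitions"] != b["partitions"]
    if code_differs and not table_differs:
        verdict = "hidden mbr"
    elif code_differs or table_differs:
        verdict = "mismatch"
    else:
        verdict = "consistent"
    return {
        "api_code_known_good": a["code_md5"] in known_good,
        "raw_code_known_good": b["code_md5"] in known_good,
        "code_differs": code_differs,
        "table_differs": table_differs,
        "verdict": verdict,
    }


# Constructed sample sectors: one NTFS partition starting at LBA 63, as on an XP-era disk.
PARTS: List[Partition] = [(True, 0x07, 63, 67586000)]
CLEAN_CODE = bytes.fromhex("33c08ed0bc007cfb") + b"\x90" * 24   # stand-in for stock boot code
TDL4_LIKE_CODE = bytes.fromhex("eb1e90") + b"\xcc" * 29          # stand-in for replaced boot code
CLEAN = build_mbr(CLEAN_CODE, PARTS)
INFECTED = build_mbr(TDL4_LIKE_CODE, PARTS)
# In practice the allowlist holds the OS's stock boot-code hashes, such as the Disk 0 value TDSSKiller prints.
KNOWN_GOOD: Set[str] = {parse_mbr(CLEAN)["code_md5"]}

if __name__ == "__main__":
    # the API still shows the clean sector; a second read path sees the real one
    for k, v in compare_views(CLEAN, INFECTED, KNOWN_GOOD).items():
        print(f"{k}: {v}")
```

Identical partition tables with different boot code is the pattern to look for: the machine keeps booting, and anything that reads the sector through the filtered path sees nothing wrong. That is also why the helper insists on a second scan after the reboot before calling the disk clean.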
Re: W32.Blaster.Worm

Post by Gabethebabe on Fri Sep 02, 2011 9:58 am

Hi Tony, can you rerun the aswMBR scan and, if a "Disk 0 MBR [TDL4] **ROOTKIT**" warning appears, try and fix again?

Directly after that do:

  • Download TDSSKiller by Kaspersky from [You must be registered and logged in to see this link.] and save it to your desktop
  • Double-click TDSSKiller.exe to run the tool
  • Click the Start Scan button
  • After the scan has finished, click the Close button
  • Click the Report button and copy/paste the contents of it into your next reply
  • The report can also be found in the root of your Windows drive (most likely C:\).


Gabethebabe

Re: W32.Blaster.Worm

Post by shreksdog on Fri Sep 02, 2011 11:20 am

No rootkit warning appeared. Log below...

2011/09/02 19:18:27.0640 0688 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
2011/09/02 19:18:28.0765 0688 ================================================================================
2011/09/02 19:18:28.0765 0688 SystemInfo:
2011/09/02 19:18:28.0765 0688
2011/09/02 19:18:28.0765 0688 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/02 19:18:28.0765 0688 Product type: Workstation
2011/09/02 19:18:28.0765 0688 ComputerName: STUDENT-5367903
2011/09/02 19:18:28.0765 0688 UserName: Student
2011/09/02 19:18:28.0765 0688 Windows directory: C:\WINDOWS
2011/09/02 19:18:28.0765 0688 System windows directory: C:\WINDOWS
2011/09/02 19:18:28.0765 0688 Processor architecture: Intel x86
2011/09/02 19:18:28.0765 0688 Number of processors: 2
2011/09/02 19:18:28.0765 0688 Page size: 0x1000
2011/09/02 19:18:28.0765 0688 Boot type: Normal boot
2011/09/02 19:18:28.0765 0688 ================================================================================
2011/09/02 19:18:30.0093 0688 Initialize success
2011/09/02 19:18:35.0078 1736 ================================================================================
2011/09/02 19:18:35.0078 1736 Scan started
2011/09/02 19:18:35.0078 1736 Mode: Manual;
2011/09/02 19:18:35.0078 1736 ================================================================================
2011/09/02 19:18:35.0875 1736 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/02 19:18:35.0906 1736 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/09/02 19:18:35.0968 1736 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/09/02 19:18:36.0031 1736 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/09/02 19:18:36.0156 1736 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/09/02 19:18:36.0218 1736 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/02 19:18:36.0281 1736 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/02 19:18:36.0328 1736 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/02 19:18:36.0375 1736 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/02 19:18:36.0421 1736 AVGIDSDriver (4fa401b33c1b50c816486f6951244a14) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
2011/09/02 19:18:36.0453 1736 AVGIDSEH (69578bc9d43d614c6b3455db4af19762) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
2011/09/02 19:18:36.0468 1736 AVGIDSFilter (6df528406aa22201f392b9b19121cd6f) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
2011/09/02 19:18:36.0484 1736 AVGIDSShim (07eba0c11fa1d73b82ecc3255ddfe34d) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
2011/09/02 19:18:36.0531 1736 Avgldx86 (f4dbbc8d3c5338693da23c59a50f8abc) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
2011/09/02 19:18:36.0546 1736 Avgmfx86 (1c77ef67f196466adc9924cb288afe87) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
2011/09/02 19:18:36.0609 1736 Avgrkx86 (4def59ff7d09b9ce59739102b49fd526) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
2011/09/02 19:18:36.0656 1736 Avgtdix (a6d562b612216d8d02a35ebeb92366bd) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
2011/09/02 19:18:36.0718 1736 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/02 19:18:36.0765 1736 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/02 19:18:36.0812 1736 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/02 19:18:36.0875 1736 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/02 19:18:36.0921 1736 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/02 19:18:37.0078 1736 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/02 19:18:37.0140 1736 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/02 19:18:37.0187 1736 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/09/02 19:18:37.0218 1736 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/02 19:18:37.0265 1736 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/02 19:18:37.0312 1736 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/02 19:18:37.0359 1736 e1express (6de32a9123ef60f9d423e9163af0e305) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2011/09/02 19:18:37.0500 1736 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/02 19:18:37.0531 1736 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/09/02 19:18:37.0546 1736 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/02 19:18:37.0578 1736 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/09/02 19:18:37.0625 1736 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/09/02 19:18:37.0656 1736 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/02 19:18:37.0671 1736 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/02 19:18:37.0718 1736 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/02 19:18:37.0765 1736 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/09/02 19:18:37.0796 1736 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/09/02 19:18:37.0859 1736 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/02 19:18:37.0953 1736 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/02 19:18:38.0125 1736 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/09/02 19:18:38.0296 1736 IAMTXP (b5c4f150e37c4580bc44e9074d671263) C:\WINDOWS\system32\DRIVERS\IAMTXP.sys
2011/09/02 19:18:38.0343 1736 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/02 19:18:38.0421 1736 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/09/02 19:18:38.0437 1736 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/09/02 19:18:38.0468 1736 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/02 19:18:38.0500 1736 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/02 19:18:38.0515 1736 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/02 19:18:38.0578 1736 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/02 19:18:38.0609 1736 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/02 19:18:38.0640 1736 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/02 19:18:38.0687 1736 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/02 19:18:38.0718 1736 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/09/02 19:18:38.0750 1736 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/02 19:18:38.0781 1736 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/02 19:18:38.0843 1736 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/02 19:18:38.0890 1736 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/02 19:18:38.0906 1736 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/02 19:18:38.0937 1736 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/09/02 19:18:38.0968 1736 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/02 19:18:39.0015 1736 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2011/09/02 19:18:39.0062 1736 MpKsl9c8ef3f3 (5f53edfead46fa7adb78eee9ecce8fdf) C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AE62DBAF-5C90-4700-A529-F4C72793E0C9}\MpKsl9c8ef3f3.sys
2011/09/02 19:18:39.0109 1736 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/02 19:18:39.0156 1736 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/02 19:18:39.0203 1736 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/02 19:18:39.0250 1736 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/02 19:18:39.0296 1736 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/02 19:18:39.0328 1736 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/02 19:18:39.0359 1736 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/02 19:18:39.0375 1736 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/02 19:18:39.0421 1736 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/02 19:18:39.0468 1736 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/02 19:18:39.0500 1736 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/02 19:18:39.0546 1736 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/02 19:18:39.0562 1736 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/02 19:18:39.0593 1736 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/02 19:18:39.0609 1736 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/02 19:18:39.0671 1736 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/09/02 19:18:39.0703 1736 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/02 19:18:39.0750 1736 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/02 19:18:39.0796 1736 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/02 19:18:39.0828 1736 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/02 19:18:39.0843 1736 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/02 19:18:39.0890 1736 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/09/02 19:18:39.0906 1736 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/09/02 19:18:39.0921 1736 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/02 19:18:39.0937 1736 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/02 19:18:39.0984 1736 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/02 19:18:40.0093 1736 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/09/02 19:18:40.0125 1736 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/09/02 19:18:40.0281 1736 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/02 19:18:40.0296 1736 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/02 19:18:40.0328 1736 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/02 19:18:40.0421 1736 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/02 19:18:40.0453 1736 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/02 19:18:40.0500 1736 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/02 19:18:40.0515 1736 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/02 19:18:40.0546 1736 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/02 19:18:40.0578 1736 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/02 19:18:40.0609 1736 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/09/02 19:18:40.0656 1736 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/02 19:18:40.0703 1736 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/02 19:18:40.0828 1736 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/02 19:18:40.0953 1736 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/09/02 19:18:40.0968 1736 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/02 19:18:40.0984 1736 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/09/02 19:18:41.0062 1736 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/02 19:18:41.0109 1736 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/02 19:18:41.0187 1736 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/02 19:18:41.0281 1736 STHDA (228519217a88c2f6b0cf8c022e6d669c) C:\WINDOWS\system32\drivers\sthda.sys
2011/09/02 19:18:41.0312 1736 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/02 19:18:41.0359 1736 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/02 19:18:41.0453 1736 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/02 19:18:41.0515 1736 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/02 19:18:41.0546 1736 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/02 19:18:41.0593 1736 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/02 19:18:41.0625 1736 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/02 19:18:41.0734 1736 TuneUpUtilitiesDrv (f2107c9d85ec0df116939ccce06ae697) C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys
2011/09/02 19:18:41.0765 1736 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/02 19:18:41.0828 1736 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/02 19:18:41.0890 1736 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/09/02 19:18:41.0921 1736 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/09/02 19:18:41.0953 1736 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/02 19:18:42.0000 1736 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/02 19:18:42.0031 1736 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/09/02 19:18:42.0093 1736 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/09/02 19:18:42.0125 1736 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/02 19:18:42.0171 1736 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/09/02 19:18:42.0234 1736 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/09/02 19:18:42.0281 1736 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/02 19:18:42.0328 1736 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/02 19:18:42.0390 1736 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/02 19:18:42.0468 1736 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/09/02 19:18:42.0500 1736 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/09/02 19:18:42.0546 1736 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/02 19:18:42.0656 1736 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR3
2011/09/02 19:18:42.0671 1736 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk2\DR4
2011/09/02 19:18:42.0687 1736 Boot (0x1200) (f40b661a84788e98e67024aaa62d4e9d) \Device\Harddisk0\DR0\Partition0
2011/09/02 19:18:42.0718 1736 Boot (0x1200) (4b8e128162a9ebf28d031992347998a4) \Device\Harddisk0\DR0\Partition1
2011/09/02 19:18:42.0734 1736 Boot (0x1200) (3b709ed9c97d3a0af3695a487650941c) \Device\Harddisk1\DR3\Partition0
2011/09/02 19:18:42.0734 1736 Boot (0x1200) (8b2f7bfe2c51dc4cf85f88838de40655) \Device\Harddisk2\DR4\Partition0
2011/09/02 19:18:42.0750 1736 ================================================================================
2011/09/02 19:18:42.0750 1736 Scan finished
2011/09/02 19:18:42.0750 1736 ================================================================================
2011/09/02 19:18:42.0781 2060 Detected object count: 0
2011/09/02 19:18:42.0781 2060 Actual detected object count: 0

shreksdog

Re: W32.Blaster.Worm

Post by Gabethebabe on Fri Sep 02, 2011 11:29 am

Also not in a fresh aswMBR scan log?

Gabethebabe

Re: W32.Blaster.Worm

Post by shreksdog on Fri Sep 02, 2011 11:38 am

Did I do something wrong?? What do you mean, "not in a fresh aswMBR scan log"?

shreksdog

Re: W32.Blaster.Worm

Post by Gabethebabe on Fri Sep 02, 2011 11:44 am

I'm a bit lazy writing sometimes.

I meant to say: rerun aswMBR, scan, and post the log to check if the infection is gone there as well (a "Disk 0 MBR [TDL4] **ROOTKIT**" line means it is not).

Gabethebabe

Re: W32.Blaster.Worm

Post by shreksdog on Fri Sep 02, 2011 11:50 am

Looks like it's clear... see below.

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-02 19:49:07
-----------------------------
19:49:07.593 OS Version: Windows 5.1.2600 Service Pack 3
19:49:07.593 Number of processors: 2 586 0x407
19:49:07.593 ComputerName: STUDENT-5367903 UserName: Student
19:49:08.515 Initialize success
19:49:11.656 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
19:49:11.656 Disk 0 Vendor: WDC_WD800JD-00LSA0 06.01D06 Size: 76319MB BusType: 3
19:49:13.687 Disk 0 MBR read successfully
19:49:13.687 Disk 0 MBR scan
19:49:13.687 Disk 0 Windows XP default MBR code
19:49:13.687 Disk 0 scanning sectors +156296385
19:49:13.765 Disk 0 scanning C:\WINDOWS\system32\drivers
19:49:18.281 Service scanning
19:49:18.656 Service MpKsl9c8ef3f3 C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AE62DBAF-5C90-4700-A529-F4C72793E0C9}\MpKsl9c8ef3f3.sys **LOCKED** 32
19:49:19.390 Modules scanning
19:49:23.953 Disk 0 trace - called modules:
19:49:23.984 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
19:49:23.984 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89decab8]
19:49:23.984 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000065[0x89e14030]
19:49:23.984 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x89deed98]
19:49:23.984 Scan finished successfully
19:49:37.218 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Student\Desktop\MBR.dat"
19:49:37.218 The log file has been saved successfully to "C:\Documents and Settings\Student\Desktop\aswMBR.txt"



shreksdog

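The rule Gabethebabe states above (any "Disk 0 MBR [TDL4] **ROOTKIT**" line means the machine is not clean) and the TDSSKiller driver list can both be checked mechanically rather than by eye. The Python below is an added example, not part of this thread or of either tool: it scans aswMBR output for the rootkit, "MBR hidden" and ">>UNKNOWN<<" trace markers, and parses TDSSKiller's driver and MBR lines to list drivers loaded from outside the system driver directory and MBR code hashes that are not on an allowlist. The sample log lines are trimmed copies of the ones posted in this thread; the allowlist holds the Disk 0 hash TDSSKiller printed, which aswMBR's clean run identifies as the stock XP boot code. Drivers outside the system directory are listed for review, not flagged as malicious: the Microsoft Antimalware definition-update driver on this machine (MpKsl...) is a legitimate one.

```python
"""Mechanical triage of aswMBR and TDSSKiller output.

Added example, not part of the forum thread or of either tool. The sample
logs are trimmed copies of lines posted in the thread.
"""
import re
from typing import Dict, List, Set, Tuple

# --- aswMBR: the markers the helper in the thread looks for ------------------
ROOTKIT_RE = re.compile(r"Disk (\d+) MBR \[(\w+)\] \*\*ROOTKIT\*\*")
HIDDEN_RE = re.compile(r"Disk (\d+) MBR hidden")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")


def triage_aswmbr(log: str) -> Dict[str, object]:
    """Return clean=False if any rootkit, hidden-MBR or unbacked-hook marker appears."""
    findings: List[Tuple[str, str]] = []
    for line in log.splitlines():
        m = ROOTKIT_RE.search(line)
        if m:
            findings.append(("rootkit", f"disk {m.group(1)} [{m.group(2)}]"))
        m = HIDDEN_RE.search(line)
        if m:
            findings.append(("hidden_mbr", f"disk {m.group(1)}"))
        m = UNKNOWN_RE.search(line)
        if m:
            # the disk I/O trace ended in code that belongs to no loaded module
            findings.append(("unbacked_hook", m.group(1)))
    return {"clean": not findings, "findings": findings}


# --- TDSSKiller: "<date> <time> <pid> <name> (<md5>) <path>" -----------------
DRIVER_RE = re.compile(r"^\S+ \S+\s+\d+\s+(\S+) \(([0-9a-f]{32})\) (.+)$")
MBR_RE = re.compile(r"MBR \(0x1B8\) \(([0-9a-f]{32})\) (\\Device\\Harddisk\d+\\DR\d+)")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def triage_tdsskiller(log: str, known_good_mbr: Set[str]) -> Dict[str, object]:
    """List drivers outside the system driver directory and MBR hashes not on the allowlist."""
    out_of_tree: List[Tuple[str, str]] = []
    mbr_hashes: Dict[str, str] = {}
    for line in log.splitlines():
        m = MBR_RE.search(line)
        if m:
            mbr_hashes[m.group(2)] = m.group(1)
            continue
        m = DRIVER_RE.match(line)
        if m:
            name, _md5, path = m.groups()
            if not path.lower().startswith(DRIVER_DIR):
                out_of_tree.append((name, path))
    unrecognised = {dev: h for dev, h in mbr_hashes.items() if h not in known_good_mbr}
    return {
        "out_of_tree_drivers": out_of_tree,
        "mbr_hashes": mbr_hashes,
        "unrecognised_mbr": unrecognised,
    }


# Constructed samples: trimmed copies of the aswMBR runs before and after the fix.
DIRTY_ASWMBR = r"""14:17:56.640 Disk 0 MBR read successfully
14:17:56.640 Disk 0 MBR scan
14:17:56.640 Disk 0 TDL4@MBR code has been found
14:17:56.640 Disk 0 Windows XP default MBR code found via API
14:17:56.640 Disk 0 MBR hidden
14:17:56.640 Disk 0 MBR [TDL4] **ROOTKIT**
14:17:56.640 Disk 0 trace - called modules:
14:17:56.640 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89d524d0]<<
"""
CLEAN_ASWMBR = r"""19:49:13.687 Disk 0 MBR read successfully
19:49:13.687 Disk 0 MBR scan
19:49:13.687 Disk 0 Windows XP default MBR code
19:49:23.984 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
"""
# Constructed sample: a few of the TDSSKiller lines posted above.
TDSS_SAMPLE = r"""2011/09/02 19:18:35.0875 1736 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/02 19:18:39.0062 1736 MpKsl9c8ef3f3 (5f53edfead46fa7adb78eee9ecce8fdf) C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AE62DBAF-5C90-4700-A529-F4C72793E0C9}\MpKsl9c8ef3f3.sys
2011/09/02 19:18:41.0734 1736 TuneUpUtilitiesDrv (f2107c9d85ec0df116939ccce06ae697) C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys
2011/09/02 19:18:42.0546 1736 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/09/02 19:18:42.0671 1736 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk2\DR4
"""
# Disk 0's code hash, which aswMBR's clean run reports as the stock Windows XP MBR code.
KNOWN_GOOD_MBR: Set[str] = {"8f558eb6672622401da993e1e865c861"}

if __name__ == "__main__":
    print("before fix:", triage_aswmbr(DIRTY_ASWMBR))
    print("after fix: ", triage_aswmbr(CLEAN_ASWMBR))
    print("tdsskiller:", triage_tdsskiller(TDSS_SAMPLE, KNOWN_GOOD_MBR))
```

The TDSSKiller output also shows why the hash comparison is only a starting point: Harddisk2 carries a different boot code than the two internal disks, which is expected for a removable drive formatted elsewhere, so an unrecognised hash is a prompt to look at that device, not a verdict on it.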
Re: W32.Blaster.Worm

Post by Gabethebabe on Fri Sep 02, 2011 1:33 pm

Clean! Mr. TDL4 has left the building, which is good news.

How is your computer running now?

====================

Please download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.].

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Note:
  • If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
  • Click OK to either and let MBAM proceed with the disinfection process.
  • If asked to restart the computer, please do so immediately.

Post the contents of the MBAM log in your next reply, please.

Gabethebabe

Re: W32.Blaster.Worm

Post by shreksdog on Sat Sep 03, 2011 4:58 am

Hi Gabe, I ran Malwarebytes a couple of times, but it had to shut down for some unknown reason... Third time lucky: it ran through, found and deleted 6 files. Log below.

Malwarebytes' Anti-Malware 1.51.1.1800
[You must be registered and logged in to see this link.]

Database version: 7640

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/09/2011 12:50:25 PM
mbam-log-2011-09-03 (12-50-25).txt

Scan type: Quick scan
Objects scanned: 172417
Time elapsed: 5 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Student\local settings\Temp\47.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\d3d10_1.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Student\application data\Adobe\shed\thr1.chm (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\Student\application data\Adobe\plugs\mmc17096671.txt (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Student\application data\Adobe\plugs\mmc17096781.txt (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Student\application data\Adobe\plugs\mmc242.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

shreksdog

Re: W32.Blaster.Worm

Post by Gabethebabe on Sat Sep 03, 2011 1:53 pm

Excellent. As far as I can see, your computer is CLEAN.



====================

Time to uninstall used tools.

  • Double click OTL.exe to run it again and click the CleanUp button.
  • If we used any other tools and they still remain on your desktop, please delete them manually.

====================

You need to install the latest version of Java. Having the latest version is important to take advantage of fixes that have eliminated security vulnerabilities.
  • Go to Start > Control Panel
  • Double-click on Add or Remove Programs
  • Look for entries that say Java, Java RunTime Environment or J2SE.
  • Uninstall all of them that are not named Java (TM) 6 Update 27

After doing this, you can go to [You must be registered and logged in to see this link.], click on Free Java Download and proceed from there to install the latest version of Java (currently Version 6 Update 27).

After installing Java, go to Start > Control Panel > Java to open the Java Control Panel.
Under the General tab, Temporary Internet Files click Settings, then click Delete Files.
Select both options and click OK to delete the Java cache.

====================

You have an old version of Adobe Reader installed. This old version has security issues.
I recommend that you uninstall Adobe Reader through Start > Control Panel > Add or Remove Programs.
After that you should install a PDF reader that is more secure.
Please note that Adobe Reader has a history of security issues and is a prime target for malware writers due to its popularity. You might want to consider installing a non-Adobe PDF reader. Your choice!
  • [You must be registered and logged in to see this link.]. The latest and safest version of Adobe Reader.
  • [You must be registered and logged in to see this link.]. Very small and very light PDF viewer.
  • [You must be registered and logged in to see this link.]. Also available in a 64-bit version if you have a 64-bit OS. Can be installed as portable.

====================

Do you have any more questions or do you want to see my ALORTKYCC (Awesome List Or Recommendations To Keep Your Computer Clean)?


Gabethebabe
