Welcome guest. Before posting on our computer help forum, you must register. Click here it's easy and free.

Author Topic: Win32: Qandr Rootkit  (Read 2943 times)

0 Members and 1 Guest are viewing this topic.

venom7513

    Topic Starter


    Newbie

    Win32: Qandr Rootkit
    « on: June 30, 2010, 12:09:55 PM »
    I was browsing the web when my Google Chrome crashed (buffer overrun?) and my Avast! Anti virus began movie 40-50 files to my chest. All of witch were in the Drivers folder. It identified all of them as Win32: Qandr Rootkit.

    It, at first, looked like it got it however I am stiff unable to start Google Chrome and inside of Firefox (what I am using now) I receive random advertisement tabs.

    I did a full scan in safe mode with Avast, nothing came up. I also installed a plethora of other "Rootkit removers" all of witch can find no threat.

    I ran DDS. Here is the output:

    DDS (Ver_10-03-17.01) - NTFSx86 
    Run by Alec Larsen at 12:54:07.97 on Wed 06/30/2010
    Internet Explorer: 8.0.7600.16385
    Microsoft Windows 7 Starter   6.1.7600.0.1252.1.1033.18.987.260 [GMT -5:00]

    SP: Spyware Terminator *disabled* (Updated) {55EE49A8-16BE-4601-BBE6-607B7F7317DE}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_5576240ee6baaa25\STacSV.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
    C:\Windows\system32\vmnat.exe
    C:\Program Files\andLinux\colinux-daemon.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\andLinux\colinux-slirp-net-daemon.exe
    C:\Program Files\andLinux\colinux-net-daemon.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\conhost.exe
    C:\Program Files\VMware\VMware Player\vmware-authd.exe
    C:\Windows\system32\vmnetdhcp.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Program Files\LiveZilla\LiveZilla.exe
    C:\Program Files\RocketDock\RocketDock.exe
    C:\Program Files\MagicDisc\MagicDisc.exe
    C:\Program Files\Pidgin\pidgin.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Sophos\Sophos Anti-Rootkit\sargui.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Windows\system32\sppsvc.exe
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\system32\wuauclt.exe
    C:\Users\Alec Larsen\AppData\Local\Temp\rwjbcd.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\Program Files\Spyware Terminator\Spywareterminator.exe
    C:\Program Files\Spyware Terminator\SpywareTerminatorUpdate.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Users\Alec Larsen\Desktop\dds.scr
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\DllHost.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0566.0\msneshellx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0566.0\msneshellx.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
    uRun: [SpywareTerminatorUpdate] "c:\program files\spyware terminator\SpywareTerminatorUpdate.exe"
    mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    mRun: [liveZilla] "c:\program files\livezilla\LiveZilla.exe" -minimize
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    StartupFolder: c:\users\alecla~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
    StartupFolder: c:\users\alecla~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\pidgin.lnk - c:\program files\pidgin\pidgin.exe
    uPolicies-system: TextValue = a7b9d9cffb24998fd4c097f505b2027a
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    LSP: c:\program files\vmware\vmware player\vsocklib.dll
    DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/US/TechConsole/x86/RescueControl.cab
    DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} - hxxp://win7pro.vlabcenter.com/ActiveX/VMRCActiveXClient1.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: igfxcui - igfxdev.dll

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-1-24 165456]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-24 17744]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-1-24 50256]
    R2 CoLinuxDriver;CoLinuxDriver;c:\program files\andlinux\linux.sys [2010-6-24 84992]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

    =============== Created Last 30 ================

    2010-06-30 17:52:19   142592   ----a-w-   c:\windows\system32\drivers\sp_rsdrv2.sys
    2010-06-29 23:33:24   0   d-----w-   c:\users\alecla~1\appdata\roaming\Malwarebytes
    2010-06-29 23:33:11   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
    2010-06-29 23:33:09   0   d-----w-   c:\programdata\Malwarebytes
    2010-06-29 23:33:08   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
    2010-06-29 23:33:08   0   d-----w-   c:\program files\Malwarebytes' Anti-Malware
    2010-06-29 19:02:28   38848   ----a-w-   c:\windows\avastSS.scr
    2010-06-29 18:46:48   0   d-----w-   c:\windows\system32\wbem\repository
    2010-06-29 18:41:52   65536   --sha-w-   c:\users\alec larsen\ntuser.dat{a0d37932-83ab-11df-9e92-005056c00008}.TM.blf
    2010-06-29 18:41:52   524288   --sha-w-   c:\users\alec larsen\ntuser.dat{a0d37932-83ab-11df-9e92-005056c00008}.TMContainer00000000000000000002.regtrans-ms
    2010-06-29 18:41:52   524288   --sha-w-   c:\users\alec larsen\ntuser.dat{a0d37932-83ab-11df-9e92-005056c00008}.TMContainer00000000000000000001.regtrans-ms
    2010-06-29 17:37:59   161106861   ----a-w-   c:\windows\MEMORY.DMP
    2010-06-28 00:47:19   0   d-----w-   c:\program files\IObit
    2010-06-28 00:19:22   0   d-----w-   c:\program files\MediaMall
    2010-06-28 00:19:22   0   d-----w-   c:\program files\common files\TV-Websites
    2010-06-28 00:19:08   0   d-----w-   c:\programdata\MediaMall
    2010-06-27 22:24:17   0   d-----w-   c:\program files\sterm
    2010-06-27 21:05:42   0   d-----w-   c:\program files\MSXML 4.0
    2010-06-27 20:53:36   0   d-----w-   c:\program files\Windows Installer Clean Up
    2010-06-27 19:56:57   0   d-----w-   c:\users\alecla~1\appdata\roaming\SoftGrid Client
    2010-06-27 04:41:05   86408   ----a-w-   c:\windows\system32\setupempdrv03.exe
    2010-06-27 04:41:05   8456   ----a-w-   c:\windows\system32\EuGdiDrv.sys
    2010-06-27 04:41:05   1718912   ----a-w-   c:\windows\system32\BootMan.exe
    2010-06-27 04:41:05   14848   ----a-w-   c:\windows\system32\EuEpmGdi.dll
    2010-06-27 04:41:05   14216   ----a-w-   c:\windows\system32\epmntdrv.sys
    2010-06-27 04:28:43   0   d-----w-   c:\programdata\LogMeIn
    2010-06-27 04:28:27   83360   ----a-w-   c:\windows\system32\LMIRfsClientNP.dll
    2010-06-27 04:28:27   47640   ----a-w-   c:\windows\system32\drivers\LMIRfsDriver.sys
    2010-06-27 04:28:27   29568   ----a-w-   c:\windows\system32\LMIport.dll
    2010-06-27 04:28:24   87424   ----a-w-   c:\windows\system32\LMIinit.dll
    2010-06-27 04:27:59   0   d-----w-   c:\program files\LogMeIn
    2010-06-26 21:32:58   0   d-----w-   c:\users\alecla~1\appdata\roaming\TP
    2010-06-26 17:28:58   0   d-----w-   c:\program files\MGTEK
    2010-06-26 17:28:58   0   d-----w-   c:\program files\common files\MGTEK
    2010-06-26 17:28:23   0   d-----w-   c:\programdata\MGTEK
    2010-06-26 17:08:24   0   d-----w-   c:\program files\NaturalSoft
    2010-06-26 16:58:37   0   d-----w-   c:\program files\Text2mp3
    2010-06-26 03:21:28   24576   ----a-w-   c:\windows\system32\anotherRunAs.exe
    2010-06-26 03:07:17   172032   ----a-w-   c:\windows\system32\runasloc.ocx
    2010-06-26 03:07:17   0   d-----w-   c:\program files\Steel RunAs
    2010-06-25 04:02:39   25856   ----a-w-   c:\windows\system32\drivers\tap0801co.sys
    2010-06-25 04:00:04   0   d-----w-   c:\program files\andLinux
    2010-06-23 20:13:28   99176   ----a-w-   c:\windows\system32\PresentationHostProxy.dll
    2010-06-23 20:13:28   49472   ----a-w-   c:\windows\system32\netfxperf.dll
    2010-06-23 20:13:28   297808   ----a-w-   c:\windows\system32\mscoree.dll
    2010-06-23 20:13:28   295264   ----a-w-   c:\windows\system32\PresentationHost.exe
    2010-06-23 20:13:28   1130824   ----a-w-   c:\windows\system32\dfshim.dll
    2010-06-23 04:26:04   0   d-----w-   C:\My Drivers
    2010-06-23 04:26:04   0   d-----w-   C:\Innovative Solutions
    2010-06-23 02:39:42   285696   ------w-   c:\windows\system32\Cncs232.dll
    2010-06-23 02:39:38   0   d-----w-   c:\windows\COREL
    2010-06-23 02:39:38   0   d-----w-   C:\MMFusion
    2010-06-23 02:12:16   0   d-----w-   c:\program files\NSIS
    2010-06-23 02:03:18   0   d-----w-   c:\program files\Install Creator
    2010-06-23 01:44:17   0   d-----w-   c:\users\alecla~1\appdata\roaming\Easeware
    2010-06-23 01:44:03   0   d-----w-   c:\program files\Easeware
    2010-06-23 00:53:30   0   d-----w-   c:\programdata\Innovative Solutions
    2010-06-23 00:53:14   0   d-----w-   c:\program files\Innovative Solutions
    2010-06-23 00:48:54   0   d-----w-   c:\program files\SystemRequirementsLab
    2010-06-23 00:44:17   1286456   ----a-w-   c:\windows\system32\ntdll.dll
    2010-06-23 00:44:15   641536   ----a-w-   c:\windows\system32\CPFilters.dll
    2010-06-23 00:44:13   199680   ----a-w-   c:\windows\system32\mpg2splt.ax
    2010-06-23 00:44:12   204288   ----a-w-   c:\windows\system32\MSNP.ax
    2010-06-20 02:52:52   2270208   ----a-w-   c:\windows\system32\copyurl.exe
    2010-06-18 23:38:18   0   d-----w-   C:\mounted_images
    2010-06-17 02:59:29   0   d-----w-   c:\program files\Super Fast Shutdown
    2010-06-17 01:12:32   0   d-----w-   c:\program files\Cain
    2010-06-17 00:47:32   52   ----a-w-   c:\windows\system32\winpeshl.ini
    2010-06-16 03:21:43   0   d-----w-   c:\program files\Windows Imaging
    2010-06-16 02:56:05   524288   --sha-w-   c:\users\alec larsen\ntuser.dat{a08aa64f-78f2-11df-b1e4-005056c00008}.TMContainer00000000000000000002.regtrans-ms
    2010-06-16 02:56:05   524288   --sha-w-   c:\users\alec larsen\ntuser.dat{a08aa64f-78f2-11df-b1e4-005056c00008}.TMContainer00000000000000000001.regtrans-ms
    2010-06-16 02:56:04   65536   --sha-w-   c:\users\alec larsen\ntuser.dat{a08aa64f-78f2-11df-b1e4-005056c00008}.TM.blf
    2010-06-16 02:37:35   0   d-----w-   c:\users\alecla~1\appdata\roaming\Spyware Terminator
    2010-06-16 02:37:32   0   d-----w-   c:\programdata\Spyware Terminator
    2010-06-16 02:37:30   0   d-----w-   c:\program files\Spyware Terminator
    2010-06-16 01:51:06   0   d-----w-   c:\program files\Windows AIK
    2010-06-16 01:44:28   0   d-----w-   c:\program files\Sophos
    2010-06-16 00:05:56   0   d-----w-   c:\program files\Microsoft Visual Studio 8
    2010-06-15 23:25:26   0   d-----w-   c:\program files\MSECache
    2010-06-15 18:51:26   0   d-----w-   c:\program files\UltraISO
    2010-06-15 18:09:19   0   d-----w-   c:\program files\EASEUS
    2010-06-13 05:00:36   0   d-----w-   c:\program files\Advantig
    2010-06-11 17:02:35   2326528   ----a-w-   c:\windows\system32\win32k.sys
    2010-06-11 17:02:34   67584   ----a-w-   c:\windows\system32\asycfilt.dll
    2010-06-11 17:02:23   977920   ----a-w-   c:\windows\system32\wininet.dll
    2010-06-11 17:02:14   293888   ----a-w-   c:\windows\system32\atmfd.dll
    2010-06-11 17:02:13   34304   ----a-w-   c:\windows\system32\atmlib.dll
    2010-06-11 04:26:25   0   d-----w-   c:\programdata\{7269BE79-5722-4259-B764-61F0045B02FF}
    2010-06-11 04:26:16   0   d-----w-   c:\program files\LiveZilla
    2010-06-07 04:11:02   0   d--h--w-   c:\users\alec larsen\.zenmap
    2010-06-07 03:50:43   0   d-----w-   c:\program files\Nmap
    2010-06-07 03:46:43   0   d-----w-   c:\program files\Metasploit
    2010-06-05 18:02:33   0   d-----w-   c:\program files\TweetDeck
    2010-06-04 22:32:45   0   d-----w-   c:\programdata\Recovery
    2010-06-04 19:49:14   12866560   ----a-w-   C:\shell32.dll
    2010-06-04 00:04:10   48836   ----a-w-   c:\users\alec larsen\AlecBeta.contact
    2010-06-03 21:43:23   0   d-----w-   c:\users\alecla~1\appdata\roaming\lyx16
    2010-06-03 04:03:31   0   d-----w-   c:\users\alecla~1\appdata\roaming\MiKTeX
    2010-06-03 03:28:47   0   d-----w-   c:\programdata\MiKTeX
    2010-06-03 03:24:30   0   d-----w-   c:\program files\MiKTeX 2.8
    2010-06-03 03:18:17   0   d-----w-   c:\programdata\Aspell
    2010-06-03 03:17:26   0   d-----w-   c:\program files\LyX16
    2010-06-03 03:13:08   0   d-----w-   c:\program files\LEd

    ==================== Find3M  ====================

    2010-06-28 20:32:56   50256   ----a-w-   c:\windows\system32\drivers\aswMonFlt.sys
    2010-06-01 02:53:03   380928   ----a-w-   C:\lame_enc.dll
    2010-05-21 19:14:28   221568   ----a-w-   c:\windows\system32\MpSigStub.exe
    2010-05-21 02:26:23   0   ---ha-w-   c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
    2010-05-14 23:06:37   41380   ----a-w-   c:\windows\fonts\Bauhaus.ttf
    2010-05-11 01:54:39   215628   ----a-w-   c:\windows\fonts\Fluox__.ttf
    2010-05-09 08:01:42   229224   ----a-w-   c:\windows\system32\drivers\VMM.sys
    2010-04-23 07:13:36   2048   ----a-w-   c:\windows\system32\tzres.dll
    2010-04-05 16:47:44   51556   ----a-w-   c:\windows\fonts\Fineliner Script.otf
    2010-04-04 03:18:32   133344   ----a-w-   c:\windows\fonts\BROKEN_GHOST.ttf
    2009-07-14 04:56:42   31548   ----a-w-   c:\windows\inf\perflib\0409\perfd.dat
    2009-07-14 04:56:42   31548   ----a-w-   c:\windows\inf\perflib\0409\perfc.dat
    2009-07-14 04:56:42   291294   ----a-w-   c:\windows\inf\perflib\0409\perfi.dat
    2009-07-14 04:56:42   291294   ----a-w-   c:\windows\inf\perflib\0409\perfh.dat
    2009-07-14 04:41:57   174   --sha-w-   c:\program files\desktop.ini
    2009-07-14 00:34:40   291294   ----a-w-   c:\windows\inf\perflib\0000\perfi.dat
    2009-07-14 00:34:40   291294   ----a-w-   c:\windows\inf\perflib\0000\perfh.dat
    2009-07-14 00:34:38   31548   ----a-w-   c:\windows\inf\perflib\0000\perfd.dat
    2009-07-14 00:34:38   31548   ----a-w-   c:\windows\inf\perflib\0000\perfc.dat
    2009-06-10 21:26:35   9633792   --sha-r-   c:\windows\fonts\StaticCache.dat
    2010-01-29 23:18:56   16384   --sha-w-   c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
    2010-01-29 23:18:56   32768   --sha-w-   c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
    2010-01-29 23:18:56   16384   --sha-w-   c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
    2010-01-29 23:18:56   245760   --sha-w-   c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
    2009-07-14 01:14:45   396800   --sha-w-   c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

    ============= FINISH: 12:59:27.88 ===============





    What can I do to fix this?

    kpac

    • Web moderator


    • Hacker

    • kpac®
    • Thanked: 184
      • Yes
      • Yes
      • Yes
    • Certifications: List
    • Computer: Specs
    • Experience: Expert
    • OS: Windows 7
    Re: Win32: Qandr Rootkit
    « Reply #1 on: June 30, 2010, 01:46:54 PM »
    Wrong forum.

    Crush

    • Malware Removal Specialist
    • Moderator


    • Beginner

      Thanked: 8
      Re: Win32: Qandr Rootkit
      « Reply #2 on: July 03, 2010, 10:47:02 AM »
      Hello, and welcome to Computer Hope Forums!

      I'm Crush but, you can call me Chris too :) and I will be helping you with your Malware issues

      Please note the following information about the malware forum:

      • Only members of the Malware Removal Specialist user group are allowed to give advice on removing malware from your computer. Do not follow the advice of anyone without that user title.
      • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
      • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
      • If you have already asked for help somewhere, please post the link to the topic you were helped.
      • We try our best to reply quickly, but for any reason we do not reply in two days, do this:


      Reply to this topic with the word BUMP.

      • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

      Now that we have that out of the way:

      Download OTL  to your Desktop

      • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
      • Under the Custom Scan box paste this in
      Code: [Select]
      netsvcs
      msconfig
      safebootminimal
      safebootnetwork
      activex
      drivers32
      %SYSTEMDRIVE%\*.exe
      %systemroot%\*. /mp /s
      c:\$recycle.bin\*.* /s
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      nvstor32.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      explorer.exe
      svchost.exe
      userinit.exe
      qmgr.dll
      ws2_32.dll
      proquota.exe
      imm32.dll
      kernel32.dll
      ndis.sys
      autochk.exe
      spoolsv.exe
      xmlprov.dll
      ntmssvc.dll
      mswsock.dll
      Beep.SYS
      ntfs.sys
      termsrv.dll
      sfcfiles.dll
      st3shark.sys
      ahcix86.sys
      srsvc.dll
      nvrd32.sys
      /md5stop
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles

        • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
          • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
          • Please copy (Edit>Select All, Edit>Copy) the contents of these files, one at a time
        "I am in fact, quite cool. My graphing calculator confirms this"