  1. Sorry - I've been away from my PC again. Thanks for your time helping me. The Kaspersky report is below - it looks all good to me:

     KASPERSKY ONLINE SCANNER 7.0: scan report
     Monday, March 22, 2010
     Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
     Kaspersky Online Scanner version:
     Last database update: Monday, March 22, 2010 12:34:19
     Records in database: 3846667

     Scan settings:
        scan using the following database: extended
        Scan archives: yes
        Scan e-mail databases: yes

     Scan area - My Computer:
        C:\
        D:\
        E:\
        F:\
        G:\
        H:\
        I:\

     Scan statistics:
        Objects scanned: 83895
        Threats found: 0
        Infected objects found: 0
        Suspicious objects found: 0
        Scan duration: 02:42:24

     No threats found. Scanned area is clean.
     Selected area has been scanned.
  2. Sorry, I have been out of the country for a week. See the OTL log as requested. Thanks NW

     OTL logfile created on: 12/03/2010 19:31:28 - Run 2
     OTL by OldTimer - Version     Folder = C:\Documents and Settings\DAD\Desktop
     Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
     Internet Explorer (Version = 8.0.6001.18702)
     Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

     1,023.00 Mb Total Physical Memory | 487.00 Mb Available Physical Memory | 48.00% Memory free
     2.00 Gb Paging File | 2.00 Gb Available in Paging File | 75.00% Paging File free
     Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

     %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
     Drive C: | 70.29 Gb Total Space | 38.08 Gb Free Space | 54.18% Space Free | Partition Type: NTFS
     Drive D: | 14.33 Gb Total Space | 10.46 Gb Free Space | 72.98% Space Free | Partition Type: NTFS
     E: Drive not present or media not loaded
     F: Drive not present or media not loaded
     G: Drive not present or media not loaded
     H: Drive not present or media not loaded
     I: Drive not present or media not loaded

     Computer Name: DADKIDS
     Current User Name: DAD
     Logged in as Administrator.

     Current Boot Mode: Normal
     Scan Mode: Current user
     Company Name Whitelist: On
     Skip Microsoft Files: On
     File Age = 14 Days
     Output = Standard
     Quick Scan

     ========== Processes (SafeList) ==========

     PRC - [2010/03/04 18:34:59 | 000,552,960 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe
     PRC - [2009/12/11 18:41:15 | 000,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
     PRC - [2009/12/11 18:41:15 | 000,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
     PRC - [2009/12/03 03:50:39 | 001,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
     PRC - [2009/12/03 03:50:38 | 000,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
     PRC - [2009/12/03 03:50:31 | 000,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
     PRC - [2009/12/03 03:50:30 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
     PRC - [2009/09/24 14:41:58 | 000,434,176 | ---- | M] (Sony Ericsson Mobile Communications AB) -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
     PRC - [2009/04/30 12:23:26 | 000,090,112 | ---- | M] () -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
     PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
     PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
     PRC - [2006/03/01 19:50:06 | 000,626,810 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
     PRC - [2006/03/01 00:05:54 | 002,364,976 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgre.exe
     PRC - [2006/03/01 00:00:34 | 001,992,240 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe
     PRC - [2006/02/06 22:39:36 | 000,262,144 | R--- | M] (LITE-ON TECHNOLOGY CORP.) -- C:\Program Files\Lenovo\Productivity Keyboard\Skdaemon.exe
     PRC - [2006/01/11 23:08:36 | 000,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
     PRC - [2005/12/07 09:00:00 | 000,106,496 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE
     PRC - [2005/10/28 11:23:10 | 001,404,928 | ---- | M] (Belkin) -- C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
     PRC - [2005/08/02 01:33:04 | 000,126,976 | ---- | M] () -- C:\Program Files\ThinkVantage\SystemUpdate\PipeServer.exe
     PRC - [2005/04/13 22:34:28 | 000,049,152 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ico.exe
     PRC - [2003/11/06 23:51:32 | 000,020,480 | ---- | M] () -- C:\WINDOWS\system32\FSRremoS.EXE

     ========== Modules (SafeList) ==========

     MOD - [2010/03/04 18:34:59 | 000,552,960 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe

     ========== Win32 Services (SafeList) ==========

     SRV - [2009/12/03 03:50:31 | 000,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
     SRV - [2009/12/03 03:50:30 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
     SRV - [2009/12/03 02:13:32 | 000,032,256 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psasrv.exe -- (PsaSrv)
     SRV - [2009/04/30 12:23:26 | 000,090,112 | ---- | M] () [Auto | Running] -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe -- (OMSI download service)
     SRV - [2006/03/01 19:50:06 | 000,626,810 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
     SRV - [2005/12/22 02:34:58 | 000,077,824 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe -- (TVT Scheduler)
     SRV - [2005/12/22 02:20:56 | 001,384,448 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe -- (TVT Backup Service)
     SRV - [2005/08/02 01:32:40 | 000,040,960 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe -- (UCLauncherService)

     ========== Standard Registry (SafeList) ==========


     ========== Internet Explorer ==========

     IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = http://www.google.com/
     IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://news.bbc.co.uk/ [binary data]
     IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
     IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D6 FD 9C 1C FA 83 CA 01 [binary data]
     IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
     IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
     IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
     IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

     [2010/02/25 00:05:02 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

     O1 HOSTS File: ([2010/02/24 23:01:36 | 000,380,253 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
     O1 - Hosts: localhost
     O1 - Hosts: www.007guard.com
     O1 - Hosts: 007guard.com
     O1 - Hosts: 008i.com
     O1 - Hosts: www.008k.com
     O1 - Hosts: 008k.com
     O1 - Hosts: www.00hq.com
     O1 - Hosts: 00hq.com
     O1 - Hosts: 010402.com
     O1 - Hosts: www.032439.com
     O1 - Hosts: 032439.com
     O1 - Hosts: www.0scan.com
     O1 - Hosts: 0scan.com
     O1 - Hosts: 1000gratisproben.com
     O1 - Hosts: www.1000gratisproben.com
     O1 - Hosts: 1001namen.com
     O1 - Hosts: www.1001namen.com
     O1 - Hosts: 100888290cs.com
     O1 - Hosts: www.100888290cs.com
     O1 - Hosts: www.100sexlinks.com
     O1 - Hosts: 100sexlinks.com
     O1 - Hosts: 10sek.com
     O1 - Hosts: www.10sek.com
     O1 - Hosts: www.1-2005-search.com
     O1 - Hosts: 1-2005-search.com
     O1 - Hosts: 13102 more lines...
     O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
     O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
     O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
     O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
     O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
     O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
     O3 - HKCU\..\Toolbar\ShellBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
     O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
     O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
     O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
     O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
     O4 - HKLM..\Run: [cssauthe] C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe (Lenovo Group Limited)
     O4 - HKLM..\Run: [DiskeeperSystray] C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe (Diskeeper Corporation)
     O4 - HKLM..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
     O4 - HKLM..\Run: [LPManager] C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE (Lenovo Group Limited)
     O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)
     O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
     O4 - HKLM..\Run: [sKDaemon.exe] C:\Program Files\Lenovo\Productivity Keyboard\Skdaemon.exe (LITE-ON TECHNOLOGY CORP.)
     O4 - HKLM..\Run: [soundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
     O4 - HKLM..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe ()
     O4 - HKCU..\Run: [sony Ericsson PC Suite] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe (Sony Ericsson Mobile Communications AB)
     O4 - HKCU..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
     O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe (Belkin)
     O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
     O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
     O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
     O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
     O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
     O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
     O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
     O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
     O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
     O8 - Extra context menu item: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
     O8 - Extra context menu item: &Translate English Word - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
     O8 - Extra context menu item: Backward Links - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
     O8 - Extra context menu item: Cached Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
     O8 - Extra context menu item: Similar Pages - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
     O8 - Extra context menu item: Translate Page into English - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
     O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
     O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
     O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
     O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
     O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
     O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/1.4.2/...all-142-win.cab (Java Plug-in 1.4.2)
     O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4.2/...all-142-win.cab (Java Plug-in 1.4.2)
     O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer =
     O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
     O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
     O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
     O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
     O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
     O24 - Desktop WallPaper: C:\Documents and Settings\DAD\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
     O24 - Desktop BackupWallPaper: C:\Documents and Settings\DAD\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
     O32 - HKLM CDRom: AutoRun - 1
     O32 - AutoRun File - [2009/12/03 02:34:50 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
     O34 - HKLM BootExecute: (autocheck autochk *) - File not found
     O35 - comfile [open] -- "%1" %*
     O35 - exefile [open] -- "%1" %*

     NetSvcs: 6to4 - File not found
     NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/08/09 21:12:00 | 000,000,000 | ---D | M]
     NetSvcs: Iprip - File not found
     NetSvcs: Irmon - File not found
     NetSvcs: NWCWorkstation - File not found
     NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
     NetSvcs: WmdmPmSp - File not found

     CREATERESTOREPOINT
     Restore point Set: OTL Restore Point (16891891626803200)

     ========== Files/Folders - Created Within 14 Days ==========

     [2010/03/12 19:20:26 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
     [2010/03/04 18:34:55 | 000,552,960 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe
     [2010/03/04 16:32:28 | 000,000,000 | -HSD | C] -- C:\RECYCLER
     [2010/03/03 22:06:19 | 000,000,000 | RHSD | C] -- C:\cmdcons
     [2010/03/03 22:04:38 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
     [2010/03/03 22:04:38 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
     [2010/03/03 22:04:38 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
     [2010/03/03 22:04:38 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
     [2010/03/03 22:04:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
     [2010/03/03 22:04:29 | 000,000,000 | ---D | C] -- C:\Combo-Fix
     [2010/03/03 22:04:16 | 000,000,000 | ---D | C] -- C:\Qoobox
     [2009/12/04 22:54:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
     [2009/12/03 03:31:59 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
     [2009/12/03 03:31:59 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
     [2004/08/09 21:33:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
     [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
     [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

     ========== Files - Modified Within 14 Days ==========

     [2010/03/12 19:25:06 | 000,002,055 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
     [2010/03/12 17:04:03 | 057,018,777 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
     [2010/03/12 16:45:01 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
     [2010/03/12 16:44:58 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
     [2010/03/12 16:44:55 | 1073,270,784 | -HS- | M] () -- C:\hiberfil.sys
     [2010/03/12 16:43:42 | 009,175,040 | -H-- | M] () -- C:\Documents and Settings\DAD\NTUSER.DAT
     [2010/03/12 16:43:42 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\DAD\ntuser.ini
     [2010/03/12 16:43:35 | 007,469,944 | -H-- | M] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\IconCache.db
     [2010/03/12 13:48:40 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{A277806A-F328-4CC4-9BA9-41C902613B3B}.job
     [2010/03/12 12:57:31 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
     [2010/03/04 18:34:59 | 000,552,960 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe
     [2010/03/03 22:33:37 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
     [2010/03/03 22:06:24 | 000,000,254 | RHS- | M] () -- C:\BOOT.INI
     [2010/03/03 19:34:02 | 000,010,973 | ---- | M] () -- C:\Documents and Settings\DAD\My Documents\1.docx
     [2010/02/27 18:29:37 | 000,018,944 | ---- | M] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
     [2010/02/26 20:22:16 | 000,001,514 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk
     [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
     [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

     ========== Files Created - No Company Name ==========

     [2010/03/12 19:21:06 | 000,002,055 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
     [2010/03/03 22:06:24 | 000,000,184 | ---- | C] () -- C:\Boot.bak
     [2010/03/03 22:06:21 | 000,260,272 | ---- | C] () -- C:\cmldr
     [2010/03/03 22:04:38 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
     [2010/03/03 22:04:38 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
     [2010/03/03 22:04:38 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
     [2010/03/03 22:04:38 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
     [2010/03/03 22:04:38 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
     [2010/03/03 19:34:02 | 000,010,973 | ---- | C] () -- C:\Documents and Settings\DAD\My Documents\1.docx
     [2010/02/26 20:22:16 | 000,001,514 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk
     [2009/12/10 20:30:43 | 000,018,944 | ---- | C] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
     [2009/12/03 21:18:10 | 000,000,204 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
     [2009/12/03 02:33:54 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\fusioncache.dat
     [2009/12/03 02:16:06 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
     [2009/12/03 02:05:14 | 000,028,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys
     [2009/12/03 02:03:39 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
     [2009/12/03 02:03:39 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
     [2009/12/03 02:03:39 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
     [2009/12/03 02:03:39 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
     [2009/12/03 02:03:39 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
     [2009/12/03 02:03:39 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
     [2009/12/03 02:03:18 | 000,000,032 | ---- | C] () -- C:\WINDOWS\WININIT.INI
     [2009/12/03 01:58:25 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
     [2009/12/03 01:57:38 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\FSRremoC.DLL
     [2009/12/03 01:57:38 | 000,005,528 | ---- | C] () -- C:\WINDOWS\System32\Setup2k.ini
     [2009/12/03 01:57:38 | 000,000,296 | ---- | C] () -- C:\WINDOWS\System32\presetup.ini
     [2006/02/03 00:37:10 | 000,004,676 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
     [2006/01/19 20:46:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
     [2006/01/10 21:38:30 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
     [2005/07/12 22:44:42 | 000,015,872 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD64.DLL
     [2004/08/09 21:34:32 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
     [2004/03/24 00:38:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD.dll
     [2002/04/11 18:47:52 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\msmscoin.dll

     ========== LOP Check ==========

     [2009/12/02 22:12:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
     [2009/12/03 03:50:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
     [2009/12/10 00:11:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
     [2009/12/03 02:01:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lenovo
     [2010/02/18 11:30:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
     [2009/12/03 02:35:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ThinkVantage
     [2009/12/25 09:53:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
     [2010/02/24 22:24:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\AVG9
     [2009/12/03 20:48:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\GetRightToGo
     [2009/12/03 02:04:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\IBM
     [2009/12/03 19:46:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\InterVideo
     [2009/12/03 19:50:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Leadertech
     [2009/12/06 19:06:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\LEGO Company
     [2009/12/06 20:13:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Lenovo
     [2009/12/09 16:54:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\MSNInstaller
     [2009/12/12 19:33:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Sony
     [2009/12/12 19:23:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Sony Setup
     [2009/12/03 02:35:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\ThinkVantage
     [2009/12/09 19:44:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\TrueSwitch
     [2010/03/12 13:48:40 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{A277806A-F328-4CC4-9BA9-41C902613B3B}.job

     ========== Purity Check ==========


     ========== Custom Scans ==========

     < %SYSTEMDRIVE%\*.exe >

     < MD5 for: AGP440.SYS >
     [2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys
     [2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
     [2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
     [2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
     [2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
     [2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
     [2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
     [2004/08/04 07:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

     < MD5 for: ATAPI.SYS >
     [2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys
     [2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
     [2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
     [2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
     [2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
     [2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
     [2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
     [2010/03/05 17:26:47 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
     [2004/08/04 06:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

     < MD5 for: EVENTLOG.DLL >
     [2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
     [2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
     [2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
     [2004/08/04 13:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

     < MD5 for: NETLOGON.DLL >
     [2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
     [2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
     [2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
     [2009/02/06 18:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
     [2009/02/06 18:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtUninstallKB975467_0$\netlogon.dll
     [2004/08/04 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtUninstallKB968389_0$\netlogon.dll

     < MD5 for: SCECLI.DLL >
     [2004/08/04 13:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
     [2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
     [2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
     [2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

     ========== Alternate Data Streams ==========

     @Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

     < End of report >
  3. Indigenus, TDSS found a corrupt Atapi.sys file. Here is the log.

     17:24:16:937 1460 TDSS rootkit removing tool Feb 27 2010 13:29:25
     17:24:16:937 1460 ================================================================================
     17:24:16:937 1460 SystemInfo:
     17:24:16:937 1460 OS Version: 5.1.2600 ServicePack: 3.0
     17:24:16:937 1460 Product type: Workstation
     17:24:16:937 1460 ComputerName: DADKIDS
     17:24:16:937 1460 UserName: DAD
     17:24:16:937 1460 Windows directory: C:\WINDOWS
     17:24:16:937 1460 Processor architecture: Intel x86
     17:24:16:937 1460 Number of processors: 1
     17:24:16:937 1460 Page size: 0x1000
     17:24:16:937 1460 Boot type: Normal boot
     17:24:16:937 1460 ================================================================================
     17:24:16:937 1460 UnloadDriverW: NtUnloadDriver error 2
     17:24:16:937 1460 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
     17:24:17:015 1460 Initialize success
     17:24:17:015 1460
     17:24:17:015 1460 Scanning Services ...
     17:24:17:015 1460 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
     17:24:17:015 1460 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
     17:24:17:015 1460 wfopen_ex: Trying to KLMD file open
     17:24:17:015 1460 wfopen_ex: File opened ok (Flags 2)
     17:24:17:015 1460 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
     17:24:17:031 1460 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
     17:24:17:031 1460 wfopen_ex: Trying to KLMD file open
     17:24:17:031 1460 wfopen_ex: File opened ok (Flags 2)
     17:24:17:312 1460 GetAdvancedServicesInfo: Raw services enum returned 354 services
     17:24:17:328 1460 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
     17:24:17:328 1460 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
     17:24:17:328 1460
     17:24:17:328 1460 Scanning Kernel memory ...
     17:24:17:328 1460 Devices to scan: 13
     17:24:17:328 1460
     17:24:17:328 1460 Driver Name: Disk
     17:24:17:328 1460 IRP_MJ_CREATE : F75A2BB0
     17:24:17:328 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
     17:24:17:328 1460 IRP_MJ_CLOSE : F75A2BB0
     17:24:17:328 1460 IRP_MJ_READ : F759CD1F
     17:24:17:328 1460 IRP_MJ_WRITE : F759CD1F
     17:24:17:328 1460 IRP_MJ_QUERY_INFORMATION : 804F355A
     17:24:17:328 1460 IRP_MJ_SET_INFORMATION : 804F355A
     17:24:17:328 1460 IRP_MJ_QUERY_EA : 804F355A
     17:24:17:328 1460 IRP_MJ_SET_EA : 804F355A
     17:24:17:328 1460 IRP_MJ_FLUSH_BUFFERS : F759D2E2
     17:24:17:328 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
     17:24:17:328 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
     17:24:17:328 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A
     17:24:17:328 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
     17:24:17:328 1460 IRP_MJ_DEVICE_CONTROL : F759D3BB
     17:24:17:328 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A0F28
     17:24:17:328 1460 IRP_MJ_SHUTDOWN : F759D2E2
     17:24:17:328 1460 IRP_MJ_LOCK_CONTROL : 804F355A
     17:24:17:328 1460 IRP_MJ_CLEANUP : 804F355A
     17:24:17:328 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A
     17:24:17:328 1460 IRP_MJ_QUERY_SECURITY : 804F355A
     17:24:17:328 1460 IRP_MJ_SET_SECURITY : 804F355A
     17:24:17:328 1460 IRP_MJ_POWER : F759EC82
     17:24:17:328 1460 IRP_MJ_SYSTEM_CONTROL : F75A399E
     17:24:17:328 1460 IRP_MJ_DEVICE_CHANGE : 804F355A
     17:24:17:328 1460 IRP_MJ_QUERY_QUOTA : 804F355A
     17:24:17:328 1460 IRP_MJ_SET_QUOTA : 804F355A
     17:24:17:328 1460 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
     17:24:17:328 1460 sion
     17:24:17:343 1460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
     17:24:17:343 1460
     17:24:17:343 1460 Driver Name: Disk
     17:24:17:343 1460 IRP_MJ_CREATE : F75A2BB0
     17:24:17:343 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
     17:24:17:343 1460 IRP_MJ_CLOSE : F75A2BB0
     17:24:17:343 1460 IRP_MJ_READ : F759CD1F
     17:24:17:343 1460 IRP_MJ_WRITE : F759CD1F
     17:24:17:343 1460 IRP_MJ_QUERY_INFORMATION : 804F355A
     17:24:17:343 1460 IRP_MJ_SET_INFORMATION : 804F355A
     17:24:17:343 1460 IRP_MJ_QUERY_EA : 804F355A
     17:24:17:343 1460 IRP_MJ_SET_EA : 804F355A
     17:24:17:343 1460 IRP_MJ_FLUSH_BUFFERS : F759D2E2
     17:24:17:343 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
     17:24:17:343 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
     17:24:17:343 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A
     17:24:17:343 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
     17:24:17:343 1460 IRP_MJ_DEVICE_CONTROL : F759D3BB
     17:24:17:343 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A0F28
     17:24:17:343 1460 IRP_MJ_SHUTDOWN : F759D2E2
     17:24:17:343 1460 IRP_MJ_LOCK_CONTROL : 804F355A
     17:24:17:343 1460 IRP_MJ_CLEANUP : 804F355A
     17:24:17:343 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A
     17:24:17:343 1460 IRP_MJ_QUERY_SECURITY : 804F355A
     17:24:17:343 1460 IRP_MJ_SET_SECURITY : 804F355A
     17:24:17:343 1460 IRP_MJ_POWER : F759EC82
     17:24:17:343 1460 IRP_MJ_SYSTEM_CONTROL : F75A399E
     17:24:17:343 1460 IRP_MJ_DEVICE_CHANGE : 804F355A
     17:24:17:343 1460 IRP_MJ_QUERY_QUOTA : 804F355A
     17:24:17:343 1460 IRP_MJ_SET_QUOTA : 804F355A
     17:24:17:343 1460 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
     17:24:17:343 1460 sion
     17:24:17:359 1460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
     17:24:17:359 1460
     17:24:17:359 1460 Driver Name: Disk
     17:24:17:359 1460 IRP_MJ_CREATE : F75A2BB0
     17:24:17:359 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
     17:24:17:359 1460 IRP_MJ_CLOSE : F75A2BB0
     17:24:17:359 1460 IRP_MJ_READ : F759CD1F
     17:24:17:359 1460 IRP_MJ_WRITE : F759CD1F
     17:24:17:359 1460 IRP_MJ_QUERY_INFORMATION : 804F355A
     17:24:17:359 1460 IRP_MJ_SET_INFORMATION : 804F355A
     17:24:17:359 1460 IRP_MJ_QUERY_EA : 804F355A
     17:24:17:359 1460 IRP_MJ_SET_EA : 804F355A
     17:24:17:359 1460 IRP_MJ_FLUSH_BUFFERS : F759D2E2
     17:24:17:359 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
     17:24:17:359 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
     17:24:17:359 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A
     17:24:17:359 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
     17:24:17:359 1460 IRP_MJ_DEVICE_CONTROL : F759D3BB
     17:24:17:359 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A0F28
     17:24:17:359 1460 IRP_MJ_SHUTDOWN : F759D2E2
     17:24:17:359 1460 IRP_MJ_LOCK_CONTROL : 804F355A
     17:24:17:359 1460 IRP_MJ_CLEANUP : 804F355A
     17:24:17:359 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A
     17:24:17:359 1460 IRP_MJ_QUERY_SECURITY : 804F355A
     17:24:17:359 1460 IRP_MJ_SET_SECURITY : 804F355A
     17:24:17:359 1460 IRP_MJ_POWER : F759EC82
     17:24:17:359 1460 IRP_MJ_SYSTEM_CONTROL : F75A399E
     17:24:17:359 1460 IRP_MJ_DEVICE_CHANGE : 804F355A
     17:24:17:359 1460 IRP_MJ_QUERY_QUOTA : 804F355A
     17:24:17:359 1460 IRP_MJ_SET_QUOTA : 804F355A
     17:24:17:359 1460 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
     17:24:17:359 1460 sion
     17:24:17:359 1460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
     17:24:17:359 1460
     17:24:17:359 1460 Driver Name: Disk
     17:24:17:359 1460 IRP_MJ_CREATE : F75A2BB0
     17:24:17:359 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
     17:24:17:359 1460 IRP_MJ_CLOSE : F75A2BB0
     17:24:17:359 1460 IRP_MJ_READ : F759CD1F
     17:24:17:359 1460 IRP_MJ_WRITE : F759CD1F
     17:24:17:359 1460 IRP_MJ_QUERY_INFORMATION : 804F355A
     17:24:17:359 1460 IRP_MJ_SET_INFORMATION : 804F355A
     17:24:17:359 1460 IRP_MJ_QUERY_EA : 804F355A
     17:24:17:359 1460 IRP_MJ_SET_EA : 804F355A
     17:24:17:359 1460 IRP_MJ_FLUSH_BUFFERS : F759D2E2
     17:24:17:359 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
     17:24:17:359 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
     17:24:17:359 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A
     17:24:17:359 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
     17:24:17:359 1460 IRP_MJ_DEVICE_CONTROL : F759D3BB
     17:24:17:359 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A0F28
     17:24:17:359 1460 IRP_MJ_SHUTDOWN : F759D2E2
     17:24:17:359 1460 IRP_MJ_LOCK_CONTROL : 804F355A
     17:24:17:359 1460 IRP_MJ_CLEANUP : 804F355A
     17:24:17:359 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A
     17:24:17:359 1460 IRP_MJ_QUERY_SECURITY : 804F355A
     17:24:17:359 1460 IRP_MJ_SET_SECURITY : 804F355A
     17:24:17:359 1460 IRP_MJ_POWER : F759EC82
     17:24:17:359 1460
IRP_MJ_SYSTEM_CONTROL : F75A399E 17:24:17:359 1460 IRP_MJ_DEVICE_CHANGE : 804F355A 17:24:17:359 1460 IRP_MJ_QUERY_QUOTA : 804F355A 17:24:17:359 1460 IRP_MJ_SET_QUOTA : 804F355A 17:24:17:359 1460 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code 17:24:17:359 1460 sion 17:24:17:375 1460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean 17:24:17:375 1460 17:24:17:375 1460 Driver Name: USBSTOR 17:24:17:375 1460 IRP_MJ_CREATE : F7901218 17:24:17:375 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A 17:24:17:375 1460 IRP_MJ_CLOSE : F7901218 17:24:17:375 1460 IRP_MJ_READ : F790123C 17:24:17:375 1460 IRP_MJ_WRITE : F790123C 17:24:17:375 1460 IRP_MJ_QUERY_INFORMATION : 804F355A 17:24:17:375 1460 IRP_MJ_SET_INFORMATION : 804F355A 17:24:17:375 1460 IRP_MJ_QUERY_EA : 804F355A 17:24:17:375 1460 IRP_MJ_SET_EA : 804F355A 17:24:17:375 1460 IRP_MJ_FLUSH_BUFFERS : 804F355A 17:24:17:375 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A 17:24:17:375 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A 17:24:17:375 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A 17:24:17:375 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A 17:24:17:375 1460 IRP_MJ_DEVICE_CONTROL : F7901180 17:24:17:375 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78FC9E6 17:24:17:375 1460 IRP_MJ_SHUTDOWN : 804F355A 17:24:17:375 1460 IRP_MJ_LOCK_CONTROL : 804F355A 17:24:17:375 1460 IRP_MJ_CLEANUP : 804F355A 17:24:17:375 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A 17:24:17:375 1460 IRP_MJ_QUERY_SECURITY : 804F355A 17:24:17:375 1460 IRP_MJ_SET_SECURITY : 804F355A 17:24:17:375 1460 IRP_MJ_POWER : F79005F0 17:24:17:375 1460 IRP_MJ_SYSTEM_CONTROL : F78FEA6E 17:24:17:375 1460 IRP_MJ_DEVICE_CHANGE : 804F355A 17:24:17:375 1460 IRP_MJ_QUERY_QUOTA : 804F355A 17:24:17:375 1460 IRP_MJ_SET_QUOTA : 804F355A 17:24:17:375 1460 siohd: 0 17:24:17:375 1460 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean 17:24:17:375 1460 17:24:17:375 1460 Driver Name: USBSTOR 17:24:17:375 1460 IRP_MJ_CREATE : F7901218 17:24:17:375 1460 IRP_MJ_CREATE_NAMED_PIPE : 
804F355A 17:24:17:375 1460 IRP_MJ_CLOSE : F7901218 17:24:17:375 1460 IRP_MJ_READ : F790123C 17:24:17:375 1460 IRP_MJ_WRITE : F790123C 17:24:17:375 1460 IRP_MJ_QUERY_INFORMATION : 804F355A 17:24:17:375 1460 IRP_MJ_SET_INFORMATION : 804F355A 17:24:17:375 1460 IRP_MJ_QUERY_EA : 804F355A 17:24:17:375 1460 IRP_MJ_SET_EA : 804F355A 17:24:17:375 1460 IRP_MJ_FLUSH_BUFFERS : 804F355A 17:24:17:375 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A 17:24:17:375 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A 17:24:17:375 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A 17:24:17:375 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A 17:24:17:375 1460 IRP_MJ_DEVICE_CONTROL : F7901180 17:24:17:375 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78FC9E6 17:24:17:375 1460 IRP_MJ_SHUTDOWN : 804F355A 17:24:17:375 1460 IRP_MJ_LOCK_CONTROL : 804F355A 17:24:17:375 1460 IRP_MJ_CLEANUP : 804F355A 17:24:17:375 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A 17:24:17:375 1460 IRP_MJ_QUERY_SECURITY : 804F355A 17:24:17:375 1460 IRP_MJ_SET_SECURITY : 804F355A 17:24:17:375 1460 IRP_MJ_POWER : F79005F0 17:24:17:375 1460 IRP_MJ_SYSTEM_CONTROL : F78FEA6E 17:24:17:375 1460 IRP_MJ_DEVICE_CHANGE : 804F355A 17:24:17:375 1460 IRP_MJ_QUERY_QUOTA : 804F355A 17:24:17:375 1460 IRP_MJ_SET_QUOTA : 804F355A 17:24:17:375 1460 siohd: 0 17:24:17:375 1460 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean 17:24:17:375 1460 17:24:17:375 1460 Driver Name: USBSTOR 17:24:17:375 1460 IRP_MJ_CREATE : F7901218 17:24:17:375 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A 17:24:17:375 1460 IRP_MJ_CLOSE : F7901218 17:24:17:375 1460 IRP_MJ_READ : F790123C 17:24:17:375 1460 IRP_MJ_WRITE : F790123C 17:24:17:375 1460 IRP_MJ_QUERY_INFORMATION : 804F355A 17:24:17:375 1460 IRP_MJ_SET_INFORMATION : 804F355A 17:24:17:375 1460 IRP_MJ_QUERY_EA : 804F355A 17:24:17:375 1460 IRP_MJ_SET_EA : 804F355A 17:24:17:375 1460 IRP_MJ_FLUSH_BUFFERS : 804F355A 17:24:17:375 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A 17:24:17:375 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A 
17:24:17:375 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A 17:24:17:375 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A 17:24:17:375 1460 IRP_MJ_DEVICE_CONTROL : F7901180 17:24:17:375 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78FC9E6 17:24:17:375 1460 IRP_MJ_SHUTDOWN : 804F355A 17:24:17:375 1460 IRP_MJ_LOCK_CONTROL : 804F355A 17:24:17:375 1460 IRP_MJ_CLEANUP : 804F355A 17:24:17:375 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A 17:24:17:375 1460 IRP_MJ_QUERY_SECURITY : 804F355A 17:24:17:375 1460 IRP_MJ_SET_SECURITY : 804F355A 17:24:17:375 1460 IRP_MJ_POWER : F79005F0 17:24:17:375 1460 IRP_MJ_SYSTEM_CONTROL : F78FEA6E 17:24:17:375 1460 IRP_MJ_DEVICE_CHANGE : 804F355A 17:24:17:375 1460 IRP_MJ_QUERY_QUOTA : 804F355A 17:24:17:375 1460 IRP_MJ_SET_QUOTA : 804F355A 17:24:17:375 1460 siohd: 0 17:24:17:390 1460 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean 17:24:17:390 1460 17:24:17:390 1460 Driver Name: USBSTOR 17:24:17:390 1460 IRP_MJ_CREATE : F7901218 17:24:17:390 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A 17:24:17:390 1460 IRP_MJ_CLOSE : F7901218 17:24:17:390 1460 IRP_MJ_READ : F790123C 17:24:17:390 1460 IRP_MJ_WRITE : F790123C 17:24:17:390 1460 IRP_MJ_QUERY_INFORMATION : 804F355A 17:24:17:390 1460 IRP_MJ_SET_INFORMATION : 804F355A 17:24:17:390 1460 IRP_MJ_QUERY_EA : 804F355A 17:24:17:390 1460 IRP_MJ_SET_EA : 804F355A 17:24:17:390 1460 IRP_MJ_FLUSH_BUFFERS : 804F355A 17:24:17:390 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A 17:24:17:390 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A 17:24:17:390 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A 17:24:17:390 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A 17:24:17:390 1460 IRP_MJ_DEVICE_CONTROL : F7901180 17:24:17:390 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78FC9E6 17:24:17:390 1460 IRP_MJ_SHUTDOWN : 804F355A 17:24:17:390 1460 IRP_MJ_LOCK_CONTROL : 804F355A 17:24:17:390 1460 IRP_MJ_CLEANUP : 804F355A 17:24:17:390 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A 17:24:17:390 1460 IRP_MJ_QUERY_SECURITY : 804F355A 17:24:17:390 1460 IRP_MJ_SET_SECURITY : 
804F355A 17:24:17:390 1460 IRP_MJ_POWER : F79005F0 17:24:17:390 1460 IRP_MJ_SYSTEM_CONTROL : F78FEA6E 17:24:17:390 1460 IRP_MJ_DEVICE_CHANGE : 804F355A 17:24:17:390 1460 IRP_MJ_QUERY_QUOTA : 804F355A 17:24:17:390 1460 IRP_MJ_SET_QUOTA : 804F355A 17:24:17:390 1460 siohd: 0 17:24:17:390 1460 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean 17:24:17:390 1460 17:24:17:390 1460 Driver Name: Disk 17:24:17:390 1460 IRP_MJ_CREATE : F75A2BB0 17:24:17:390 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A 17:24:17:390 1460 IRP_MJ_CLOSE : F75A2BB0 17:24:17:390 1460 IRP_MJ_READ : F759CD1F 17:24:17:390 1460 IRP_MJ_WRITE : F759CD1F 17:24:17:390 1460 IRP_MJ_QUERY_INFORMATION : 804F355A 17:24:17:390 1460 IRP_MJ_SET_INFORMATION : 804F355A 17:24:17:390 1460 IRP_MJ_QUERY_EA : 804F355A 17:24:17:390 1460 IRP_MJ_SET_EA : 804F355A 17:24:17:390 1460 IRP_MJ_FLUSH_BUFFERS : F759D2E2 17:24:17:390 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A 17:24:17:390 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A 17:24:17:390 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A 17:24:17:390 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A 17:24:17:390 1460 IRP_MJ_DEVICE_CONTROL : F759D3BB 17:24:17:390 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A0F28 17:24:17:390 1460 IRP_MJ_SHUTDOWN : F759D2E2 17:24:17:390 1460 IRP_MJ_LOCK_CONTROL : 804F355A 17:24:17:390 1460 IRP_MJ_CLEANUP : 804F355A 17:24:17:390 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A 17:24:17:390 1460 IRP_MJ_QUERY_SECURITY : 804F355A 17:24:17:390 1460 IRP_MJ_SET_SECURITY : 804F355A 17:24:17:390 1460 IRP_MJ_POWER : F759EC82 17:24:17:390 1460 IRP_MJ_SYSTEM_CONTROL : F75A399E 17:24:17:390 1460 IRP_MJ_DEVICE_CHANGE : 804F355A 17:24:17:390 1460 IRP_MJ_QUERY_QUOTA : 804F355A 17:24:17:390 1460 IRP_MJ_SET_QUOTA : 804F355A 17:24:17:390 1460 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code 17:24:17:390 1460 sion 17:24:17:390 1460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean 17:24:17:390 1460 17:24:17:390 1460 Driver Name: Disk 17:24:17:390 1460 
IRP_MJ_CREATE : F75A2BB0 17:24:17:390 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A 17:24:17:390 1460 IRP_MJ_CLOSE : F75A2BB0 17:24:17:390 1460 IRP_MJ_READ : F759CD1F 17:24:17:390 1460 IRP_MJ_WRITE : F759CD1F 17:24:17:390 1460 IRP_MJ_QUERY_INFORMATION : 804F355A 17:24:17:390 1460 IRP_MJ_SET_INFORMATION : 804F355A 17:24:17:390 1460 IRP_MJ_QUERY_EA : 804F355A 17:24:17:390 1460 IRP_MJ_SET_EA : 804F355A 17:24:17:390 1460 IRP_MJ_FLUSH_BUFFERS : F759D2E2 17:24:17:390 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A 17:24:17:390 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A 17:24:17:390 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A 17:24:17:390 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A 17:24:17:390 1460 IRP_MJ_DEVICE_CONTROL : F759D3BB 17:24:17:390 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A0F28 17:24:17:390 1460 IRP_MJ_SHUTDOWN : F759D2E2 17:24:17:390 1460 IRP_MJ_LOCK_CONTROL : 804F355A 17:24:17:390 1460 IRP_MJ_CLEANUP : 804F355A 17:24:17:390 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A 17:24:17:390 1460 IRP_MJ_QUERY_SECURITY : 804F355A 17:24:17:390 1460 IRP_MJ_SET_SECURITY : 804F355A 17:24:17:390 1460 IRP_MJ_POWER : F759EC82 17:24:17:390 1460 IRP_MJ_SYSTEM_CONTROL : F75A399E 17:24:17:390 1460 IRP_MJ_DEVICE_CHANGE : 804F355A 17:24:17:390 1460 IRP_MJ_QUERY_QUOTA : 804F355A 17:24:17:390 1460 IRP_MJ_SET_QUOTA : 804F355A 17:24:17:390 1460 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code 17:24:17:390 1460 sion 17:24:17:406 1460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean 17:24:17:406 1460 17:24:17:406 1460 Driver Name: Disk 17:24:17:406 1460 IRP_MJ_CREATE : F75A2BB0 17:24:17:406 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A 17:24:17:406 1460 IRP_MJ_CLOSE : F75A2BB0 17:24:17:406 1460 IRP_MJ_READ : F759CD1F 17:24:17:406 1460 IRP_MJ_WRITE : F759CD1F 17:24:17:406 1460 IRP_MJ_QUERY_INFORMATION : 804F355A 17:24:17:406 1460 IRP_MJ_SET_INFORMATION : 804F355A 17:24:17:406 1460 IRP_MJ_QUERY_EA : 804F355A 17:24:17:406 1460 IRP_MJ_SET_EA : 804F355A 17:24:17:406 1460 
IRP_MJ_FLUSH_BUFFERS : F759D2E2 17:24:17:406 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A 17:24:17:406 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A 17:24:17:406 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A 17:24:17:406 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A 17:24:17:406 1460 IRP_MJ_DEVICE_CONTROL : F759D3BB 17:24:17:406 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A0F28 17:24:17:406 1460 IRP_MJ_SHUTDOWN : F759D2E2 17:24:17:406 1460 IRP_MJ_LOCK_CONTROL : 804F355A 17:24:17:406 1460 IRP_MJ_CLEANUP : 804F355A 17:24:17:406 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A 17:24:17:406 1460 IRP_MJ_QUERY_SECURITY : 804F355A 17:24:17:406 1460 IRP_MJ_SET_SECURITY : 804F355A 17:24:17:406 1460 IRP_MJ_POWER : F759EC82 17:24:17:406 1460 IRP_MJ_SYSTEM_CONTROL : F75A399E 17:24:17:406 1460 IRP_MJ_DEVICE_CHANGE : 804F355A 17:24:17:406 1460 IRP_MJ_QUERY_QUOTA : 804F355A 17:24:17:406 1460 IRP_MJ_SET_QUOTA : 804F355A 17:24:17:406 1460 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code 17:24:17:406 1460 sion 17:24:17:406 1460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean 17:24:17:406 1460 17:24:17:406 1460 Driver Name: atapi 17:24:17:406 1460 IRP_MJ_CREATE : F73EEB3A 17:24:17:406 1460 IRP_MJ_CREATE_NAMED_PIPE : F73EEB3A 17:24:17:406 1460 IRP_MJ_CLOSE : F73EEB3A 17:24:17:406 1460 IRP_MJ_READ : F73EEB3A 17:24:17:406 1460 IRP_MJ_WRITE : F73EEB3A 17:24:17:406 1460 IRP_MJ_QUERY_INFORMATION : F73EEB3A 17:24:17:406 1460 IRP_MJ_SET_INFORMATION : F73EEB3A 17:24:17:406 1460 IRP_MJ_QUERY_EA : F73EEB3A 17:24:17:406 1460 IRP_MJ_SET_EA : F73EEB3A 17:24:17:406 1460 IRP_MJ_FLUSH_BUFFERS : F73EEB3A 17:24:17:406 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : F73EEB3A 17:24:17:406 1460 IRP_MJ_SET_VOLUME_INFORMATION : F73EEB3A 17:24:17:406 1460 IRP_MJ_DIRECTORY_CONTROL : F73EEB3A 17:24:17:406 1460 IRP_MJ_FILE_SYSTEM_CONTROL : F73EEB3A 17:24:17:406 1460 IRP_MJ_DEVICE_CONTROL : F73EEB3A 17:24:17:406 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F73EEB3A 17:24:17:406 1460 IRP_MJ_SHUTDOWN : F73EEB3A 
17:24:17:406 1460 IRP_MJ_LOCK_CONTROL : F73EEB3A 17:24:17:406 1460 IRP_MJ_CLEANUP : F73EEB3A 17:24:17:406 1460 IRP_MJ_CREATE_MAILSLOT : F73EEB3A 17:24:17:406 1460 IRP_MJ_QUERY_SECURITY : F73EEB3A 17:24:17:406 1460 IRP_MJ_SET_SECURITY : F73EEB3A 17:24:17:406 1460 IRP_MJ_POWER : F73EEB3A 17:24:17:406 1460 IRP_MJ_SYSTEM_CONTROL : F73EEB3A 17:24:17:406 1460 IRP_MJ_DEVICE_CHANGE : F73EEB3A 17:24:17:406 1460 IRP_MJ_QUERY_QUOTA : F73EEB3A 17:24:17:406 1460 IRP_MJ_SET_QUOTA : F73EEB3A 17:24:17:406 1460 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr 17:24:17:406 1460 TDL3_IrpHookDetect: New IrpHandler addr: 86F0B8C8 17:24:17:406 1460 ihd: 10, FFDF0308, 510, 134, 3, 120, 0 17:24:17:406 1460 Driver "atapi" Irp handler infected by TDSS rootkit ... 17:24:17:406 1460 cured 17:24:17:406 1460 siohd: 0 17:24:17:437 1460 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected 17:24:17:437 1460 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 17:24:17:437 1460 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys 17:24:17:437 1460 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3 17:24:17:671 1460 vfvi6 17:24:17:843 1460 !dsvbh1 17:24:19:500 1460 dsvbh2 17:24:19:515 1460 fdfb2 17:24:19:515 1460 Backup copy found, using it.. 
17:24:19:562 1460 will be cured on next reboot 17:24:19:562 1460 17:24:19:562 1460 Driver Name: atapi 17:24:19:562 1460 IRP_MJ_CREATE : F73EEB3A 17:24:19:562 1460 IRP_MJ_CREATE_NAMED_PIPE : F73EEB3A 17:24:19:562 1460 IRP_MJ_CLOSE : F73EEB3A 17:24:19:562 1460 IRP_MJ_READ : F73EEB3A 17:24:19:562 1460 IRP_MJ_WRITE : F73EEB3A 17:24:19:562 1460 IRP_MJ_QUERY_INFORMATION : F73EEB3A 17:24:19:562 1460 IRP_MJ_SET_INFORMATION : F73EEB3A 17:24:19:562 1460 IRP_MJ_QUERY_EA : F73EEB3A 17:24:19:562 1460 IRP_MJ_SET_EA : F73EEB3A 17:24:19:562 1460 IRP_MJ_FLUSH_BUFFERS : F73EEB3A 17:24:19:562 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : F73EEB3A 17:24:19:562 1460 IRP_MJ_SET_VOLUME_INFORMATION : F73EEB3A 17:24:19:562 1460 IRP_MJ_DIRECTORY_CONTROL : F73EEB3A 17:24:19:562 1460 IRP_MJ_FILE_SYSTEM_CONTROL : F73EEB3A 17:24:19:562 1460 IRP_MJ_DEVICE_CONTROL : F73EEB3A 17:24:19:562 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F73EEB3A 17:24:19:562 1460 IRP_MJ_SHUTDOWN : F73EEB3A 17:24:19:562 1460 IRP_MJ_LOCK_CONTROL : F73EEB3A 17:24:19:562 1460 IRP_MJ_CLEANUP : F73EEB3A 17:24:19:562 1460 IRP_MJ_CREATE_MAILSLOT : F73EEB3A 17:24:19:562 1460 IRP_MJ_QUERY_SECURITY : F73EEB3A 17:24:19:562 1460 IRP_MJ_SET_SECURITY : F73EEB3A 17:24:19:562 1460 IRP_MJ_POWER : F73EEB3A 17:24:19:562 1460 IRP_MJ_SYSTEM_CONTROL : F73EEB3A 17:24:19:562 1460 IRP_MJ_DEVICE_CHANGE : F73EEB3A 17:24:19:562 1460 IRP_MJ_QUERY_QUOTA : F73EEB3A 17:24:19:562 1460 IRP_MJ_SET_QUOTA : F73EEB3A 17:24:19:562 1460 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr 17:24:19:562 1460 TDL3_IrpHookDetect: New IrpHandler addr: 86F0B8C8 17:24:19:562 1460 ihd1 17:24:19:562 1460 siohd: 0 17:24:19:578 1460 C:\WINDOWS\system32\drivers\tskC.tmp - Verdict: Clean 17:24:19:578 1460 Reboot required for cure complete.. 
17:24:19:578 1460 Cure on reboot scheduled successfully 17:24:19:578 1460 17:24:19:578 1460 Completed 17:24:19:578 1460 17:24:19:578 1460 Results: 17:24:19:578 1460 Memory objects infected / cured / cured on reboot: 1 / 1 / 0 17:24:19:578 1460 Registry objects infected / cured / cured on reboot: 0 / 0 / 0 17:24:19:578 1460 File objects infected / cured / cured on reboot: 1 / 0 / 1 17:24:19:578 1460 17:24:19:578 1460 UnloadDriverW: NtUnloadDriver error 1 17:24:19:578 1460 KLMD_Unload: UnloadDriverW(klmd21) error 1 17:24:19:578 1460 KLMD(ARK) unloaded successfully I can't thank you enough. will this be the end of it? Novemberwhisky
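The atapi block in the log above is what a TDL3 dispatch-table hook looks like: every IRP_MJ_* entry, including majors a storage port driver never handles, points at one address (F73EEB3A), whereas disk.sys and USBSTOR.SYS leave their unimplemented majors on the address the other drivers share (804F355A) and TDSSKiller then resolves the stub to the real handler at 86F0B8C8. The following is an added example, not part of the original post and not TDSSKiller's own code: a small parser for log lines in this format that flags a collapsed dispatch table without relying on the tool's stub signature. The sample log lines are constructed from the values above with the tables shortened to a few majors, and the rule that the address shared by the most drivers is the kernel's default handler is an assumption of this example.

```python
"""Parse TDSSKiller-style 'Driver Name:' blocks and flag IRP dispatch tables
that have collapsed onto a single non-default address (the shape of the
TDL3/TDSS hook on atapi in the log above).  Added example; the heuristic is
an assumption, not the tool's own detection logic."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Line shape in the log: "HH:MM:SS:mmm <pid> <message>"
_LINE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*(?P<msg>.*)$")
_IRP = re.compile(r"^(?P<major>IRP_MJ_[A-Z_]+)\s*:\s*(?P<addr>[0-9A-Fa-f]{8})$")
_HOOK = re.compile(r"New IrpHandler addr:\s*([0-9A-Fa-f]{8})")


@dataclass
class DriverScan:
    name: str
    irp: dict = field(default_factory=dict)    # IRP_MJ_* -> handler address
    verdict: Optional[str] = None
    notes: list = field(default_factory=list)  # TDL3_* / "infected by" lines


def parse_tdsskiller(text: str) -> list[DriverScan]:
    """One DriverScan per 'Driver Name:' block; unknown lines are ignored."""
    scans: list[DriverScan] = []
    cur: Optional[DriverScan] = None
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg").strip()
        if msg.startswith("Driver Name:"):
            cur = DriverScan(name=msg.split(":", 1)[1].strip())
            scans.append(cur)
            continue
        if cur is None:
            continue
        irp = _IRP.match(msg)
        if irp:
            cur.irp[irp.group("major")] = irp.group("addr").upper()
        elif " - Verdict: " in msg:
            cur.verdict = msg.rsplit("Verdict:", 1)[1].strip()
        elif msg.startswith("TDL3_") or "infected by" in msg:
            cur.notes.append(msg)
    return scans


def kernel_default_handler(scans: list[DriverScan]) -> Optional[str]:
    """Assumption: the address present in the tables of the most distinct
    drivers is the kernel's default handler for unimplemented majors."""
    shared: Counter = Counter()
    for s in scans:
        for addr in set(s.irp.values()):
            shared[addr] += 1
    return shared.most_common(1)[0][0] if shared else None


def collapsed_dispatch_tables(scans: list[DriverScan]) -> list[str]:
    """Drivers whose whole table is one address that is not the kernel
    default: a port driver has no reason to own IRP_MJ_CREATE_NAMED_PIPE or
    IRP_MJ_CREATE_MAILSLOT, so a uniform table means a stub sits in front."""
    default = kernel_default_handler(scans)
    return [s.name for s in scans
            if len(set(s.irp.values())) == 1 and default not in s.irp.values()]


def hook_targets(scans: list[DriverScan]) -> dict:
    """Real handler behind a stub, where the tool resolved it; that is the
    address a follow-up memory dump should be pointed at."""
    out = {}
    for s in scans:
        for note in s.notes:
            m = _HOOK.search(note)
            if m:
                out[s.name] = m.group(1).upper()
    return out


# Constructed sample in the log's format (addresses taken from the log above,
# tables shortened to six majors each); not a capture from the machine.
SAMPLE_LOG = """\
17:24:17:328 1460 Driver Name: Disk
17:24:17:328 1460 IRP_MJ_CREATE : F75A2BB0
17:24:17:328 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:24:17:328 1460 IRP_MJ_READ : F759CD1F
17:24:17:328 1460 IRP_MJ_QUERY_EA : 804F355A
17:24:17:328 1460 IRP_MJ_DEVICE_CONTROL : F759D3BB
17:24:17:328 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:24:17:328 1460 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
17:24:17:343 1460 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: Clean
17:24:17:375 1460 Driver Name: USBSTOR
17:24:17:375 1460 IRP_MJ_CREATE : F7901218
17:24:17:375 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:24:17:375 1460 IRP_MJ_READ : F790123C
17:24:17:375 1460 IRP_MJ_QUERY_EA : 804F355A
17:24:17:375 1460 IRP_MJ_DEVICE_CONTROL : F7901180
17:24:17:375 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:24:17:375 1460 siohd: 0
17:24:17:375 1460 C:\\WINDOWS\\system32\\DRIVERS\\USBSTOR.SYS - Verdict: Clean
17:24:17:406 1460 Driver Name: atapi
17:24:17:406 1460 IRP_MJ_CREATE : F73EEB3A
17:24:17:406 1460 IRP_MJ_CREATE_NAMED_PIPE : F73EEB3A
17:24:17:406 1460 IRP_MJ_READ : F73EEB3A
17:24:17:406 1460 IRP_MJ_QUERY_EA : F73EEB3A
17:24:17:406 1460 IRP_MJ_DEVICE_CONTROL : F73EEB3A
17:24:17:406 1460 IRP_MJ_CREATE_MAILSLOT : F73EEB3A
17:24:17:406 1460 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
17:24:17:406 1460 TDL3_IrpHookDetect: New IrpHandler addr: 86F0B8C8
17:24:17:406 1460 Driver "atapi" Irp handler infected by TDSS rootkit ...
17:24:17:437 1460 C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: Infected
"""

if __name__ == "__main__":
    scans = parse_tdsskiller(SAMPLE_LOG)
    print("kernel default handler:", kernel_default_handler(scans))
    print("collapsed tables:", collapsed_dispatch_tables(scans))
    print("resolved hook targets:", hook_targets(scans))
```

Run against the full log, the same rule flags only the two atapi blocks: disk.sys and USBSTOR.SYS each show six distinct handlers with the rest on 804F355A, while atapi shows one. The heuristic is deliberately independent of the stub signature, so it still fires on a variant whose stub bytes differ; it will also fire on any legitimate driver that registers a single catch-all dispatch routine, which is why the tool's resolved target address and the file verdict are kept alongside it rather than replaced.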
  4. IndiGenus, OTL scans as requested below. My browser is still diverting me to unwanted web pages. I came home from work and the PC was on already (my kids had turned it on by accident). I had to restart to enable the wireless connection, which involved a hard shutdown (which has been happening on and off for several weeks now).

Thanks

novemberwhisky

OTL logfile created on: 04/03/2010 18:39:53 - Run 1
OTL by OldTimer - Version Folder = C:\Documents and Settings\DAD\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
1,023.00 Mb Total Physical Memory | 426.00 Mb Available Physical Memory | 42.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.29 Gb Total Space | 38.94 Gb Free Space | 55.39% Space Free | Partition Type: NTFS
Drive D: | 14.33 Gb Total Space | 10.50 Gb Free Space | 73.26% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: DADKIDS
Current User Name: DAD
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========
PRC - [2010/03/04 18:34:59 | 000,552,960 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe
PRC - [2009/12/11 18:41:15 | 000,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2009/12/11 18:41:15 | 000,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2009/12/03 03:50:39 | 001,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/12/03 03:50:38 | 000,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/12/03 03:50:31 | 000,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2009/12/03 03:50:30 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/04/30 12:23:26 | 000,090,112 | ---- | M] () -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/03/01 19:50:06 | 000,626,810 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
PRC - [2006/03/01 00:05:54 | 002,364,976 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgre.exe
PRC - [2006/03/01 00:00:34 | 001,992,240 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe
PRC - [2006/02/06 22:39:36 | 000,262,144 | R--- | M] (LITE-ON TECHNOLOGY CORP.) -- C:\Program Files\Lenovo\Productivity Keyboard\Skdaemon.exe
PRC - [2006/01/11 23:08:36 | 000,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2005/12/07 09:00:00 | 000,106,496 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE
PRC - [2005/10/28 11:23:10 | 001,404,928 | ---- | M] (Belkin) -- C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
PRC - [2005/08/02 01:33:04 | 000,126,976 | ---- | M] () -- C:\Program Files\ThinkVantage\SystemUpdate\PipeServer.exe
PRC - [2005/04/13 22:34:28 | 000,049,152 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ico.exe
PRC - [2003/11/06 23:51:32 | 000,020,480 | ---- | M] () -- C:\WINDOWS\system32\FSRremoS.EXE

========== Modules (SafeList) ==========
MOD - [2010/03/04 18:34:59 | 000,552,960 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========
SRV - [2009/12/03 03:50:31 | 000,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2009/12/03 03:50:30 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/12/03 02:13:32 | 000,032,256 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psasrv.exe -- (PsaSrv)
SRV - [2009/04/30 12:23:26 | 000,090,112 | ---- | M] () [Auto | Running] -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe -- (OMSI download service)
SRV - [2006/03/01 19:50:06 | 000,626,810 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2005/12/22 02:34:58 | 000,077,824 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe -- (TVT Scheduler)
SRV - [2005/12/22 02:20:56 | 001,384,448 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe -- (TVT Backup Service)
SRV - [2005/08/02 01:32:40 | 000,040,960 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe -- (UCLauncherService)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D6 FD 9C 1C FA 83 CA 01 [binary data]
IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

[2010/02/25 00:05:02 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/02/24 23:01:36 | 000,380,253 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: localhost
O1 - Hosts: www.007guard.com
O1 - Hosts: 007guard.com
O1 - Hosts: 008i.com
O1 - Hosts: www.008k.com
O1 - Hosts: 008k.com
O1 - Hosts: www.00hq.com
O1 - Hosts: 00hq.com
O1 - Hosts: 010402.com
O1 - Hosts: www.032439.com
O1 - Hosts: 032439.com
O1 - Hosts: www.0scan.com
O1 - Hosts: 0scan.com
O1 - Hosts: 1000gratisproben.com
O1 - Hosts: www.1000gratisproben.com
O1 - Hosts: 1001namen.com
O1 - Hosts: www.1001namen.com
O1 - Hosts: 100888290cs.com
O1 - Hosts: www.100888290cs.com
O1 - Hosts: www.100sexlinks.com
O1 - Hosts: 100sexlinks.com
O1 - Hosts: 10sek.com
O1 - Hosts: www.10sek.com
O1 - Hosts: www.1-2005-search.com
O1 - Hosts: 1-2005-search.com
O1 - Hosts: 13102 more lines...
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\ShellBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [cssauthe] C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [DiskeeperSystray] C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe (Diskeeper Corporation)
O4 - HKLM..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [LPManager] C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE (Lenovo Group Limited)
O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [sKDaemon.exe] C:\Program Files\Lenovo\Productivity Keyboard\Skdaemon.exe (LITE-ON TECHNOLOGY CORP.)
O4 - HKLM..\Run: [soundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe ()
O4 - HKCU..\Run: [sony Ericsson PC Suite] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe (Sony Ericsson Mobile Communications AB)
O4 - HKCU..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe (Belkin)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: &Translate English Word - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Backward Links - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Cached Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Similar Pages - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Translate Page into English - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/1.4.2/...all-142-win.cab (Java Plug-in 1.4.2)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4.2/...all-142-win.cab (Java Plug-in 1.4.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer =
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\DAD\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\DAD\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/12/03 02:34:50 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/08/09 21:12:00 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 14 Days ==========
[2010/03/04 18:34:55 | 000,552,960 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe
[2010/03/04 16:32:28 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/03/03 22:06:19 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/03/03 22:04:38 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/03/03 22:04:38 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/03/03 22:04:38 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/03/03 22:04:38 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/03/03 22:04:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/03/03 22:04:29 | 000,000,000 | ---D | C] -- C:\Combo-Fix
[2010/03/03 22:04:16 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/25 23:39:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/02/24 23:16:18 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/24 23:16:16 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/24 23:16:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/24 22:25:41 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/02/24 22:25:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/02/24 22:24:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\DAD\Application Data\AVG9
[2010/02/24 20:56:41 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/02/24 01:13:10 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/02/23 23:37:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2010/02/23 21:39:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\DAD\Application Data\Malwarebytes
[2010/02/23 21:38:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/02/22 22:52:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\DAD\Local Settings\Application Data\Help
[2010/02/22 22:52:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\DAD\Application Data\Help
[2009/12/04 22:54:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/12/03 03:31:59 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/12/03 03:31:59 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2004/08/09 21:33:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========
[2010/03/04 18:35:21 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{A277806A-F328-4CC4-9BA9-41C902613B3B}.job
[2010/03/04 18:34:59
| 000,552,960 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe [2010/03/04 18:30:36 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT [2010/03/04 18:30:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2010/03/04 18:30:30 | 1073,270,784 | -HS- | M] () -- C:\hiberfil.sys [2010/03/04 18:24:23 | 009,175,040 | -H-- | M] () -- C:\Documents and Settings\DAD\NTUSER.DAT [2010/03/04 18:24:23 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\DAD\ntuser.ini [2010/03/04 18:24:18 | 007,464,274 | -H-- | M] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\IconCache.db [2010/03/03 23:11:36 | 056,626,860 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm [2010/03/03 22:33:37 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini [2010/03/03 22:06:24 | 000,000,254 | RHS- | M] () -- C:\BOOT.INI [2010/03/03 21:46:57 | 004,118,254 | R--- | M] () -- C:\Documents and Settings\DAD\Desktop\Combo-Fix.exe [2010/03/03 19:34:02 | 000,010,973 | ---- | M] () -- C:\Documents and Settings\DAD\My Documents\1.docx [2010/02/27 18:29:37 | 000,018,944 | ---- | M] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010/02/26 20:22:16 | 000,001,514 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk [2010/02/25 22:16:07 | 000,462,454 | ---- | M] () -- C:\Documents and Settings\DAD\Desktop\over confident.bmp [2010/02/25 21:59:08 | 000,038,118 | ---- | M] () -- C:\Documents and Settings\DAD\Desktop\the hostile world awaits.jpg [2010/02/25 21:11:54 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK [2010/02/24 23:16:20 | 000,000,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010/02/24 23:01:36 | 000,380,253 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts [2010/02/24 22:25:48 | 000,000,944 | ---- | M] () -- C:\Documents and Settings\DAD\Desktop\Spybot - Search & Destroy.lnk 
[2010/02/24 20:56:42 | 000,001,745 | ---- | M] () -- C:\Documents and Settings\DAD\Desktop\HijackThis.lnk [2010/02/19 17:23:51 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] [1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] ========== Files Created - No Company Name ========== [2010/03/03 22:06:24 | 000,000,184 | ---- | C] () -- C:\Boot.bak [2010/03/03 22:06:21 | 000,260,272 | ---- | C] () -- C:\cmldr [2010/03/03 22:04:38 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe [2010/03/03 22:04:38 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe [2010/03/03 22:04:38 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe [2010/03/03 22:04:38 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe [2010/03/03 22:04:38 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe [2010/03/03 21:46:51 | 004,118,254 | R--- | C] () -- C:\Documents and Settings\DAD\Desktop\Combo-Fix.exe [2010/03/03 19:34:02 | 000,010,973 | ---- | C] () -- C:\Documents and Settings\DAD\My Documents\1.docx [2010/02/26 20:22:16 | 000,001,514 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk [2010/02/25 22:16:07 | 000,462,454 | ---- | C] () -- C:\Documents and Settings\DAD\Desktop\over confident.bmp [2010/02/25 22:08:34 | 000,038,118 | ---- | C] () -- C:\Documents and Settings\DAD\Desktop\the hostile world awaits.jpg [2010/02/24 23:16:20 | 000,000,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010/02/24 22:25:48 | 000,000,944 | ---- | C] () -- C:\Documents and Settings\DAD\Desktop\Spybot - Search & Destroy.lnk [2010/02/24 20:56:42 | 000,001,745 | ---- | C] () -- C:\Documents and Settings\DAD\Desktop\HijackThis.lnk [2009/12/10 20:30:43 | 000,018,944 | ---- | C] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2009/12/03 21:18:10 | 000,000,204 | ---- | C] () -- C:\WINDOWS\RtlRack.ini 
[2009/12/03 02:33:54 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\fusioncache.dat [2009/12/03 02:16:06 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini [2009/12/03 02:05:14 | 000,028,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys [2009/12/03 02:03:39 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll [2009/12/03 02:03:39 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll [2009/12/03 02:03:39 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll [2009/12/03 02:03:39 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll [2009/12/03 02:03:39 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll [2009/12/03 02:03:39 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll [2009/12/03 02:03:18 | 000,000,032 | ---- | C] () -- C:\WINDOWS\WININIT.INI [2009/12/03 01:58:25 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll [2009/12/03 01:57:38 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\FSRremoC.DLL [2009/12/03 01:57:38 | 000,005,528 | ---- | C] () -- C:\WINDOWS\System32\Setup2k.ini [2009/12/03 01:57:38 | 000,000,296 | ---- | C] () -- C:\WINDOWS\System32\presetup.ini [2006/02/03 00:37:10 | 000,004,676 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI [2006/01/19 20:46:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini [2006/01/10 21:38:30 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll [2005/07/12 22:44:42 | 000,015,872 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD64.DLL [2004/08/09 21:34:32 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini [2004/03/24 00:38:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD.dll [2002/04/11 18:47:52 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\msmscoin.dll ========== LOP Check ========== [2009/12/02 22:12:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar 
[2009/12/03 03:50:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9 [2009/12/10 00:11:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software [2009/12/03 02:01:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lenovo [2010/02/18 11:30:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP [2009/12/03 02:35:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ThinkVantage [2009/12/25 09:53:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD} [2010/02/24 22:24:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\AVG9 [2009/12/03 20:48:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\GetRightToGo [2009/12/03 02:04:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\IBM [2009/12/03 19:46:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\InterVideo [2009/12/03 19:50:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Leadertech [2009/12/06 19:06:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\LEGO Company [2009/12/06 20:13:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Lenovo [2009/12/09 16:54:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\MSNInstaller [2009/12/12 19:33:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Sony [2009/12/12 19:23:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Sony Setup [2009/12/03 02:35:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\ThinkVantage [2009/12/09 19:44:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\TrueSwitch [2010/03/04 
18:35:21 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{A277806A-F328-4CC4-9BA9-41C902613B3B}.job ========== Purity Check ========== ========== Custom Scans ========== < %SYSTEMDRIVE%\*.exe > < MD5 for: AGP440.SYS > [2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys [2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys [2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys [2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys [2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys [2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys [2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys [2004/08/04 07:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys < MD5 for: ATAPI.SYS > [2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys [2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys [2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys [2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys [2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys [2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- 
C:\WINDOWS\ServicePackFiles\i386\atapi.sys [2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys [2004/08/04 06:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys [2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys < MD5 for: EVENTLOG.DLL > [2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll [2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll [2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll [2004/08/04 13:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll < MD5 for: NETLOGON.DLL > [2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll [2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll [2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll [2009/02/06 18:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll [2009/02/06 18:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtUninstallKB975467_0$\netlogon.dll [2004/08/04 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) 
OTL Extras logfile created on: 04/03/2010 18:39:53 - Run 1
OTL by OldTimer - Version Folder = C:\Documents and Settings\DAD\Desktop
  5. Hi IndiGenus, Here is the log you asked for. Thanks Novemberwhisky

ComboFix 10-03-03.03 - DAD 03/03/2010 22:27:09.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.737 [GMT 0:00]
Running from: c:\documents and settings\DAD\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\hpe78.dll
c:\windows\EventSystem.log
.
((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.
2010-02-26 17:45 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-25 23:39 . 2010-02-25 23:39 -------- d-----w- c:\windows\system32\NtmsData
2010-02-24 23:16 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-24 23:16 . 2010-02-24 23:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-24 23:16 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-24 22:25 . 2010-02-24 22:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-24 22:25 . 2010-02-24 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-24 22:24 . 2010-02-24 22:24 -------- d-----w- c:\documents and settings\DAD\Application Data\AVG9
2010-02-24 20:56 . 2010-02-24 20:56 -------- d-----w- c:\program files\Trend Micro
2010-02-23 21:39 . 2010-02-23 21:39 -------- d-----w- c:\documents and settings\DAD\Application Data\Malwarebytes
2010-02-23 21:38 . 2010-02-23 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-22 22:52 . 2010-02-22 22:52 -------- d-----w- c:\documents and settings\DAD\Local Settings\Application Data\Help
2010-02-18 10:49 . 2010-02-18 11:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-10 21:06 . 2009-11-27 17:11 17920 ------w- c:\windows\system32\dllcache\msyuv.dll
2010-02-05 20:43 . 2010-02-25 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-05 20:43 . 2010-02-05 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-05 17:41 . 2010-02-17 21:54 -------- d-----w- c:\windows\system32\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-25 17:49 . 2009-12-03 02:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-21 15:55 . 2009-12-03 02:14 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2010-02-05 20:43 . 2009-12-03 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-23 19:39 . 2010-01-23 19:39 -------- d-----w- c:\documents and settings\KIDS\Application Data\Apple Computer
2010-01-12 13:03 . 2009-12-03 20:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-31 16:50 . 1980-01-01 08:00 353792 ------w- c:\windows\system32\drivers\srv.sys
2009-12-26 15:51 . 2009-12-12 14:43 24816 ------w- c:\documents and settings\KIDS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-25 13:10 . 2009-12-25 13:10 26260 ---h--w- c:\windows\system32\mlfcache.dat
2009-12-21 19:14 . 1980-01-01 08:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-09 21:22 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-15 19:52 . 2009-12-03 03:13 24816 ------w- c:\documents and settings\DAD\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-14 07:08 . 1980-01-01 08:00 33280 ------w- c:\windows\system32\csrsrv.dll
2009-12-12 19:29 . 2009-12-12 19:29 10134 ------r- c:\documents and settings\DAD\Application Data\Microsoft\Installer\{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}\ARPPRODUCTICON.exe
2009-12-12 19:25 . 2009-12-12 19:23 23510720 ------w- c:\documents and settings\DAD\Application Data\Sony Setup\09063B41-0916-4360-A80D-0C2A2B89D300\dotnetfx.exe
2009-12-12 19:19 . 2009-12-12 19:17 32494896 ------w- c:\documents and settings\DAD\Application Data\Sony Setup\9234765D-29DF-48d0-93FB-284B7B6009B9\QuickTimeInstaller.exe
2009-12-09 16:54 . 2009-12-09 16:54 846312 ------w- c:\documents and settings\DAD\Application Data\MSNInstaller\msnauins.exe
2009-12-08 21:46 . 2009-12-08 21:47 25512 ------w- c:\windows\system32\drivers\ggsemc.sys
2009-12-08 21:46 . 2009-12-08 21:47 13224 ------w- c:\windows\system32\drivers\ggflt.sys
2009-12-08 21:46 . 2009-12-08 21:47 1112288 ------w- c:\windows\system32\WdfCoInstaller01007.dll
2009-12-08 19:27 . 1980-01-01 08:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 06:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 22:50 . 2009-12-04 22:50 86016 ------w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-12-04 18:22 . 1980-01-01 08:00 455424 ------w- c:\windows\system32\drivers\mrxsmb.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 13:01 1230080 ------w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-09-24 434176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 49152]
"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 40960]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-03-01 196710]
"LPManager"="c:\progra~1\Lenovo\LENOVO~2\LPMGR.exe" [2005-12-07 106496]
"cssauthe"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" [2006-03-01 1992240]
"SKDaemon.exe"="c:\program files\Lenovo\Productivity Keyboard\SKDaemon.exe" [2006-02-06 262144]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-03 03:50 12464 ------w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [03/12/2009 03:50 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [03/12/2009 03:50 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [03/12/2009 03:50 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [03/12/2009 03:50 285392]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [22/12/2005 00:45 3968]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [09/12/2009 23:04 27632]
S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]
S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [09/12/2009 23:02 90112]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [08/12/2009 21:47 13224]
S3 s3chipid;s3chipid;\??\c:\docume~1\Owner\LOCALS~1\Temp\s3chipid.sys --> c:\docume~1\Owner\LOCALS~1\Temp\s3chipid.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-25 c:\windows\Tasks\User_Feed_Synchronization-{A277806A-F328-4CC4-9BA9-41C902613B3B}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 12:31]
.
.
------- Supplementary Scan -------
.
uLocal Page = hxxp://www.google.com/
uStart Page = hxxp://home.bt.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.lenovo.com/us/en/
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
HKLM-Run-POINTER - point32.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 22:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-03-03 22:35:23
ComboFix-quarantined-files.txt 2010-03-03 22:35

Pre-Run: 41,218,633,728 bytes free
Post-Run: 41,828,462,592 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Home Edition" /fastdetect

- - End Of File - - 719C2E6C9ED7793955116D36AAAE35B5
log.txt
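Added example (editor's code, not posted by anyone in this thread and not part of GMER, ComboFix or HijackThis): a small Python triage script for the two GMER indicators that carry this thread, atapi.sys reporting its entry point inside the ".rsrc" section and every \Driver\atapi device object dispatching to the same address in an "[unknown section]" of atapi.sys, plus a check of the HijackThis "Running processes" list for a core Windows image name running from outside the Windows directory (post 6 below shows a second lsass.exe under DAD\Application Data\SystemProc). The sample text is constructed from a subset of the log lines novemberwhisky posted in post 6; the regular expressions assume the GMER 1.0.15 and HijackThis 2.0.2 plain-text layouts as they appear on this page, and the list of core image names is the editor's own.

```python
"""Triage helper for GMER and HijackThis text logs (added example, not from the thread).

Pulled out of the GMER text:
  1. a kernel driver whose entry point lies in its .rsrc section
  2. device objects whose dispatch pointer lands in "[unknown section]" of a
     driver, i.e. code that is inside no named PE section of that image
  3. a file GMER marks "suspicious modification"
Separately, a HijackThis process list is checked for core Windows image names
running from somewhere other than the Windows directory.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the GMER and HijackThis lines posted in this thread.
SAMPLE_GMER = r"""
GMER - http://www.gmer.net
---- Kernel code sections - GMER 1.0.15 ----
.rsrc  C:\WINDOWS\system32\drivers\atapi.sys  entry point in ".rsrc" section [0xF73FB780]
---- Devices - GMER 1.0.15 ----
AttachedDevice  \FileSystem\Ntfs \Ntfs  ibmfilter.sys (IBM Rescue and Recovery filter driver/IBM)
Device  \Driver\atapi \Device\Ide\IdePort0  [F73EEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device  \Driver\atapi \Device\Ide\IdePort1  [F73EEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
AttachedDevice  \Driver\Tcpip \Device\Udp  avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- Files - GMER 1.0.15 ----
File  C:\RRbackups\SAM  262144 bytes
File  C:\WINDOWS\system32\drivers\atapi.sys  suspicious modification
---- EOF - GMER 1.0.15 ----
"""

SAMPLE_HJT_PROCESSES = r"""
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Documents and Settings\DAD\Application Data\SystemProc\lsass.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
"""

# Editor's list: image names that legitimately run only from the Windows directory on XP.
CORE_SYSTEM_IMAGES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                      "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}

ENTRY_IN_RSRC = re.compile(
    r'^\.rsrc\s+(\S+)\s+entry point in "\.rsrc" section \[0x([0-9A-Fa-f]+)\]')
DEVICE_HOOK = re.compile(
    r'^Device\s+(\\Driver\\\S+)\s+(\\Device\\\S+)\s+\[([0-9A-Fa-f]+)\]\s+'
    r'(\S+?)\[unknown section\]\s*\{([^}]*)\}')
SUSPICIOUS_FILE = re.compile(r'^File\s+(\S+)\s+suspicious modification$')


@dataclass
class Finding:
    kind: str    # "entry_in_rsrc", "device_hook" or "file_modified"
    detail: str


def triage_gmer(text):
    """Return the Findings for one GMER log. Device hooks that share a target
    address and stub are grouped: one hook normally covers every device object
    the driver owns, which is exactly the pattern in the posted log."""
    findings = []
    hooks = {}  # (driver image, hook address, stub) -> device objects hooked
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_IN_RSRC.match(line)
        if m:
            findings.append(Finding("entry_in_rsrc",
                            f"{m.group(1)} entry point 0x{m.group(2).upper()} lies in .rsrc"))
            continue
        m = DEVICE_HOOK.match(line)
        if m:
            _driver, device, addr, image, stub = m.groups()
            hooks.setdefault((image, addr.upper(), stub.strip()), []).append(device)
            continue
        m = SUSPICIOUS_FILE.match(line)
        if m:
            findings.append(Finding("file_modified", m.group(1)))
    for (image, addr, stub), devices in hooks.items():
        findings.append(Finding("device_hook",
                        f"{len(devices)} device(s) of {image} dispatch to 0x{addr} "
                        f"outside any named section: {stub}"))
    return findings


def masquerading_processes(process_list, windows_dir=r"C:\WINDOWS"):
    """Paths from a HijackThis 'Running processes' list whose image name is a
    core Windows binary but whose directory is not under windows_dir."""
    prefix = windows_dir.lower().rstrip("\\") + "\\"
    hits = []
    for raw in process_list.splitlines():
        path = raw.strip()
        if not path:
            continue
        name = path.rsplit("\\", 1)[-1].lower()
        if name in CORE_SYSTEM_IMAGES and not path.lower().startswith(prefix):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for f in triage_gmer(SAMPLE_GMER):
        print(f"[{f.kind}] {f.detail}")
    for p in masquerading_processes(SAMPLE_HJT_PROCESSES):
        print(f"[masquerade] {p}")
```

One caveat when acting on these indicators: a hash or version check of C:\WINDOWS\system32\drivers\atapi.sys run from inside the infected system is not trustworthy once the disk driver's dispatch routines are hooked, because the hook sits between the file system and the disk and can hand back the original file contents on read. Cross-view scanners such as GMER, or an offline boot, are the checks to rely on. Note also that the catchme pass inside the ComboFix run above reports "hidden files: 0" while GMER still flags the driver; per its own output catchme scans hidden processes, autostart entries and files, and it is GMER that reports on device dispatch pointers.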
  6. Hi, I was wondering if you could help with what seems an identical problem posted on your forum? Atapi.sys infection? Start of Problems??? Deltalima was the expert involved with solving the TDL3 rootkit problem. How easily can it be fixed? Please see attached scan logs from Mbam, GMER and HijackThis. It took a bit of work getting Mbam and Spybot with the latest updates as they were being blocked. Now the problem seems to be the Atapi.sys. I believe that if I delete atapi.sys I will not be able to reboot the system. I have an IBM system with Rescue and Recovery and the PRE-Load is on a partition of the hard drive. I want to avoid reformatting, as I have already done so about 3 months ago. Many thanks New member "novemberwhisky"

GMER - http://www.gmer.net
Rootkit scan 2010-02-24 20:52:41
Windows 5.1.2600 Service Pack 3
Running: 5s9i679h.exe; Driver: C:\DOCUME~1\DAD\LOCALS~1\Temp\awrdapow.sys

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF73FB780]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExA] [004179E4] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExW] [00417A5E] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!ShowWindow] [00417AD8] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExA] [004179E4] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExW] [00417A5E] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowPos] [00417B8A] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!ShowWindow] [00417AD8] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\wininet.dll [USER32.dll!SetWindowPos] [00417B8A] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\wininet.dll [USER32.dll!CreateWindowExW] [00417A5E] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!CreateWindowExW] [00417A5E] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!ShowWindow] [00417AD8] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!SetWindowPos] [00417B8A] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ibmfilter.sys (IBM Rescue and Recovery filter driver/IBM)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-1b [F73EEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F73EEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort0 [F73EEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [F73EEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort2 [F73EEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort3 [F73EEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10 [F73EEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) ---- Files - GMER 1.0.15 ---- File C:\RRbackups\C 0 bytes File C:\RRbackups\Documents and Settings 0 bytes File C:\RRbackups\Documents and Settings\All Users 0 bytes File C:\RRbackups\Documents and Settings\All Users\Application Data 0 bytes File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft 0 bytes File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto 0 bytes File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA 0 bytes File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys 0 bytes File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_c90750f4-1a9a-4385-b16f-b780e69ce3dc 52 bytes File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18 0 bytes File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\d42cc0c3858a58db2db37658219e6400_c90750f4-1a9a-4385-b16f-b780e69ce3dc 893 bytes File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage 0 bytes File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security 0 bytes File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\css.ini 26 bytes File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\encobject.dat 1608 bytes File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\swkeys.dat 6372 bytes File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\symkeys.dat 656 bytes File C:\RRbackups\Documents and Settings\DAD 0 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data 0 bytes File 
C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft 0 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Crypto 0 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Crypto\RSA 0 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Crypto\RSA\S-1-5-21-913010512-750300659-3987821213-1006 0 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Crypto\RSA\S-1-5-21-913010512-750300659-3987821213-1006\095eef4ec6fbefd1e618f6bcc8a2c409_c90750f4-1a9a-4385-b16f-b780e69ce3dc 44 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Crypto\RSA\S-1-5-21-913010512-750300659-3987821213-1006\533145ef011ddf5ca3983e2545a902b4_c90750f4-1a9a-4385-b16f-b780e69ce3dc 2075 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Crypto\RSA\S-1-5-21-913010512-750300659-3987821213-1006\83aa4cc77f591dfc2374580bbd95f6ba_c90750f4-1a9a-4385-b16f-b780e69ce3dc 45 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect 0 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\CREDHIST 296 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003 0 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003\bcc758da-8202-4f98-8e02-b38aaef0f0a2 388 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003\Preferred 24 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003 0 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003\b494fd33-76f6-4b91-9917-7145d83c8e0f 388 bytes File C:\RRbackups\Documents and 
Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003\Preferred 24 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-913010512-750300659-3987821213-1006 0 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-913010512-750300659-3987821213-1006\56bdf13a-bad8-4cd1-ab44-1a2499927ac1 388 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-913010512-750300659-3987821213-1006\e8018cf0-b6e6-4359-aa8a-6a671f2cae47 388 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-913010512-750300659-3987821213-1006\Preferred 24 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\SystemCertificates 0 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\SystemCertificates\My 0 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\ThinkVantage 0 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\ThinkVantage\Client Security 0 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\ThinkVantage\Client Security\encobject.dat 6432 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\ThinkVantage\Client Security\hibernation.dat 4 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\ThinkVantage\Client Security\swkeys.dat 4248 bytes File C:\RRbackups\Documents and Settings\DAD\Application Data\ThinkVantage\Client Security\symkeys.dat 1968 bytes File C:\RRbackups\Documents and Settings\Default User 0 bytes File C:\RRbackups\Documents and 
Settings\Default User\Application Data 0 bytes File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft 0 bytes File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect 0 bytes File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST 24 bytes File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003 0 bytes File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003\bcc758da-8202-4f98-8e02-b38aaef0f0a2 388 bytes File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003\Preferred 24 bytes File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003 0 bytes File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003\b494fd33-76f6-4b91-9917-7145d83c8e0f 388 bytes File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003\Preferred 24 bytes File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates 0 bytes File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My 0 bytes File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes File C:\RRbackups\Documents and Settings\KIDS 0 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data 0 bytes 
File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft 0 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Crypto 0 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Crypto\RSA 0 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Crypto\RSA\S-1-5-21-913010512-750300659-3987821213-1007 0 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Crypto\RSA\S-1-5-21-913010512-750300659-3987821213-1007\533145ef011ddf5ca3983e2545a902b4_c90750f4-1a9a-4385-b16f-b780e69ce3dc 2075 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Protect 0 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Protect\CREDHIST 24 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003 0 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003\bcc758da-8202-4f98-8e02-b38aaef0f0a2 388 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003\Preferred 24 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003 0 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003\b494fd33-76f6-4b91-9917-7145d83c8e0f 388 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003\Preferred 24 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Protect\S-1-5-21-913010512-750300659-3987821213-1007 0 bytes File C:\RRbackups\Documents and Settings\KIDS\Application 
Data\Microsoft\Protect\S-1-5-21-913010512-750300659-3987821213-1007\979da260-4fa4-4938-86a8-22941fb6619c 388 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Protect\S-1-5-21-913010512-750300659-3987821213-1007\Preferred 24 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\SystemCertificates 0 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\SystemCertificates\My 0 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\ThinkVantage 0 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\ThinkVantage\Client Security 0 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\ThinkVantage\Client Security\encobject.dat 6432 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\ThinkVantage\Client Security\hibernation.dat 4 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\ThinkVantage\Client Security\swkeys.dat 4248 bytes File C:\RRbackups\Documents and Settings\KIDS\Application Data\ThinkVantage\Client Security\symkeys.dat 1968 bytes File C:\RRbackups\Documents and Settings\LocalService 0 bytes File C:\RRbackups\Documents and Settings\LocalService\Application Data 0 bytes File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft 0 bytes File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates 0 bytes File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My 0 bytes File C:\RRbackups\Documents and Settings\LocalService\Application 
Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\Owner 0 bytes
File C:\RRbackups\Documents and Settings\Owner\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\Protect\CREDHIST 24 bytes
File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003 0 bytes
File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003\bcc758da-8202-4f98-8e02-b38aaef0f0a2 388 bytes
File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003 0 bytes
File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003\b494fd33-76f6-4b91-9917-7145d83c8e0f 388 bytes
File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\TEMP 0 bytes
File C:\RRbackups\Documents and Settings\TEMP\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\TEMP\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\TEMP\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\TEMP\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003 0 bytes
File C:\RRbackups\Documents and Settings\TEMP\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003 0 bytes
File C:\RRbackups\Documents and Settings\TEMP\Application Data\Microsoft\Protect\S-1-5-21-913010512-750300659-3987821213-1006 0 bytes
File C:\RRbackups\Documents and Settings\TEMP\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\TEMP\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\TEMP\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\TEMP\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\TEMP\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\TEMP\Application Data\ThinkVantage 0 bytes
File C:\RRbackups\Documents and Settings\TEMP\Application Data\ThinkVantage\Client Security 0 bytes
File C:\RRbackups\hints.dat 8192 bytes
File C:\RRbackups\osfilter.txt 7563 bytes
File C:\RRbackups\regcerts.dat 8192 bytes
File C:\RRbackups\rr.log 3016 bytes
File C:\RRbackups\SAM 262144 bytes
File C:\RRbackups\system 6815744 bytes
File C:\RRbackups\system.dat 12288 bytes
File C:\RRbackups\tvt.txt 10076 bytes
File C:\RRbackups\usersids.dat 11440 bytes
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:07:33, on 24/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe
C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Documents and Settings\DAD\Application Data\SystemProc\lsass.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgre.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.com/us/en/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [iSUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [cssauthe] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" silent
O4 - HKLM\..\Run: [sKDaemon.exe] C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [TOY5KNQ8OC] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\DAD\Application Data\SystemProc\lsass.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/us/en/
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{382CDC68-6BEF-4ADC-B514-E72B86A01101}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AB7A6DB-36A0-45D6-8267-468F18D94C87}: NameServer =,
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer =,
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer =,
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

--
End of file - 10282 bytes

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:26, on 28/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ICO.EXE
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe
C:\Program Files\ThinkVantage\SystemUpdate\PipeServer.exe
C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgre.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.com/us/en/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [iSUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [cssauthe] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" silent
O4 - HKLM\..\Run: [sKDaemon.exe] C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)

--
End of file - 8117 bytes

Attachments:
mbam_log_2010_02_28__20_20_55_.txt
mbam_log_2010_02_23__23_37_51_.txt
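As an added example that is not part of the forum post, of HijackThis, or of any reply in this thread, the following Python script parses O4 (autorun) lines of the kind pasted above and reports the ones a log reviewer normally examines first: binaries launched from a user-profile or Temp directory, a binary that carries the name of a Windows system process (lsass.exe and friends) but does not live under the Windows directory, entries under the rarely used Policies\Explorer\Run key, and value names that look machine-generated. The sample lines are copied from the first HijackThis log above (24/02/2010); the directory fragments, the process-name list and the value-name pattern are my own triage heuristics, not a verdict on what is or is not malware.

```python
"""Triage HijackThis O4 (autorun) entries for signs worth a closer look.

Added example, not part of the forum post or of HijackThis itself. It does
not decide what is malware; it only surfaces autoruns that a log reviewer
normally examines first. The heuristics below are assumptions of this
example, not rules published by HijackThis or by the forum.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Entries copied from the first HijackThis log in the post above (24/02/2010),
# embedded as sample input so the script runs offline.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe",
    r"O4 - HKLM\..\Run: [EarthLink Installer] \" /C".replace("\\\"", "\""),
    r"O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [TOY5KNQ8OC] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe",
    r"O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\DAD\Application Data\SystemProc\lsass.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')",
    r"O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe",
]

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
REG_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# "O4 - Global Startup: <shortcut>.lnk = <path>"
STARTUP_RE = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# First token of the command line: a quoted path, or a bare path ending in .exe
EXE_RE = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>\S.*?\.exe))(?:\s|$)', re.IGNORECASE)

# Directory fragments (long and 8.3 forms) that mean "user-writable profile or Temp area"
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\application data\\",
                 "\\local settings\\", "\\locals~1\\", "\\temp\\")
# Process names that belong in the Windows directory; anywhere else is a classic disguise
SYSTEM_PROCESS_NAMES = {"lsass.exe", "csrss.exe", "smss.exe", "svchost.exe",
                        "winlogon.exe", "services.exe", "explorer.exe"}
WINDOWS_DIRS = ("c:\\windows\\", "c:\\winnt\\")
# All-caps letters/digits; treated as random-looking when it has a digit or no vowel
RANDOM_NAME_RE = re.compile(r"^[A-Z0-9]{6,}$")


@dataclass
class Autorun:
    key: str
    name: str
    path: Optional[str]          # None when the command line did not parse
    reasons: List[str] = field(default_factory=list)


def parse_o4(line: str) -> Optional[Autorun]:
    """Parse one O4 line; returns None for lines that are not O4 entries."""
    m = REG_RE.match(line) or STARTUP_RE.match(line)
    if not m:
        return None
    exe = EXE_RE.match(m.group("cmd"))
    path = (exe.group("quoted") or exe.group("bare")) if exe else None
    return Autorun(key=m.group("key"), name=m.group("name"), path=path)


def assess(entry: Autorun) -> Autorun:
    """Attach triage reasons to an entry; an empty list means nothing stood out."""
    if entry.path is None:
        entry.reasons.append("command line did not parse; inspect by hand")
        return entry
    p = entry.path.lower()
    basename = p.rsplit("\\", 1)[-1]
    if "\\" not in p:
        entry.reasons.append("bare filename, resolved through the search path at logon")
    if any(frag in p for frag in USER_WRITABLE):
        entry.reasons.append("runs from a user-writable profile or Temp directory")
    if basename in SYSTEM_PROCESS_NAMES and not p.startswith(WINDOWS_DIRS):
        entry.reasons.append(f"system process name {basename} outside the Windows directory")
    if entry.key.lower().endswith("policies\\explorer\\run"):
        entry.reasons.append("Policies\\Explorer\\Run key, uncommon for legitimate software")
    if RANDOM_NAME_RE.match(entry.name) and (
            any(c.isdigit() for c in entry.name) or not set("AEIOU") & set(entry.name)):
        entry.reasons.append("random-looking value name (weak signal)")
    return entry


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged autorun's value name to its list of reasons."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_o4(line.strip())
        if entry is None:
            continue
        assess(entry)
        if entry.reasons:
            findings[entry.name] = entry.reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_O4_LINES).items():
        print(f"{name}: " + "; ".join(reasons))
```

Run against the sample, the two entries that get the most reasons are the ones launched from the DAD profile (Temp\Ykb.exe and Application Data\SystemProc\lsass.exe); the AVG, QuickTime, ctfmon and Belkin entries produce nothing, and the truncated EarthLink line is reported as unparseable rather than silently skipped. The value-name check is deliberately marked as a weak signal: it is only there to draw the eye, and legitimate software occasionally uses such names.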