Posts posted by novemberwhisky
Oh, the redirects have stopped.
-
Did you still want our help?
Sorry, I have been out of the country for a week.
See the OTL log as requested.
Thanks
NW
OTL logfile created on: 12/03/2010 19:31:28 - Run 2
OTL by OldTimer - Version 3.1.33.0 Folder = C:\Documents and Settings\DAD\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
1,023.00 Mb Total Physical Memory | 487.00 Mb Available Physical Memory | 48.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.29 Gb Total Space | 38.08 Gb Free Space | 54.18% Space Free | Partition Type: NTFS
Drive D: | 14.33 Gb Total Space | 10.46 Gb Free Space | 72.98% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: DADKIDS
Current User Name: DAD
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan
========== Processes (SafeList) ==========
PRC - [2010/03/04 18:34:59 | 000,552,960 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe
PRC - [2009/12/11 18:41:15 | 000,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2009/12/11 18:41:15 | 000,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2009/12/03 03:50:39 | 001,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/12/03 03:50:38 | 000,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/12/03 03:50:31 | 000,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2009/12/03 03:50:30 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/09/24 14:41:58 | 000,434,176 | ---- | M] (Sony Ericsson Mobile Communications AB) -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
PRC - [2009/04/30 12:23:26 | 000,090,112 | ---- | M] () -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/03/01 19:50:06 | 000,626,810 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
PRC - [2006/03/01 00:05:54 | 002,364,976 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgre.exe
PRC - [2006/03/01 00:00:34 | 001,992,240 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe
PRC - [2006/02/06 22:39:36 | 000,262,144 | R--- | M] (LITE-ON TECHNOLOGY CORP.) -- C:\Program Files\Lenovo\Productivity Keyboard\Skdaemon.exe
PRC - [2006/01/11 23:08:36 | 000,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2005/12/07 09:00:00 | 000,106,496 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE
PRC - [2005/10/28 11:23:10 | 001,404,928 | ---- | M] (Belkin) -- C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
PRC - [2005/08/02 01:33:04 | 000,126,976 | ---- | M] () -- C:\Program Files\ThinkVantage\SystemUpdate\PipeServer.exe
PRC - [2005/04/13 22:34:28 | 000,049,152 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ico.exe
PRC - [2003/11/06 23:51:32 | 000,020,480 | ---- | M] () -- C:\WINDOWS\system32\FSRremoS.EXE
========== Modules (SafeList) ==========
MOD - [2010/03/04 18:34:59 | 000,552,960 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe
========== Win32 Services (SafeList) ==========
SRV - [2009/12/03 03:50:31 | 000,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2009/12/03 03:50:30 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/12/03 02:13:32 | 000,032,256 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psasrv.exe -- (PsaSrv)
SRV - [2009/04/30 12:23:26 | 000,090,112 | ---- | M] () [Auto | Running] -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe -- (OMSI download service)
SRV - [2006/03/01 19:50:06 | 000,626,810 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2005/12/22 02:34:58 | 000,077,824 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe -- (TVT Scheduler)
SRV - [2005/12/22 02:20:56 | 001,384,448 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe -- (TVT Backup Service)
SRV - [2005/08/02 01:32:40 | 000,040,960 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe -- (UCLauncherService)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://news.bbc.co.uk/ [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D6 FD 9C 1C FA 83 CA 01 [binary data]
IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
[2010/02/25 00:05:02 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
O1 HOSTS File: ([2010/02/24 23:01:36 | 000,380,253 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 13102 more lines...
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\ShellBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [cssauthe] C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [DiskeeperSystray] C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe (Diskeeper Corporation)
O4 - HKLM..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [LPManager] C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE (Lenovo Group Limited)
O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [sKDaemon.exe] C:\Program Files\Lenovo\Productivity Keyboard\Skdaemon.exe (LITE-ON TECHNOLOGY CORP.)
O4 - HKLM..\Run: [soundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe ()
O4 - HKCU..\Run: [sony Ericsson PC Suite] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe (Sony Ericsson Mobile Communications AB)
O4 - HKCU..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe (Belkin)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: &Translate English Word - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Backward Links - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Cached Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Similar Pages - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Translate Page into English - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/1.4.2/...all-142-win.cab (Java Plug-in 1.4.2)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4.2/...all-142-win.cab (Java Plug-in 1.4.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\DAD\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\DAD\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/12/03 02:34:50 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*
NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/08/09 21:12:00 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)
========== Files/Folders - Created Within 14 Days ==========
[2010/03/12 19:20:26 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/03/04 18:34:55 | 000,552,960 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe
[2010/03/04 16:32:28 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/03/03 22:06:19 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/03/03 22:04:38 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/03/03 22:04:38 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/03/03 22:04:38 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/03/03 22:04:38 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/03/03 22:04:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/03/03 22:04:29 | 000,000,000 | ---D | C] -- C:\Combo-Fix
[2010/03/03 22:04:16 | 000,000,000 | ---D | C] -- C:\Qoobox
[2009/12/04 22:54:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/12/03 03:31:59 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/12/03 03:31:59 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2004/08/09 21:33:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
========== Files - Modified Within 14 Days ==========
[2010/03/12 19:25:06 | 000,002,055 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/03/12 17:04:03 | 057,018,777 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/03/12 16:45:01 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/12 16:44:58 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/12 16:44:55 | 1073,270,784 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/12 16:43:42 | 009,175,040 | -H-- | M] () -- C:\Documents and Settings\DAD\NTUSER.DAT
[2010/03/12 16:43:42 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\DAD\ntuser.ini
[2010/03/12 16:43:35 | 007,469,944 | -H-- | M] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\IconCache.db
[2010/03/12 13:48:40 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{A277806A-F328-4CC4-9BA9-41C902613B3B}.job
[2010/03/12 12:57:31 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/04 18:34:59 | 000,552,960 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe
[2010/03/03 22:33:37 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/03 22:06:24 | 000,000,254 | RHS- | M] () -- C:\BOOT.INI
[2010/03/03 19:34:02 | 000,010,973 | ---- | M] () -- C:\Documents and Settings\DAD\My Documents\1.docx
[2010/02/27 18:29:37 | 000,018,944 | ---- | M] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/26 20:22:16 | 000,001,514 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
========== Files Created - No Company Name ==========
[2010/03/12 19:21:06 | 000,002,055 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/03/03 22:06:24 | 000,000,184 | ---- | C] () -- C:\Boot.bak
[2010/03/03 22:06:21 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/03/03 22:04:38 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/03/03 22:04:38 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/03/03 22:04:38 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/03/03 22:04:38 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/03/03 22:04:38 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/03/03 19:34:02 | 000,010,973 | ---- | C] () -- C:\Documents and Settings\DAD\My Documents\1.docx
[2010/02/26 20:22:16 | 000,001,514 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk
[2009/12/10 20:30:43 | 000,018,944 | ---- | C] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/03 21:18:10 | 000,000,204 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2009/12/03 02:33:54 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\fusioncache.dat
[2009/12/03 02:16:06 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/12/03 02:05:14 | 000,028,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys
[2009/12/03 02:03:39 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2009/12/03 02:03:39 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2009/12/03 02:03:39 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2009/12/03 02:03:39 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2009/12/03 02:03:39 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2009/12/03 02:03:39 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2009/12/03 02:03:18 | 000,000,032 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/12/03 01:58:25 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2009/12/03 01:57:38 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\FSRremoC.DLL
[2009/12/03 01:57:38 | 000,005,528 | ---- | C] () -- C:\WINDOWS\System32\Setup2k.ini
[2009/12/03 01:57:38 | 000,000,296 | ---- | C] () -- C:\WINDOWS\System32\presetup.ini
[2006/02/03 00:37:10 | 000,004,676 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/01/19 20:46:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/01/10 21:38:30 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2005/07/12 22:44:42 | 000,015,872 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD64.DLL
[2004/08/09 21:34:32 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/03/24 00:38:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD.dll
[2002/04/11 18:47:52 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\msmscoin.dll
========== LOP Check ==========
[2009/12/02 22:12:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2009/12/03 03:50:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/12/10 00:11:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2009/12/03 02:01:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lenovo
[2010/02/18 11:30:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/12/03 02:35:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ThinkVantage
[2009/12/25 09:53:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/02/24 22:24:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\AVG9
[2009/12/03 20:48:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\GetRightToGo
[2009/12/03 02:04:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\IBM
[2009/12/03 19:46:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\InterVideo
[2009/12/03 19:50:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Leadertech
[2009/12/06 19:06:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\LEGO Company
[2009/12/06 20:13:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Lenovo
[2009/12/09 16:54:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\MSNInstaller
[2009/12/12 19:33:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Sony
[2009/12/12 19:23:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Sony Setup
[2009/12/03 02:35:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\ThinkVantage
[2009/12/09 19:44:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\TrueSwitch
[2010/03/12 13:48:40 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{A277806A-F328-4CC4-9BA9-41C902613B3B}.job
========== Purity Check ==========
========== Custom Scans ==========
< %SYSTEMDRIVE%\*.exe >
< MD5 for: AGP440.SYS >
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 07:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
< MD5 for: ATAPI.SYS >
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2010/03/05 17:26:47 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 06:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
< MD5 for: EVENTLOG.DLL >
[2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 13:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
< MD5 for: NETLOGON.DLL >
[2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 18:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2009/02/06 18:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtUninstallKB975467_0$\netlogon.dll
[2004/08/04 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtUninstallKB968389_0$\netlogon.dll
< MD5 for: SCECLI.DLL >
[2004/08/04 13:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
========== Alternate Data Streams ==========
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
< End of report >
-
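The "Custom Scans" section of the OTL log above hashes every copy of a few core drivers and DLLs OTL can find: the live copy under system32, and the backups in ServicePackFiles\i386, dllcache and ERDNT\cache. Read by eye, atapi.sys stands out: the copy in system32\drivers hashes identically to the three backups but carries a 2010/03/05 17:26:47 modification time, while every backup says 2008/04/13. The following is an added example, not code from this thread or from OTL, that automates that comparison. It parses the `< MD5 for: ... >` blocks and gives each file a verdict: HASH_MISMATCH when the loaded copy's MD5 differs from the reference copies, MTIME_DIFFERS when the hash matches but the modification time does not, OK otherwise. The mtime check is there because a kernel rootkit that filters disk reads of the infected driver (the TDL3 technique TDSSKiller probes with its StartIo hook detection) hands a scanner clean bytes, so a matching hash computed from inside the running system is not by itself trustworthy. The sample input embeds lines copied from the agp440.sys and atapi.sys blocks above plus one constructed ndis.sys block with deliberately fake hashes to exercise the mismatch path; the directory names treated as "reference" are an assumption based on where OTL found copies on this XP machine.

```python
"""Triage the '< MD5 for: ... >' blocks of an OTL custom scan.

Added example, not OTL's own code.  A live copy whose hash disagrees with the
backups is an obvious flag.  A live copy whose hash matches but whose mtime
does not is also worth a look: a rootkit filtering disk reads of the infected
driver returns clean bytes while the directory entry still records the write.
Nothing here proves infection; verify flagged files from offline media.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

HEADER = re.compile(r"^< MD5 for: (?P<name>\S+) >$")
ENTRY = re.compile(
    r"^\[(?P<mtime>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| [\d,]+ \| [^|]+ \| M\] "
    r"\([^)]*\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)
# Assumed backup locations (where OTL found copies on this XP box).  Uninstall
# dirs such as $NtServicePackUninstall$ hold older builds; they sit outside
# system32, so they count as neither live nor reference.
REFERENCE_DIRS = ("\\servicepackfiles\\i386\\", "\\system32\\dllcache\\", "\\erdnt\\cache\\")


@dataclass
class Copy:
    mtime: str
    md5: str
    path: str

    @property
    def is_reference(self) -> bool:
        return any(d in self.path.lower() for d in REFERENCE_DIRS)

    @property
    def is_live(self) -> bool:  # the copy Windows actually loads
        return "\\system32\\" in self.path.lower() and not self.is_reference


def parse_md5_blocks(text: str) -> Dict[str, List[Copy]]:
    """Map lower-cased file name -> hashed copies.  .cab lines have no MD5 and are skipped."""
    blocks: Dict[str, List[Copy]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER.match(line)
        if h:
            current = h.group("name").lower()
            blocks[current] = []
            continue
        m = ENTRY.match(line) if current else None
        if m:
            blocks[current].append(Copy(m.group("mtime"), m.group("md5").upper(), m.group("path")))
    return blocks


def triage(copies: List[Copy]) -> Tuple[str, str]:
    """Return (verdict, detail); HASH_MISMATCH outranks MTIME_DIFFERS outranks OK."""
    live = [c for c in copies if c.is_live]
    refs = [c for c in copies if c.is_reference]
    if not live or not refs:
        return ("UNDECIDED", "no live copy" if not live else "no reference copies")
    ref_md5s = {r.md5 for r in refs}
    findings: List[Tuple[str, str]] = []
    for c in live:
        if c.md5 not in ref_md5s:
            findings.append(("HASH_MISMATCH", f"{c.path} md5={c.md5} refs={sorted(ref_md5s)}"))
            continue
        ref_times = {r.mtime for r in refs if r.md5 == c.md5}
        if c.mtime not in ref_times:
            findings.append(("MTIME_DIFFERS", f"{c.path} mtime={c.mtime} refs={sorted(ref_times)}"))
    if not findings:
        return ("OK", live[0].path)
    findings.sort(key=lambda f: f[0] != "HASH_MISMATCH")  # False sorts first
    return findings[0]


def triage_report(text: str) -> Dict[str, Tuple[str, str]]:
    return {name: triage(copies) for name, copies in parse_md5_blocks(text).items()}


# Lines copied from the OTL log in this thread ...
SAMPLE_FROM_LOG = r"""
< MD5 for: AGP440.SYS >
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys
[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
< MD5 for: ATAPI.SYS >
[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2010/03/05 17:26:47 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/04 06:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
"""
# ... and one constructed block with deliberately fake hashes to exercise the mismatch path.
SAMPLE_CONSTRUCTED = r"""
< MD5 for: NDIS.SYS >
[2008/04/13 19:20:00 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -- C:\WINDOWS\ServicePackFiles\i386\ndis.sys
[2010/03/05 17:26:47 | 000,182,656 | ---- | M] (Microsoft Corporation) MD5=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB -- C:\WINDOWS\system32\drivers\ndis.sys
"""

if __name__ == "__main__":
    for name, (verdict, detail) in triage_report(SAMPLE_FROM_LOG + SAMPLE_CONSTRUCTED).items():
        print(f"{verdict:14} {name:12} {detail}")
```

Run against the full log, the script flags atapi.sys on the mtime check and nothing else, which is the same file TDSSKiller later reports. An OK verdict still only means the copies agree with each other as read through a possibly hooked disk stack; the hash to trust is one taken after booting from clean media.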
Looks like a newer variant of one of the nastiest rootkits we are seeing lately. Let's see if this will help.
- Download TDSSKiller and save it to your Desktop.
- Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
- Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
- If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
- When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.
Indigenus
TDSS found a corrupt Atapi.sys file. Here is the log.
17:24:16:937 1460 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
17:24:16:937 1460 ================================================================================
17:24:16:937 1460 SystemInfo:
17:24:16:937 1460 OS Version: 5.1.2600 ServicePack: 3.0
17:24:16:937 1460 Product type: Workstation
17:24:16:937 1460 ComputerName: DADKIDS
17:24:16:937 1460 UserName: DAD
17:24:16:937 1460 Windows directory: C:\WINDOWS
17:24:16:937 1460 Processor architecture: Intel x86
17:24:16:937 1460 Number of processors: 1
17:24:16:937 1460 Page size: 0x1000
17:24:16:937 1460 Boot type: Normal boot
17:24:16:937 1460 ================================================================================
17:24:16:937 1460 UnloadDriverW: NtUnloadDriver error 2
17:24:16:937 1460 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
17:24:17:015 1460 Initialize success
17:24:17:015 1460
17:24:17:015 1460 Scanning Services ...
17:24:17:015 1460 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
17:24:17:015 1460 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:24:17:015 1460 wfopen_ex: Trying to KLMD file open
17:24:17:015 1460 wfopen_ex: File opened ok (Flags 2)
17:24:17:015 1460 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
17:24:17:031 1460 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
17:24:17:031 1460 wfopen_ex: Trying to KLMD file open
17:24:17:031 1460 wfopen_ex: File opened ok (Flags 2)
17:24:17:312 1460 GetAdvancedServicesInfo: Raw services enum returned 354 services
17:24:17:328 1460 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
17:24:17:328 1460 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
17:24:17:328 1460
17:24:17:328 1460 Scanning Kernel memory ...
17:24:17:328 1460 Devices to scan: 13
17:24:17:328 1460
17:24:17:328 1460 Driver Name: Disk
17:24:17:328 1460 IRP_MJ_CREATE : F75A2BB0
17:24:17:328 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:24:17:328 1460 IRP_MJ_CLOSE : F75A2BB0
17:24:17:328 1460 IRP_MJ_READ : F759CD1F
17:24:17:328 1460 IRP_MJ_WRITE : F759CD1F
17:24:17:328 1460 IRP_MJ_QUERY_INFORMATION : 804F355A
17:24:17:328 1460 IRP_MJ_SET_INFORMATION : 804F355A
17:24:17:328 1460 IRP_MJ_QUERY_EA : 804F355A
17:24:17:328 1460 IRP_MJ_SET_EA : 804F355A
17:24:17:328 1460 IRP_MJ_FLUSH_BUFFERS : F759D2E2
17:24:17:328 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
17:24:17:328 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
17:24:17:328 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A
17:24:17:328 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
17:24:17:328 1460 IRP_MJ_DEVICE_CONTROL : F759D3BB
17:24:17:328 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A0F28
17:24:17:328 1460 IRP_MJ_SHUTDOWN : F759D2E2
17:24:17:328 1460 IRP_MJ_LOCK_CONTROL : 804F355A
17:24:17:328 1460 IRP_MJ_CLEANUP : 804F355A
17:24:17:328 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:24:17:328 1460 IRP_MJ_QUERY_SECURITY : 804F355A
17:24:17:328 1460 IRP_MJ_SET_SECURITY : 804F355A
17:24:17:328 1460 IRP_MJ_POWER : F759EC82
17:24:17:328 1460 IRP_MJ_SYSTEM_CONTROL : F75A399E
17:24:17:328 1460 IRP_MJ_DEVICE_CHANGE : 804F355A
17:24:17:328 1460 IRP_MJ_QUERY_QUOTA : 804F355A
17:24:17:328 1460 IRP_MJ_SET_QUOTA : 804F355A
17:24:17:328 1460 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
17:24:17:328 1460 sion
17:24:17:343 1460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:24:17:343 1460
17:24:17:343 1460 Driver Name: Disk
17:24:17:343 1460 IRP_MJ_CREATE : F75A2BB0
17:24:17:343 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:24:17:343 1460 IRP_MJ_CLOSE : F75A2BB0
17:24:17:343 1460 IRP_MJ_READ : F759CD1F
17:24:17:343 1460 IRP_MJ_WRITE : F759CD1F
17:24:17:343 1460 IRP_MJ_QUERY_INFORMATION : 804F355A
17:24:17:343 1460 IRP_MJ_SET_INFORMATION : 804F355A
17:24:17:343 1460 IRP_MJ_QUERY_EA : 804F355A
17:24:17:343 1460 IRP_MJ_SET_EA : 804F355A
17:24:17:343 1460 IRP_MJ_FLUSH_BUFFERS : F759D2E2
17:24:17:343 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
17:24:17:343 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
17:24:17:343 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A
17:24:17:343 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
17:24:17:343 1460 IRP_MJ_DEVICE_CONTROL : F759D3BB
17:24:17:343 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A0F28
17:24:17:343 1460 IRP_MJ_SHUTDOWN : F759D2E2
17:24:17:343 1460 IRP_MJ_LOCK_CONTROL : 804F355A
17:24:17:343 1460 IRP_MJ_CLEANUP : 804F355A
17:24:17:343 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:24:17:343 1460 IRP_MJ_QUERY_SECURITY : 804F355A
17:24:17:343 1460 IRP_MJ_SET_SECURITY : 804F355A
17:24:17:343 1460 IRP_MJ_POWER : F759EC82
17:24:17:343 1460 IRP_MJ_SYSTEM_CONTROL : F75A399E
17:24:17:343 1460 IRP_MJ_DEVICE_CHANGE : 804F355A
17:24:17:343 1460 IRP_MJ_QUERY_QUOTA : 804F355A
17:24:17:343 1460 IRP_MJ_SET_QUOTA : 804F355A
17:24:17:343 1460 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
17:24:17:343 1460 sion
17:24:17:359 1460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:24:17:359 1460
17:24:17:359 1460 Driver Name: Disk
17:24:17:359 1460 IRP_MJ_CREATE : F75A2BB0
17:24:17:359 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:24:17:359 1460 IRP_MJ_CLOSE : F75A2BB0
17:24:17:359 1460 IRP_MJ_READ : F759CD1F
17:24:17:359 1460 IRP_MJ_WRITE : F759CD1F
17:24:17:359 1460 IRP_MJ_QUERY_INFORMATION : 804F355A
17:24:17:359 1460 IRP_MJ_SET_INFORMATION : 804F355A
17:24:17:359 1460 IRP_MJ_QUERY_EA : 804F355A
17:24:17:359 1460 IRP_MJ_SET_EA : 804F355A
17:24:17:359 1460 IRP_MJ_FLUSH_BUFFERS : F759D2E2
17:24:17:359 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
17:24:17:359 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
17:24:17:359 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A
17:24:17:359 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
17:24:17:359 1460 IRP_MJ_DEVICE_CONTROL : F759D3BB
17:24:17:359 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A0F28
17:24:17:359 1460 IRP_MJ_SHUTDOWN : F759D2E2
17:24:17:359 1460 IRP_MJ_LOCK_CONTROL : 804F355A
17:24:17:359 1460 IRP_MJ_CLEANUP : 804F355A
17:24:17:359 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:24:17:359 1460 IRP_MJ_QUERY_SECURITY : 804F355A
17:24:17:359 1460 IRP_MJ_SET_SECURITY : 804F355A
17:24:17:359 1460 IRP_MJ_POWER : F759EC82
17:24:17:359 1460 IRP_MJ_SYSTEM_CONTROL : F75A399E
17:24:17:359 1460 IRP_MJ_DEVICE_CHANGE : 804F355A
17:24:17:359 1460 IRP_MJ_QUERY_QUOTA : 804F355A
17:24:17:359 1460 IRP_MJ_SET_QUOTA : 804F355A
17:24:17:359 1460 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
17:24:17:359 1460 sion
17:24:17:359 1460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:24:17:359 1460
17:24:17:359 1460 Driver Name: Disk
17:24:17:359 1460 IRP_MJ_CREATE : F75A2BB0
17:24:17:359 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:24:17:359 1460 IRP_MJ_CLOSE : F75A2BB0
17:24:17:359 1460 IRP_MJ_READ : F759CD1F
17:24:17:359 1460 IRP_MJ_WRITE : F759CD1F
17:24:17:359 1460 IRP_MJ_QUERY_INFORMATION : 804F355A
17:24:17:359 1460 IRP_MJ_SET_INFORMATION : 804F355A
17:24:17:359 1460 IRP_MJ_QUERY_EA : 804F355A
17:24:17:359 1460 IRP_MJ_SET_EA : 804F355A
17:24:17:359 1460 IRP_MJ_FLUSH_BUFFERS : F759D2E2
17:24:17:359 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
17:24:17:359 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
17:24:17:359 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A
17:24:17:359 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
17:24:17:359 1460 IRP_MJ_DEVICE_CONTROL : F759D3BB
17:24:17:359 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A0F28
17:24:17:359 1460 IRP_MJ_SHUTDOWN : F759D2E2
17:24:17:359 1460 IRP_MJ_LOCK_CONTROL : 804F355A
17:24:17:359 1460 IRP_MJ_CLEANUP : 804F355A
17:24:17:359 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:24:17:359 1460 IRP_MJ_QUERY_SECURITY : 804F355A
17:24:17:359 1460 IRP_MJ_SET_SECURITY : 804F355A
17:24:17:359 1460 IRP_MJ_POWER : F759EC82
17:24:17:359 1460 IRP_MJ_SYSTEM_CONTROL : F75A399E
17:24:17:359 1460 IRP_MJ_DEVICE_CHANGE : 804F355A
17:24:17:359 1460 IRP_MJ_QUERY_QUOTA : 804F355A
17:24:17:359 1460 IRP_MJ_SET_QUOTA : 804F355A
17:24:17:359 1460 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
17:24:17:359 1460 sion
17:24:17:375 1460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:24:17:375 1460
17:24:17:375 1460 Driver Name: USBSTOR
17:24:17:375 1460 IRP_MJ_CREATE : F7901218
17:24:17:375 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:24:17:375 1460 IRP_MJ_CLOSE : F7901218
17:24:17:375 1460 IRP_MJ_READ : F790123C
17:24:17:375 1460 IRP_MJ_WRITE : F790123C
17:24:17:375 1460 IRP_MJ_QUERY_INFORMATION : 804F355A
17:24:17:375 1460 IRP_MJ_SET_INFORMATION : 804F355A
17:24:17:375 1460 IRP_MJ_QUERY_EA : 804F355A
17:24:17:375 1460 IRP_MJ_SET_EA : 804F355A
17:24:17:375 1460 IRP_MJ_FLUSH_BUFFERS : 804F355A
17:24:17:375 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
17:24:17:375 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
17:24:17:375 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A
17:24:17:375 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
17:24:17:375 1460 IRP_MJ_DEVICE_CONTROL : F7901180
17:24:17:375 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78FC9E6
17:24:17:375 1460 IRP_MJ_SHUTDOWN : 804F355A
17:24:17:375 1460 IRP_MJ_LOCK_CONTROL : 804F355A
17:24:17:375 1460 IRP_MJ_CLEANUP : 804F355A
17:24:17:375 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:24:17:375 1460 IRP_MJ_QUERY_SECURITY : 804F355A
17:24:17:375 1460 IRP_MJ_SET_SECURITY : 804F355A
17:24:17:375 1460 IRP_MJ_POWER : F79005F0
17:24:17:375 1460 IRP_MJ_SYSTEM_CONTROL : F78FEA6E
17:24:17:375 1460 IRP_MJ_DEVICE_CHANGE : 804F355A
17:24:17:375 1460 IRP_MJ_QUERY_QUOTA : 804F355A
17:24:17:375 1460 IRP_MJ_SET_QUOTA : 804F355A
17:24:17:375 1460 siohd: 0
17:24:17:375 1460 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
17:24:17:375 1460
17:24:17:375 1460 Driver Name: USBSTOR
17:24:17:375 1460 IRP_MJ_CREATE : F7901218
17:24:17:375 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:24:17:375 1460 IRP_MJ_CLOSE : F7901218
17:24:17:375 1460 IRP_MJ_READ : F790123C
17:24:17:375 1460 IRP_MJ_WRITE : F790123C
17:24:17:375 1460 IRP_MJ_QUERY_INFORMATION : 804F355A
17:24:17:375 1460 IRP_MJ_SET_INFORMATION : 804F355A
17:24:17:375 1460 IRP_MJ_QUERY_EA : 804F355A
17:24:17:375 1460 IRP_MJ_SET_EA : 804F355A
17:24:17:375 1460 IRP_MJ_FLUSH_BUFFERS : 804F355A
17:24:17:375 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
17:24:17:375 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
17:24:17:375 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A
17:24:17:375 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
17:24:17:375 1460 IRP_MJ_DEVICE_CONTROL : F7901180
17:24:17:375 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78FC9E6
17:24:17:375 1460 IRP_MJ_SHUTDOWN : 804F355A
17:24:17:375 1460 IRP_MJ_LOCK_CONTROL : 804F355A
17:24:17:375 1460 IRP_MJ_CLEANUP : 804F355A
17:24:17:375 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:24:17:375 1460 IRP_MJ_QUERY_SECURITY : 804F355A
17:24:17:375 1460 IRP_MJ_SET_SECURITY : 804F355A
17:24:17:375 1460 IRP_MJ_POWER : F79005F0
17:24:17:375 1460 IRP_MJ_SYSTEM_CONTROL : F78FEA6E
17:24:17:375 1460 IRP_MJ_DEVICE_CHANGE : 804F355A
17:24:17:375 1460 IRP_MJ_QUERY_QUOTA : 804F355A
17:24:17:375 1460 IRP_MJ_SET_QUOTA : 804F355A
17:24:17:375 1460 siohd: 0
17:24:17:375 1460 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
17:24:17:375 1460
17:24:17:375 1460 Driver Name: USBSTOR
17:24:17:375 1460 IRP_MJ_CREATE : F7901218
17:24:17:375 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:24:17:375 1460 IRP_MJ_CLOSE : F7901218
17:24:17:375 1460 IRP_MJ_READ : F790123C
17:24:17:375 1460 IRP_MJ_WRITE : F790123C
17:24:17:375 1460 IRP_MJ_QUERY_INFORMATION : 804F355A
17:24:17:375 1460 IRP_MJ_SET_INFORMATION : 804F355A
17:24:17:375 1460 IRP_MJ_QUERY_EA : 804F355A
17:24:17:375 1460 IRP_MJ_SET_EA : 804F355A
17:24:17:375 1460 IRP_MJ_FLUSH_BUFFERS : 804F355A
17:24:17:375 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
17:24:17:375 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
17:24:17:375 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A
17:24:17:375 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
17:24:17:375 1460 IRP_MJ_DEVICE_CONTROL : F7901180
17:24:17:375 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78FC9E6
17:24:17:375 1460 IRP_MJ_SHUTDOWN : 804F355A
17:24:17:375 1460 IRP_MJ_LOCK_CONTROL : 804F355A
17:24:17:375 1460 IRP_MJ_CLEANUP : 804F355A
17:24:17:375 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:24:17:375 1460 IRP_MJ_QUERY_SECURITY : 804F355A
17:24:17:375 1460 IRP_MJ_SET_SECURITY : 804F355A
17:24:17:375 1460 IRP_MJ_POWER : F79005F0
17:24:17:375 1460 IRP_MJ_SYSTEM_CONTROL : F78FEA6E
17:24:17:375 1460 IRP_MJ_DEVICE_CHANGE : 804F355A
17:24:17:375 1460 IRP_MJ_QUERY_QUOTA : 804F355A
17:24:17:375 1460 IRP_MJ_SET_QUOTA : 804F355A
17:24:17:375 1460 siohd: 0
17:24:17:390 1460 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
17:24:17:390 1460
17:24:17:390 1460 Driver Name: USBSTOR
17:24:17:390 1460 IRP_MJ_CREATE : F7901218
17:24:17:390 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:24:17:390 1460 IRP_MJ_CLOSE : F7901218
17:24:17:390 1460 IRP_MJ_READ : F790123C
17:24:17:390 1460 IRP_MJ_WRITE : F790123C
17:24:17:390 1460 IRP_MJ_QUERY_INFORMATION : 804F355A
17:24:17:390 1460 IRP_MJ_SET_INFORMATION : 804F355A
17:24:17:390 1460 IRP_MJ_QUERY_EA : 804F355A
17:24:17:390 1460 IRP_MJ_SET_EA : 804F355A
17:24:17:390 1460 IRP_MJ_FLUSH_BUFFERS : 804F355A
17:24:17:390 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
17:24:17:390 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
17:24:17:390 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A
17:24:17:390 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
17:24:17:390 1460 IRP_MJ_DEVICE_CONTROL : F7901180
17:24:17:390 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78FC9E6
17:24:17:390 1460 IRP_MJ_SHUTDOWN : 804F355A
17:24:17:390 1460 IRP_MJ_LOCK_CONTROL : 804F355A
17:24:17:390 1460 IRP_MJ_CLEANUP : 804F355A
17:24:17:390 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:24:17:390 1460 IRP_MJ_QUERY_SECURITY : 804F355A
17:24:17:390 1460 IRP_MJ_SET_SECURITY : 804F355A
17:24:17:390 1460 IRP_MJ_POWER : F79005F0
17:24:17:390 1460 IRP_MJ_SYSTEM_CONTROL : F78FEA6E
17:24:17:390 1460 IRP_MJ_DEVICE_CHANGE : 804F355A
17:24:17:390 1460 IRP_MJ_QUERY_QUOTA : 804F355A
17:24:17:390 1460 IRP_MJ_SET_QUOTA : 804F355A
17:24:17:390 1460 siohd: 0
17:24:17:390 1460 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
17:24:17:390 1460
17:24:17:390 1460 Driver Name: Disk
17:24:17:390 1460 IRP_MJ_CREATE : F75A2BB0
17:24:17:390 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:24:17:390 1460 IRP_MJ_CLOSE : F75A2BB0
17:24:17:390 1460 IRP_MJ_READ : F759CD1F
17:24:17:390 1460 IRP_MJ_WRITE : F759CD1F
17:24:17:390 1460 IRP_MJ_QUERY_INFORMATION : 804F355A
17:24:17:390 1460 IRP_MJ_SET_INFORMATION : 804F355A
17:24:17:390 1460 IRP_MJ_QUERY_EA : 804F355A
17:24:17:390 1460 IRP_MJ_SET_EA : 804F355A
17:24:17:390 1460 IRP_MJ_FLUSH_BUFFERS : F759D2E2
17:24:17:390 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
17:24:17:390 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
17:24:17:390 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A
17:24:17:390 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
17:24:17:390 1460 IRP_MJ_DEVICE_CONTROL : F759D3BB
17:24:17:390 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A0F28
17:24:17:390 1460 IRP_MJ_SHUTDOWN : F759D2E2
17:24:17:390 1460 IRP_MJ_LOCK_CONTROL : 804F355A
17:24:17:390 1460 IRP_MJ_CLEANUP : 804F355A
17:24:17:390 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:24:17:390 1460 IRP_MJ_QUERY_SECURITY : 804F355A
17:24:17:390 1460 IRP_MJ_SET_SECURITY : 804F355A
17:24:17:390 1460 IRP_MJ_POWER : F759EC82
17:24:17:390 1460 IRP_MJ_SYSTEM_CONTROL : F75A399E
17:24:17:390 1460 IRP_MJ_DEVICE_CHANGE : 804F355A
17:24:17:390 1460 IRP_MJ_QUERY_QUOTA : 804F355A
17:24:17:390 1460 IRP_MJ_SET_QUOTA : 804F355A
17:24:17:390 1460 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
17:24:17:390 1460 sion
17:24:17:390 1460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:24:17:390 1460
17:24:17:390 1460 Driver Name: Disk
17:24:17:390 1460 IRP_MJ_CREATE : F75A2BB0
17:24:17:390 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:24:17:390 1460 IRP_MJ_CLOSE : F75A2BB0
17:24:17:390 1460 IRP_MJ_READ : F759CD1F
17:24:17:390 1460 IRP_MJ_WRITE : F759CD1F
17:24:17:390 1460 IRP_MJ_QUERY_INFORMATION : 804F355A
17:24:17:390 1460 IRP_MJ_SET_INFORMATION : 804F355A
17:24:17:390 1460 IRP_MJ_QUERY_EA : 804F355A
17:24:17:390 1460 IRP_MJ_SET_EA : 804F355A
17:24:17:390 1460 IRP_MJ_FLUSH_BUFFERS : F759D2E2
17:24:17:390 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
17:24:17:390 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
17:24:17:390 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A
17:24:17:390 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
17:24:17:390 1460 IRP_MJ_DEVICE_CONTROL : F759D3BB
17:24:17:390 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A0F28
17:24:17:390 1460 IRP_MJ_SHUTDOWN : F759D2E2
17:24:17:390 1460 IRP_MJ_LOCK_CONTROL : 804F355A
17:24:17:390 1460 IRP_MJ_CLEANUP : 804F355A
17:24:17:390 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:24:17:390 1460 IRP_MJ_QUERY_SECURITY : 804F355A
17:24:17:390 1460 IRP_MJ_SET_SECURITY : 804F355A
17:24:17:390 1460 IRP_MJ_POWER : F759EC82
17:24:17:390 1460 IRP_MJ_SYSTEM_CONTROL : F75A399E
17:24:17:390 1460 IRP_MJ_DEVICE_CHANGE : 804F355A
17:24:17:390 1460 IRP_MJ_QUERY_QUOTA : 804F355A
17:24:17:390 1460 IRP_MJ_SET_QUOTA : 804F355A
17:24:17:390 1460 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
17:24:17:390 1460 sion
17:24:17:406 1460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:24:17:406 1460
17:24:17:406 1460 Driver Name: Disk
17:24:17:406 1460 IRP_MJ_CREATE : F75A2BB0
17:24:17:406 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:24:17:406 1460 IRP_MJ_CLOSE : F75A2BB0
17:24:17:406 1460 IRP_MJ_READ : F759CD1F
17:24:17:406 1460 IRP_MJ_WRITE : F759CD1F
17:24:17:406 1460 IRP_MJ_QUERY_INFORMATION : 804F355A
17:24:17:406 1460 IRP_MJ_SET_INFORMATION : 804F355A
17:24:17:406 1460 IRP_MJ_QUERY_EA : 804F355A
17:24:17:406 1460 IRP_MJ_SET_EA : 804F355A
17:24:17:406 1460 IRP_MJ_FLUSH_BUFFERS : F759D2E2
17:24:17:406 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
17:24:17:406 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
17:24:17:406 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A
17:24:17:406 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
17:24:17:406 1460 IRP_MJ_DEVICE_CONTROL : F759D3BB
17:24:17:406 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A0F28
17:24:17:406 1460 IRP_MJ_SHUTDOWN : F759D2E2
17:24:17:406 1460 IRP_MJ_LOCK_CONTROL : 804F355A
17:24:17:406 1460 IRP_MJ_CLEANUP : 804F355A
17:24:17:406 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A
17:24:17:406 1460 IRP_MJ_QUERY_SECURITY : 804F355A
17:24:17:406 1460 IRP_MJ_SET_SECURITY : 804F355A
17:24:17:406 1460 IRP_MJ_POWER : F759EC82
17:24:17:406 1460 IRP_MJ_SYSTEM_CONTROL : F75A399E
17:24:17:406 1460 IRP_MJ_DEVICE_CHANGE : 804F355A
17:24:17:406 1460 IRP_MJ_QUERY_QUOTA : 804F355A
17:24:17:406 1460 IRP_MJ_SET_QUOTA : 804F355A
17:24:17:406 1460 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
17:24:17:406 1460 sion
17:24:17:406 1460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:24:17:406 1460
17:24:17:406 1460 Driver Name: atapi
17:24:17:406 1460 IRP_MJ_CREATE : F73EEB3A
17:24:17:406 1460 IRP_MJ_CREATE_NAMED_PIPE : F73EEB3A
17:24:17:406 1460 IRP_MJ_CLOSE : F73EEB3A
17:24:17:406 1460 IRP_MJ_READ : F73EEB3A
17:24:17:406 1460 IRP_MJ_WRITE : F73EEB3A
17:24:17:406 1460 IRP_MJ_QUERY_INFORMATION : F73EEB3A
17:24:17:406 1460 IRP_MJ_SET_INFORMATION : F73EEB3A
17:24:17:406 1460 IRP_MJ_QUERY_EA : F73EEB3A
17:24:17:406 1460 IRP_MJ_SET_EA : F73EEB3A
17:24:17:406 1460 IRP_MJ_FLUSH_BUFFERS : F73EEB3A
17:24:17:406 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : F73EEB3A
17:24:17:406 1460 IRP_MJ_SET_VOLUME_INFORMATION : F73EEB3A
17:24:17:406 1460 IRP_MJ_DIRECTORY_CONTROL : F73EEB3A
17:24:17:406 1460 IRP_MJ_FILE_SYSTEM_CONTROL : F73EEB3A
17:24:17:406 1460 IRP_MJ_DEVICE_CONTROL : F73EEB3A
17:24:17:406 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F73EEB3A
17:24:17:406 1460 IRP_MJ_SHUTDOWN : F73EEB3A
17:24:17:406 1460 IRP_MJ_LOCK_CONTROL : F73EEB3A
17:24:17:406 1460 IRP_MJ_CLEANUP : F73EEB3A
17:24:17:406 1460 IRP_MJ_CREATE_MAILSLOT : F73EEB3A
17:24:17:406 1460 IRP_MJ_QUERY_SECURITY : F73EEB3A
17:24:17:406 1460 IRP_MJ_SET_SECURITY : F73EEB3A
17:24:17:406 1460 IRP_MJ_POWER : F73EEB3A
17:24:17:406 1460 IRP_MJ_SYSTEM_CONTROL : F73EEB3A
17:24:17:406 1460 IRP_MJ_DEVICE_CHANGE : F73EEB3A
17:24:17:406 1460 IRP_MJ_QUERY_QUOTA : F73EEB3A
17:24:17:406 1460 IRP_MJ_SET_QUOTA : F73EEB3A
17:24:17:406 1460 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
17:24:17:406 1460 TDL3_IrpHookDetect: New IrpHandler addr: 86F0B8C8
17:24:17:406 1460 ihd: 10, FFDF0308, 510, 134, 3, 120, 0
17:24:17:406 1460 Driver "atapi" Irp handler infected by TDSS rootkit ... 17:24:17:406 1460 cured
17:24:17:406 1460 siohd: 0
17:24:17:437 1460 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
17:24:17:437 1460 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 17:24:17:437 1460 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
17:24:17:437 1460 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
17:24:17:671 1460 vfvi6
17:24:17:843 1460 !dsvbh1
17:24:19:500 1460 dsvbh2
17:24:19:515 1460 fdfb2
17:24:19:515 1460 Backup copy found, using it..
17:24:19:562 1460 will be cured on next reboot
17:24:19:562 1460
17:24:19:562 1460 Driver Name: atapi
17:24:19:562 1460 IRP_MJ_CREATE : F73EEB3A
17:24:19:562 1460 IRP_MJ_CREATE_NAMED_PIPE : F73EEB3A
17:24:19:562 1460 IRP_MJ_CLOSE : F73EEB3A
17:24:19:562 1460 IRP_MJ_READ : F73EEB3A
17:24:19:562 1460 IRP_MJ_WRITE : F73EEB3A
17:24:19:562 1460 IRP_MJ_QUERY_INFORMATION : F73EEB3A
17:24:19:562 1460 IRP_MJ_SET_INFORMATION : F73EEB3A
17:24:19:562 1460 IRP_MJ_QUERY_EA : F73EEB3A
17:24:19:562 1460 IRP_MJ_SET_EA : F73EEB3A
17:24:19:562 1460 IRP_MJ_FLUSH_BUFFERS : F73EEB3A
17:24:19:562 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : F73EEB3A
17:24:19:562 1460 IRP_MJ_SET_VOLUME_INFORMATION : F73EEB3A
17:24:19:562 1460 IRP_MJ_DIRECTORY_CONTROL : F73EEB3A
17:24:19:562 1460 IRP_MJ_FILE_SYSTEM_CONTROL : F73EEB3A
17:24:19:562 1460 IRP_MJ_DEVICE_CONTROL : F73EEB3A
17:24:19:562 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F73EEB3A
17:24:19:562 1460 IRP_MJ_SHUTDOWN : F73EEB3A
17:24:19:562 1460 IRP_MJ_LOCK_CONTROL : F73EEB3A
17:24:19:562 1460 IRP_MJ_CLEANUP : F73EEB3A
17:24:19:562 1460 IRP_MJ_CREATE_MAILSLOT : F73EEB3A
17:24:19:562 1460 IRP_MJ_QUERY_SECURITY : F73EEB3A
17:24:19:562 1460 IRP_MJ_SET_SECURITY : F73EEB3A
17:24:19:562 1460 IRP_MJ_POWER : F73EEB3A
17:24:19:562 1460 IRP_MJ_SYSTEM_CONTROL : F73EEB3A
17:24:19:562 1460 IRP_MJ_DEVICE_CHANGE : F73EEB3A
17:24:19:562 1460 IRP_MJ_QUERY_QUOTA : F73EEB3A
17:24:19:562 1460 IRP_MJ_SET_QUOTA : F73EEB3A
17:24:19:562 1460 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
17:24:19:562 1460 TDL3_IrpHookDetect: New IrpHandler addr: 86F0B8C8
17:24:19:562 1460 ihd1
17:24:19:562 1460 siohd: 0
17:24:19:578 1460 C:\WINDOWS\system32\drivers\tskC.tmp - Verdict: Clean
17:24:19:578 1460 Reboot required for cure complete..
17:24:19:578 1460 Cure on reboot scheduled successfully
17:24:19:578 1460
17:24:19:578 1460 Completed
17:24:19:578 1460
17:24:19:578 1460 Results:
17:24:19:578 1460 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
17:24:19:578 1460 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:24:19:578 1460 File objects infected / cured / cured on reboot: 1 / 0 / 1
17:24:19:578 1460
17:24:19:578 1460 UnloadDriverW: NtUnloadDriver error 1
17:24:19:578 1460 KLMD_Unload: UnloadDriverW(klmd21) error 1
17:24:19:578 1460 KLMD(ARK) unloaded successfully
I can't thank you enough. Will this be the end of it?
Novemberwhisky
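The log above is the useful part of this thread for anyone who has to read a TDSSKiller run: every driver block is its IRP dispatch table, and the one hooked by TDL3 (atapi) is the only block where all 28 IRP_MJ entries point at a single address, including majors such as IRP_MJ_CREATE_NAMED_PIPE and IRP_MJ_QUERY_QUOTA that no storage driver services, after which the tool resolves the stub to a pool address (86F0B8C8) outside the driver. The following is an added example, not part of this post and not TDSSKiller's own code: it parses the per-driver blocks from such a log and applies those two checks. The constant 804F355A is taken from the log as the address of every unimplemented major; that it is the kernel's invalid-request stub on this XP build is an assumption stated in the code. The embedded log excerpt is constructed from the tables above, shortened to a few majors per driver.

```python
import re

# Address every unimplemented major function shares in the posted log; on
# this XP SP3 kernel that is assumed to be the ntoskrnl "invalid device
# request" stub (TDSSKiller does not print it by name).
DEFAULT_HANDLER = "804F355A"

# Major functions a storage port driver has no reason to service itself.
# A non-default address here means the whole table was overwritten.
NEVER_SERVICED = {"IRP_MJ_CREATE_NAMED_PIPE", "IRP_MJ_CREATE_MAILSLOT",
                  "IRP_MJ_QUERY_QUOTA", "IRP_MJ_SET_QUOTA"}

_PREFIX = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s?")      # "17:24:17:406 1460 "
_IRP = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")
_HOOK = re.compile(r"New IrpHandler addr:\s*([0-9A-Fa-f]{8})")
_VERDICT = re.compile(r"^(.+) - Verdict: (\w+)$")

# Constructed excerpt modelled on the log above (tables shortened).
SAMPLE_LOG = """\
17:24:17:375 1460 Driver Name: USBSTOR
17:24:17:375 1460 IRP_MJ_CREATE : F7901218
17:24:17:375 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:24:17:375 1460 IRP_MJ_CLOSE : F7901218
17:24:17:375 1460 IRP_MJ_READ : F790123C
17:24:17:375 1460 IRP_MJ_QUERY_QUOTA : 804F355A
17:24:17:375 1460 siohd: 0
17:24:17:375 1460 C:\\WINDOWS\\system32\\DRIVERS\\USBSTOR.SYS - Verdict: Clean
17:24:17:375 1460
17:24:17:406 1460 Driver Name: atapi
17:24:17:406 1460 IRP_MJ_CREATE : F73EEB3A
17:24:17:406 1460 IRP_MJ_CREATE_NAMED_PIPE : F73EEB3A
17:24:17:406 1460 IRP_MJ_CLOSE : F73EEB3A
17:24:17:406 1460 IRP_MJ_READ : F73EEB3A
17:24:17:406 1460 IRP_MJ_QUERY_QUOTA : F73EEB3A
17:24:17:406 1460 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
17:24:17:406 1460 TDL3_IrpHookDetect: New IrpHandler addr: 86F0B8C8
17:24:17:437 1460 C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: Infected
"""


def parse_dispatch_tables(text):
    """One dict per 'Driver Name:' block: handlers, hook target, file, verdict."""
    records, cur = [], None
    for raw in text.splitlines():
        msg = _PREFIX.sub("", raw).strip()
        if msg.startswith("Driver Name: "):
            cur = {"driver": msg[len("Driver Name: "):], "handlers": {},
                   "hook_target": None, "file": None, "verdict": None}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = _IRP.match(msg)
        if m:
            cur["handlers"][m.group(1)] = m.group(2).upper()
            continue
        m = _HOOK.search(msg)
        if m:
            cur["hook_target"] = m.group(1).upper()
            continue
        m = _VERDICT.match(msg)
        if m:
            cur["file"], cur["verdict"] = m.group(1), m.group(2)
            cur = None          # the verdict line closes the block
    return records


def hook_indicators(rec):
    """Reasons to treat a driver's dispatch table as hooked (empty = none)."""
    reasons = []
    handlers = rec["handlers"]
    distinct = set(handlers.values())
    if len(handlers) >= 2 and len(distinct) == 1 and DEFAULT_HANDLER not in distinct:
        reasons.append("all %d IRP_MJ entries point at %s"
                       % (len(handlers), next(iter(distinct))))
    odd = sorted(n for n in NEVER_SERVICED
                 if handlers.get(n, DEFAULT_HANDLER) != DEFAULT_HANDLER)
    if odd:
        reasons.append("real handler for never-serviced majors: " + ", ".join(odd))
    if rec["hook_target"]:
        reasons.append("tool resolved the stub to %s" % rec["hook_target"])
    return reasons


def triage(text):
    """List of (driver, indicators) in log order; a driver may appear more
    than once, as Disk does above (one block per device object)."""
    return [(r["driver"], hook_indicators(r)) for r in parse_dispatch_tables(text)]


if __name__ == "__main__":
    for name, why in triage(SAMPLE_LOG):
        print(name, "->", "; ".join(why) or "no indicators")
```

The single-address check is a heuristic over the tool's log, not over live memory: a port driver can legitimately route several majors through one dispatch routine, which is why TDSSKiller only reports an infection after it also finds the TDL3 stub signature and resolves the real handler. Treat the first two indicators as a reason to look, and the third as the tool's confirmation.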
- Download TDSSKiller and save it to your Desktop.
-
How is it running at this point? I would like to get another scan run here.
Run OTL
- Download OTL to your desktop.
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
/md5stop
CREATERESTOREPOINT
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
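The /md5start block above asks OTL to hash the storage and chipset drivers that TDL3 patches (the TDSSKiller log in this thread shows it in atapi.sys), so the helper can compare the hashes with known-good values. As an added example, not part of this thread and not OTL's own code, the script below does that comparison offline: it hashes each driver from the same list in a live drivers directory and checks it against a pristine copy in a reference directory. Which reference to use is the reader's choice; on XP a typical one is the %SystemRoot%\ServicePackFiles\i386 copy, which is the kind of backup TDSSKiller reports using ("Backup copy found, using it.."). The directory paths and the demo() fixture (temporary directories with constructed file contents) are assumptions of the example.

```python
import hashlib
import os
import tempfile

# The driver names from the OTL /md5start list in the post above.
DRIVER_LIST = [
    "iaStor.sys", "nvstor.sys", "atapi.sys", "IdeChnDr.sys", "viasraid.sys",
    "AGP440.sys", "vaxscsi.sys", "nvatabus.sys", "viamraid.sys", "nvata.sys",
    "nvgts.sys", "iastorv.sys", "ViPrt.sys", "ahcix86.sys", "KR10N.sys",
]


def md5_of(path):
    """MD5 of a file, streamed so a large driver is not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_drivers(live_dir, reference_dir, names=DRIVER_LIST):
    """Hash each named driver in live_dir and compare it with the same name in
    reference_dir.  Returns {name: (status, live_md5 or None)} with status one
    of 'match', 'MISMATCH', 'absent' (not installed) or 'no-reference'."""
    results = {}
    for name in names:
        live = os.path.join(live_dir, name)
        ref = os.path.join(reference_dir, name)
        if not os.path.isfile(live):
            results[name] = ("absent", None)        # chipset driver not installed
            continue
        live_md5 = md5_of(live)
        if not os.path.isfile(ref):
            results[name] = ("no-reference", live_md5)
            continue
        status = "match" if live_md5 == md5_of(ref) else "MISMATCH"
        results[name] = (status, live_md5)
    return results


def demo():
    """Constructed fixture (assumption, not real driver images): a 'live'
    directory whose atapi.sys differs from the reference copy, an nvstor.sys
    that matches, a KR10N.sys with no reference, and an absent iaStor.sys."""
    live = tempfile.mkdtemp(prefix="live_")
    ref = tempfile.mkdtemp(prefix="ref_")
    for d, atapi in ((live, b"MZ...code...patched"), (ref, b"MZ...code...")):
        with open(os.path.join(d, "atapi.sys"), "wb") as f:
            f.write(atapi)
        with open(os.path.join(d, "nvstor.sys"), "wb") as f:
            f.write(b"MZ...nvstor...")
    with open(os.path.join(live, "KR10N.sys"), "wb") as f:
        f.write(b"MZ...kr10n...")
    names = ["atapi.sys", "nvstor.sys", "KR10N.sys", "iaStor.sys"]
    return {n: s for n, (s, _) in compare_drivers(live, ref, names).items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print("%-12s %s" % (name, status))
```

Two caveats a practitioner would apply. First, a live TDL3 hook sits in the disk I/O path, so a hash taken on the infected system can be served a clean image; TDSSKiller goes around that with its own driver ("Trying to KLMD file open" in the log), and a plain script should hash after the scheduled reboot cure or from clean boot media. Second, MD5 is adequate here only because the comparison is against a locally trusted copy, not a hash list an attacker could try to collide with.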
IndiGenus,
OTL scans as requested below. My browser is still diverting me to unwanted web pages. I came home from work and the PC was on already (my kids had turned it on by accident), so I had to restart it to enable the wireless connection, which involved a hard shutdown (which has been happening on and off for several weeks now).
Thanks
novemberwhisky
OTL logfile created on: 04/03/2010 18:39:53 - Run 1
OTL by OldTimer - Version 3.1.33.0 Folder = C:\Documents and Settings\DAD\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
1,023.00 Mb Total Physical Memory | 426.00 Mb Available Physical Memory | 42.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.29 Gb Total Space | 38.94 Gb Free Space | 55.39% Space Free | Partition Type: NTFS
Drive D: | 14.33 Gb Total Space | 10.50 Gb Free Space | 73.26% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: DADKIDS
Current User Name: DAD
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan
========== Processes (SafeList) ==========
PRC - [2010/03/04 18:34:59 | 000,552,960 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe
PRC - [2009/12/11 18:41:15 | 000,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2009/12/11 18:41:15 | 000,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2009/12/03 03:50:39 | 001,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/12/03 03:50:38 | 000,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/12/03 03:50:31 | 000,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2009/12/03 03:50:30 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/04/30 12:23:26 | 000,090,112 | ---- | M] () -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/03/01 19:50:06 | 000,626,810 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
PRC - [2006/03/01 00:05:54 | 002,364,976 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgre.exe
PRC - [2006/03/01 00:00:34 | 001,992,240 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe
PRC - [2006/02/06 22:39:36 | 000,262,144 | R--- | M] (LITE-ON TECHNOLOGY CORP.) -- C:\Program Files\Lenovo\Productivity Keyboard\Skdaemon.exe
PRC - [2006/01/11 23:08:36 | 000,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2005/12/07 09:00:00 | 000,106,496 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE
PRC - [2005/10/28 11:23:10 | 001,404,928 | ---- | M] (Belkin) -- C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
PRC - [2005/08/02 01:33:04 | 000,126,976 | ---- | M] () -- C:\Program Files\ThinkVantage\SystemUpdate\PipeServer.exe
PRC - [2005/04/13 22:34:28 | 000,049,152 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ico.exe
PRC - [2003/11/06 23:51:32 | 000,020,480 | ---- | M] () -- C:\WINDOWS\system32\FSRremoS.EXE
========== Modules (SafeList) ==========
MOD - [2010/03/04 18:34:59 | 000,552,960 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe
========== Win32 Services (SafeList) ==========
SRV - [2009/12/03 03:50:31 | 000,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2009/12/03 03:50:30 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/12/03 02:13:32 | 000,032,256 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psasrv.exe -- (PsaSrv)
SRV - [2009/04/30 12:23:26 | 000,090,112 | ---- | M] () [Auto | Running] -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe -- (OMSI download service)
SRV - [2006/03/01 19:50:06 | 000,626,810 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)
SRV - [2005/12/22 02:34:58 | 000,077,824 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe -- (TVT Scheduler)
SRV - [2005/12/22 02:20:56 | 001,384,448 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe -- (TVT Backup Service)
SRV - [2005/08/02 01:32:40 | 000,040,960 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe -- (UCLauncherService)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D6 FD 9C 1C FA 83 CA 01 [binary data]
IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
[2010/02/25 00:05:02 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
O1 HOSTS File: ([2010/02/24 23:01:36 | 000,380,253 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 13102 more lines...
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKCU\..\Toolbar\ShellBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [cssauthe] C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe (Lenovo Group Limited)
O4 - HKLM..\Run: [DiskeeperSystray] C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe (Diskeeper Corporation)
O4 - HKLM..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [LPManager] C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE (Lenovo Group Limited)
O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [sKDaemon.exe] C:\Program Files\Lenovo\Productivity Keyboard\Skdaemon.exe (LITE-ON TECHNOLOGY CORP.)
O4 - HKLM..\Run: [soundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe ()
O4 - HKCU..\Run: [sony Ericsson PC Suite] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe (Sony Ericsson Mobile Communications AB)
O4 - HKCU..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe (Belkin)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: &Translate English Word - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Backward Links - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Cached Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Similar Pages - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O8 - Extra context menu item: Translate Page into English - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/1.4.2/...all-142-win.cab (Java Plug-in 1.4.2)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4.2/...all-142-win.cab (Java Plug-in 1.4.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O24 - Desktop WallPaper: C:\Documents and Settings\DAD\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\DAD\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/12/03 02:34:50 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*
NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/08/09 21:12:00 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891891626803200)
========== Files/Folders - Created Within 14 Days ==========
[2010/03/04 18:34:55 | 000,552,960 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe
[2010/03/04 16:32:28 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/03/03 22:06:19 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/03/03 22:04:38 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/03/03 22:04:38 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/03/03 22:04:38 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/03/03 22:04:38 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/03/03 22:04:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/03/03 22:04:29 | 000,000,000 | ---D | C] -- C:\Combo-Fix
[2010/03/03 22:04:16 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/02/25 23:39:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/02/24 23:16:18 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/02/24 23:16:16 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/02/24 23:16:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/02/24 22:25:41 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/02/24 22:25:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/02/24 22:24:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\DAD\Application Data\AVG9
[2010/02/24 20:56:41 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/02/24 01:13:10 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/02/23 23:37:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft
[2010/02/23 21:39:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\DAD\Application Data\Malwarebytes
[2010/02/23 21:38:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/02/22 22:52:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\DAD\Local Settings\Application Data\Help
[2010/02/22 22:52:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\DAD\Application Data\Help
[2009/12/04 22:54:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/12/03 03:31:59 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/12/03 03:31:59 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2004/08/09 21:33:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
========== Files - Modified Within 14 Days ==========
[2010/03/04 18:35:21 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{A277806A-F328-4CC4-9BA9-41C902613B3B}.job
[2010/03/04 18:34:59 | 000,552,960 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe
[2010/03/04 18:30:36 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/04 18:30:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/04 18:30:30 | 1073,270,784 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/04 18:24:23 | 009,175,040 | -H-- | M] () -- C:\Documents and Settings\DAD\NTUSER.DAT
[2010/03/04 18:24:23 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\DAD\ntuser.ini
[2010/03/04 18:24:18 | 007,464,274 | -H-- | M] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\IconCache.db
[2010/03/03 23:11:36 | 056,626,860 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2010/03/03 22:33:37 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/03 22:06:24 | 000,000,254 | RHS- | M] () -- C:\BOOT.INI
[2010/03/03 21:46:57 | 004,118,254 | R--- | M] () -- C:\Documents and Settings\DAD\Desktop\Combo-Fix.exe
[2010/03/03 19:34:02 | 000,010,973 | ---- | M] () -- C:\Documents and Settings\DAD\My Documents\1.docx
[2010/02/27 18:29:37 | 000,018,944 | ---- | M] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/26 20:22:16 | 000,001,514 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk
[2010/02/25 22:16:07 | 000,462,454 | ---- | M] () -- C:\Documents and Settings\DAD\Desktop\over confident.bmp
[2010/02/25 21:59:08 | 000,038,118 | ---- | M] () -- C:\Documents and Settings\DAD\Desktop\the hostile world awaits.jpg
[2010/02/25 21:11:54 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/24 23:16:20 | 000,000,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/24 23:01:36 | 000,380,253 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/02/24 22:25:48 | 000,000,944 | ---- | M] () -- C:\Documents and Settings\DAD\Desktop\Spybot - Search & Destroy.lnk
[2010/02/24 20:56:42 | 000,001,745 | ---- | M] () -- C:\Documents and Settings\DAD\Desktop\HijackThis.lnk
[2010/02/19 17:23:51 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
========== Files Created - No Company Name ==========
[2010/03/03 22:06:24 | 000,000,184 | ---- | C] () -- C:\Boot.bak
[2010/03/03 22:06:21 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/03/03 22:04:38 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/03/03 22:04:38 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/03/03 22:04:38 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/03/03 22:04:38 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/03/03 22:04:38 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/03/03 21:46:51 | 004,118,254 | R--- | C] () -- C:\Documents and Settings\DAD\Desktop\Combo-Fix.exe
[2010/03/03 19:34:02 | 000,010,973 | ---- | C] () -- C:\Documents and Settings\DAD\My Documents\1.docx
[2010/02/26 20:22:16 | 000,001,514 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk
[2010/02/25 22:16:07 | 000,462,454 | ---- | C] () -- C:\Documents and Settings\DAD\Desktop\over confident.bmp
[2010/02/25 22:08:34 | 000,038,118 | ---- | C] () -- C:\Documents and Settings\DAD\Desktop\the hostile world awaits.jpg
[2010/02/24 23:16:20 | 000,000,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/02/24 22:25:48 | 000,000,944 | ---- | C] () -- C:\Documents and Settings\DAD\Desktop\Spybot - Search & Destroy.lnk
[2010/02/24 20:56:42 | 000,001,745 | ---- | C] () -- C:\Documents and Settings\DAD\Desktop\HijackThis.lnk
[2009/12/10 20:30:43 | 000,018,944 | ---- | C] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/03 21:18:10 | 000,000,204 | ---- | C] () -- C:\WINDOWS\RtlRack.ini
[2009/12/03 02:33:54 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\fusioncache.dat
[2009/12/03 02:16:06 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2009/12/03 02:05:14 | 000,028,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys
[2009/12/03 02:03:39 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2009/12/03 02:03:39 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2009/12/03 02:03:39 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2009/12/03 02:03:39 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2009/12/03 02:03:39 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2009/12/03 02:03:39 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2009/12/03 02:03:18 | 000,000,032 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/12/03 01:58:25 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2009/12/03 01:57:38 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\FSRremoC.DLL
[2009/12/03 01:57:38 | 000,005,528 | ---- | C] () -- C:\WINDOWS\System32\Setup2k.ini
[2009/12/03 01:57:38 | 000,000,296 | ---- | C] () -- C:\WINDOWS\System32\presetup.ini
[2006/02/03 00:37:10 | 000,004,676 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/01/19 20:46:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2006/01/10 21:38:30 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll
[2005/07/12 22:44:42 | 000,015,872 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD64.DLL
[2004/08/09 21:34:32 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/03/24 00:38:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD.dll
[2002/04/11 18:47:52 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\msmscoin.dll
========== LOP Check ==========
[2009/12/02 22:12:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
[2009/12/03 03:50:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/12/10 00:11:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2009/12/03 02:01:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lenovo
[2010/02/18 11:30:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/12/03 02:35:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ThinkVantage
[2009/12/25 09:53:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/02/24 22:24:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\AVG9
[2009/12/03 20:48:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\GetRightToGo
[2009/12/03 02:04:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\IBM
[2009/12/03 19:46:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\InterVideo
[2009/12/03 19:50:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Leadertech
[2009/12/06 19:06:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\LEGO Company
[2009/12/06 20:13:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Lenovo
[2009/12/09 16:54:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\MSNInstaller
[2009/12/12 19:33:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Sony
[2009/12/12 19:23:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Sony Setup
[2009/12/03 02:35:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\ThinkVantage
[2009/12/09 19:44:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\TrueSwitch
[2010/03/04 18:35:21 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{A277806A-F328-4CC4-9BA9-41C902613B3B}.job
========== Purity Check ==========
========== Custom Scans ==========
< %SYSTEMDRIVE%\*.exe >
< MD5 for: AGP440.SYS >
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/04 07:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
< MD5 for: ATAPI.SYS >
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys
[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2004/08/04 06:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys
< MD5 for: EVENTLOG.DLL >
[2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 13:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
< MD5 for: NETLOGON.DLL >
[2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2009/02/06 18:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2009/02/06 18:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtUninstallKB975467_0$\netlogon.dll
[2004/08/04 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtUninstallKB968389_0$\netlogon.dll
< MD5 for: SCECLI.DLL >
[2004/08/04 13:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll
========== Alternate Data Streams ==========
@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1
< End of report >
OTL Extras logfile created on: 04/03/2010 18:39:53 - Run 1
OTL by OldTimer - Version 3.1.33.0 Folder = C:\Documents and Settings\DAD\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
1,023.00 Mb Total Physical Memory | 426.00 Mb Available Physical Memory | 42.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 70.29 Gb Total Space | 38.94 Gb Free Space | 55.39% Space Free | Partition Type: NTFS
Drive D: | 14.33 Gb Total Space | 10.50 Gb Free Space | 73.26% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: DADKIDS
Current User Name: DAD
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\ThinkVantage\SystemUpdate\jre\bin\javaw.exe" = C:\Program Files\ThinkVantage\SystemUpdate\jre\bin\javaw.exe:*:Enabled:ThinkVantage System Update -- (IBM)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\ThinkVantage\SystemUpdate\jre\bin\javaw.exe" = C:\Program Files\ThinkVantage\SystemUpdate\jre\bin\javaw.exe:*:Enabled:ThinkVantage System Update -- (IBM)
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\Sony Ericsson\Update Service\Update Service.exe" = C:\Program Files\Sony Ericsson\Update Service\Update Service.exe:*:Enabled:Update Service -- ()
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"D:\Program Files\iTunes\iTunes.exe" = D:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware -- (Malwarebytes Corporation)
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}" = PlayStation®Store
"{1007F41F-7D69-468E-8017-3849A5A973C2}" = ThinkVantage Technologies Welcome Message
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{1A07F627-0F8F-43EE-B667-38908DF85911}" = Rescue and Recovery
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FD0C5C1-B01B-4B4C-9607-E5D3B3D1318F}" = Microsoft IntelliPoint 4.1
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2A43FF29-0D97-4445-B82D-9324F176AED5}" = ThinkVantage System Update
"{2C7A0299-5A88-41D2-B687-512DA6892058}" = USB Enhanced Performance Keyboard Software
"{2FFE93F0-BB72-4E52-8761-354D1AAA9387}" = Sony Ericsson PC Suite
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{6280149E-EFF3-4F1B-BD43-5B7EDD6F620A}" = Lenovo Care Supplement
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{6E7DD182-9FC6-4651-0095-2E666CC6AF35}" = The Sims 2
"{7B3577F5-1D82-4C9B-008B-69D026FD8BCA}" = The Sims 2 Open For Business
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8E726115-FCBE-43B1-9FB7-06E8E25F9ABE}" = Diskeeper Lite
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{986F64DC-FF15-449D-998F-EE3BCEC6666A}" = Help Center
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A6359CCF-215D-43D9-8366-479D231F2A72}" = Belkin Wireless USB Utility
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B6659DD8-00A7-4A24-BBFB-C1F6982E5D66}" = PlayStation®Network Downloader
"{BEAD39CD-901D-4267-8B8B-EAA83CB4B70D}" = Pivot Stickfigure Animator
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C54ED2B6-1AF2-416F-BBA8-5E2B8CDCB5C4}" = XP Themes
"{C6FA39A7-26B1-480A-BC74-6D17531AC222}" = Access Help
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF52099A-3BEA-4C41-AEA8-1E190F04D737}" = Lenovo Care
"{DB71210F-8314-4AE3-B7A7-EBAF85BD30E9}" = Wallpapers
"{E7E836B8-4BDD-454F-82E6-5FEA17C83AD4}" = Message Center
"{E922961C-6DB6-41DE-9FEA-426DF3E9F81C}" = IBM 32-bit Runtime Environment for Java 2, v1.4.2
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}" = Windows Media Connect
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"{FBE5AA96-22F0-4C4A-8E92-4BE3498D4CCB}" = Media Go
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"AVG9Uninstall" = AVG Free 9.0
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Digital Media LE Uninstall" = Roxio Digital Media LE
"HijackThis" = HijackThis 2.0.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"ie8" = Windows Internet Explorer 8
"InstallShield_{A6359CCF-215D-43D9-8366-479D231F2A72}" = Belkin Wireless USB Utility
"InstallShield_{E922961C-6DB6-41DE-9FEA-426DF3E9F81C}" = IBM 32-bit Runtime Environment for Java 2, v1.4.2
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MouseSuite98" = Mouse Suite
"MSNINST" = MSN
"PC-Doctor 5 for Windows" = PC-Doctor 5 for Windows
"RollerCoaster Tycoon Setup" = Roll
"Update Service" = Update Service
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast Ethernet Adapter
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Windows Media Connect" = Windows Media Connect
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
========== Last 10 Event Log Errors ==========
[ System Events ]
Error - 23/02/2010 15:29:46 | Computer Name = DADKIDS | Source = Service Control Manager | ID = 7024
Description = The Messenger service terminated with service-specific error 2270
(0x8DE).
Error - 24/02/2010 13:54:49 | Computer Name = DADKIDS | Source = Server | ID = 2505
Description = The server could not bind to the transport \Device\NwlnkNb because
another computer on the network has the same name. The server could not start.
Error - 24/02/2010 13:54:49 | Computer Name = DADKIDS | Source = Server | ID = 2505
Description = The server could not bind to the transport \Device\NwlnkIpx because
another computer on the network has the same name. The server could not start.
Error - 25/02/2010 13:45:26 | Computer Name = DADKIDS | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.
Error - 25/02/2010 18:24:24 | Computer Name = DADKIDS | Source = Service Control Manager | ID = 7034
Description = The Application Layer Gateway Service service terminated unexpectedly.
It has done this 1 time(s).
Error - 25/02/2010 19:42:49 | Computer Name = DADKIDS | Source = Service Control Manager | ID = 7034
Description = The TVT Scheduler service terminated unexpectedly. It has done this
1 time(s).
Error - 28/02/2010 11:48:39 | Computer Name = DADKIDS | Source = Service Control Manager | ID = 7024
Description = The Messenger service terminated with service-specific error 2137
(0x859).
Error - 01/03/2010 06:33:47 | Computer Name = DADKIDS | Source = Service Control Manager | ID = 7024
Description = The Messenger service terminated with service-specific error 2270
(0x8DE).
Error - 03/03/2010 18:08:16 | Computer Name = DADKIDS | Source = Service Control Manager | ID = 7034
Description = The Sony Ericsson OMSI download service service terminated unexpectedly.
It has done this 1 time(s).
Error - 03/03/2010 18:26:51 | Computer Name = DADKIDS | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.
< End of report >
- Download OTL to your desktop.
-
Hello and welcome to the Malware removal forums.
Please read through the instructions to familiarize yourself with what to expect when the tool runs.
It is vitally important that ComboFix is renamed before it even starts to download.
Please download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
- If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".
- During the download, rename Combofix to Combo-Fix as follows:
- It is important you rename Combofix during the download, but not after.
- Please do not rename Combofix to other names, but only to the one indicated.
- Close any open browsers.
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
- Double click on ComboFix.exe & follow the prompts. Close all other windows/browsers first.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do Not run combofix more than once. If you have problems please post back for further instructions.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Please post back with the combofix log.
Hi IndiGenus,
Here is the log you asked for.
Thanks
Novemberwhisky
ComboFix 10-03-03.03 - DAD 03/03/2010 22:27:09.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.737 [GMT 0:00]
Running from: c:\documents and settings\DAD\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\hpe78.dll
c:\windows\EventSystem.log
.
((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))
.
2010-02-26 17:45 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-25 23:39 . 2010-02-25 23:39 -------- d-----w- c:\windows\system32\NtmsData
2010-02-24 23:16 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-24 23:16 . 2010-02-24 23:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-24 23:16 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-24 22:25 . 2010-02-24 22:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-24 22:25 . 2010-02-24 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-24 22:24 . 2010-02-24 22:24 -------- d-----w- c:\documents and settings\DAD\Application Data\AVG9
2010-02-24 20:56 . 2010-02-24 20:56 -------- d-----w- c:\program files\Trend Micro
2010-02-23 21:39 . 2010-02-23 21:39 -------- d-----w- c:\documents and settings\DAD\Application Data\Malwarebytes
2010-02-23 21:38 . 2010-02-23 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-22 22:52 . 2010-02-22 22:52 -------- d-----w- c:\documents and settings\DAD\Local Settings\Application Data\Help
2010-02-18 10:49 . 2010-02-18 11:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-10 21:06 . 2009-11-27 17:11 17920 ------w- c:\windows\system32\dllcache\msyuv.dll
2010-02-05 20:43 . 2010-02-25 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-02-05 20:43 . 2010-02-05 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-02-05 17:41 . 2010-02-17 21:54 -------- d-----w- c:\windows\system32\Adobe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-25 17:49 . 2009-12-03 02:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-21 15:55 . 2009-12-03 02:14 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2010-02-05 20:43 . 2009-12-03 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-23 19:39 . 2010-01-23 19:39 -------- d-----w- c:\documents and settings\KIDS\Application Data\Apple Computer
2010-01-12 13:03 . 2009-12-03 20:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-31 16:50 . 1980-01-01 08:00 353792 ------w- c:\windows\system32\drivers\srv.sys
2009-12-26 15:51 . 2009-12-12 14:43 24816 ------w- c:\documents and settings\KIDS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-25 13:10 . 2009-12-25 13:10 26260 ---h--w- c:\windows\system32\mlfcache.dat
2009-12-21 19:14 . 1980-01-01 08:00 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2004-08-09 21:22 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-15 19:52 . 2009-12-03 03:13 24816 ------w- c:\documents and settings\DAD\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-14 07:08 . 1980-01-01 08:00 33280 ------w- c:\windows\system32\csrsrv.dll
2009-12-12 19:29 . 2009-12-12 19:29 10134 ------r- c:\documents and settings\DAD\Application Data\Microsoft\Installer\{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}\ARPPRODUCTICON.exe
2009-12-12 19:25 . 2009-12-12 19:23 23510720 ------w- c:\documents and settings\DAD\Application Data\Sony Setup\09063B41-0916-4360-A80D-0C2A2B89D300\dotnetfx.exe
2009-12-12 19:19 . 2009-12-12 19:17 32494896 ------w- c:\documents and settings\DAD\Application Data\Sony Setup\9234765D-29DF-48d0-93FB-284B7B6009B9\QuickTimeInstaller.exe
2009-12-09 16:54 . 2009-12-09 16:54 846312 ------w- c:\documents and settings\DAD\Application Data\MSNInstaller\msnauins.exe
2009-12-08 21:46 . 2009-12-08 21:47 25512 ------w- c:\windows\system32\drivers\ggsemc.sys
2009-12-08 21:46 . 2009-12-08 21:47 13224 ------w- c:\windows\system32\drivers\ggflt.sys
2009-12-08 21:46 . 2009-12-08 21:47 1112288 ------w- c:\windows\system32\WdfCoInstaller01007.dll
2009-12-08 19:27 . 1980-01-01 08:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 06:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 22:50 . 2009-12-04 22:50 86016 ------w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-12-04 18:22 . 1980-01-01 08:00 455424 ------w- c:\windows\system32\drivers\mrxsmb.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 13:01 1230080 ------w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-09-24 434176]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 49152]
"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 40960]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-03-01 196710]
"LPManager"="c:\progra~1\Lenovo\LENOVO~2\LPMGR.exe" [2005-12-07 106496]
"cssauthe"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" [2006-03-01 1992240]
"SKDaemon.exe"="c:\program files\Lenovo\Productivity Keyboard\SKDaemon.exe" [2006-02-06 262144]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-03 03:50 12464 ------w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [03/12/2009 03:50 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [03/12/2009 03:50 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [03/12/2009 03:50 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [03/12/2009 03:50 285392]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [22/12/2005 00:45 3968]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [09/12/2009 23:04 27632]
S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]
S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [09/12/2009 23:02 90112]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [08/12/2009 21:47 13224]
S3 s3chipid;s3chipid;\??\c:\docume~1\Owner\LOCALS~1\Temp\s3chipid.sys --> c:\docume~1\Owner\LOCALS~1\Temp\s3chipid.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2010-02-25 c:\windows\Tasks\User_Feed_Synchronization-{A277806A-F328-4CC4-9BA9-41C902613B3B}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 12:31]
.
.
------- Supplementary Scan -------
.
uLocal Page = hxxp://www.google.com/
uStart Page = hxxp://home.bt.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.lenovo.com/us/en/
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe
HKLM-Run-POINTER - point32.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 22:34
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2010-03-03 22:35:23
ComboFix-quarantined-files.txt 2010-03-03 22:35
Pre-Run: 41,218,633,728 bytes free
Post-Run: 41,828,462,592 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Home Edition" /fastdetect
- - End Of File - - 719C2E6C9ED7793955116D36AAAE35B5
-
Hi,
I was wondering if you could help with what seems an identical problem posted on your forum?
Atapi.sys infection? Start of Problems???
Deltalima was the expert involved with solving the TDL3 rootkit problem. How easily can it be fixed?
Please see the attached scan logs from Mbam, GMER and HijackThis.
It took a bit of work getting Mbam and Spybot with the latest updates as they were being blocked. Now the problem seems to be the atapi.sys. I believe that if I delete atapi.sys I will not be able to reboot the system.
I have an IBM system with Rescue and Recovery and the pre-load is on a partition of the hard drive. I want to avoid reformatting, as I have already done so about 3 months ago.
Many thanks
New member "novemberwhisky"
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-24 20:52:41
Windows 5.1.2600 Service Pack 3
Running: 5s9i679h.exe; Driver: C:\DOCUME~1\DAD\LOCALS~1\Temp\awrdapow.sys
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF73FB780]
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExA] [004179E4] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExW] [00417A5E] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!ShowWindow] [00417AD8] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExA] [004179E4] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExW] [00417A5E] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowPos] [00417B8A] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!ShowWindow] [00417AD8] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\wininet.dll [USER32.dll!SetWindowPos] [00417B8A] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\wininet.dll [USER32.dll!CreateWindowExW] [00417A5E] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!CreateWindowExW] [00417A5E] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!ShowWindow] [00417AD8] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!SetWindowPos] [00417B8A] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs ibmfilter.sys (IBM Rescue and Recovery filter driver/IBM)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-1b [F73EEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F73EEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort0 [F73EEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort1 [F73EEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort2 [F73EEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdePort3 [F73EEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10 [F73EEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Files - GMER 1.0.15 ----
File C:\RRbackups\C 0 bytes
File C:\RRbackups\Documents and Settings 0 bytes
File C:\RRbackups\Documents and Settings\All Users 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_c90750f4-1a9a-4385-b16f-b780e69ce3dc 52 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\d42cc0c3858a58db2db37658219e6400_c90750f4-1a9a-4385-b16f-b780e69ce3dc 893 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security 0 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\css.ini 26 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\encobject.dat 1608 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\swkeys.dat 6372 bytes
File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\symkeys.dat 656 bytes
File C:\RRbackups\Documents and Settings\DAD 0 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data 0 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft 0 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Crypto 0 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Crypto\RSA 0 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Crypto\RSA\S-1-5-21-913010512-750300659-3987821213-1006 0 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Crypto\RSA\S-1-5-21-913010512-750300659-3987821213-1006\095eef4ec6fbefd1e618f6bcc8a2c409_c90750f4-1a9a-4385-b16f-b780e69ce3dc 44 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Crypto\RSA\S-1-5-21-913010512-750300659-3987821213-1006\533145ef011ddf5ca3983e2545a902b4_c90750f4-1a9a-4385-b16f-b780e69ce3dc 2075 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Crypto\RSA\S-1-5-21-913010512-750300659-3987821213-1006\83aa4cc77f591dfc2374580bbd95f6ba_c90750f4-1a9a-4385-b16f-b780e69ce3dc 45 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect 0 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\CREDHIST 296 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003 0 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003\bcc758da-8202-4f98-8e02-b38aaef0f0a2 388 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003 0 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003\b494fd33-76f6-4b91-9917-7145d83c8e0f 388 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-913010512-750300659-3987821213-1006 0 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-913010512-750300659-3987821213-1006\56bdf13a-bad8-4cd1-ab44-1a2499927ac1 388 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-913010512-750300659-3987821213-1006\e8018cf0-b6e6-4359-aa8a-6a671f2cae47 388 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-913010512-750300659-3987821213-1006\Preferred 24 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\SystemCertificates 0 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\SystemCertificates\My 0 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\ThinkVantage 0 bytes
File C:\RRbackups\Documents and Settings\DAD\Application Data\ThinkVantage\Client Security 0 bytes
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:07:33, on 24/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\FSRremoS.EXE
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe
C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Documents and Settings\DAD\Application Data\SystemProc\lsass.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgre.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.com/us/en/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [iSUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [cssauthe] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" silent
O4 - HKLM\..\Run: [sKDaemon.exe] C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [TOY5KNQ8OC] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe
O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\DAD\Application Data\SystemProc\lsass.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/us/en/
O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{382CDC68-6BEF-4ADC-B514-E72B86A01101}: NameServer = 93.188.164.224,93.188.166.70
O17 - HKLM\System\CCS\Services\Tcpip\..\{3AB7A6DB-36A0-45D6-8267-468F18D94C87}: NameServer = 93.188.164.224,93.188.166.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.224,93.188.166.70
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.224,93.188.166.70
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.224,93.188.166.70
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
--
End of file - 10282 bytes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:26, on 28/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ICO.EXE
C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe
C:\Program Files\ThinkVantage\SystemUpdate\PipeServer.exe
C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgre.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.com/us/en/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [iSUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [iSUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe
O4 - HKLM\..\Run: [cssauthe] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" silent
O4 - HKLM\..\Run: [sKDaemon.exe] C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
--
End of file - 8117 bytes
TDL3 rootkit problem-Atapi.sys infected
in Resolved Malware Removal Logs
Posted
Sorry - I've been away from my PC again. Thanks for your time helping me.
The Kaspersky report is below - it looks all good to me:
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, March 22, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, March 22, 2010 12:34:19
Records in database: 3846667
Scan settings
Scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes
Scan area: My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan statistics
Objects scanned: 83895
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 02:42:24
No threats found. Scanned area is clean.
Selected area has been scanned.