pvonkaenel
-
Posts
29 -
Joined
-
Last visited
Content Type
Events
Profiles
Forums
Everything posted by pvonkaenel
-
Please Close topic, the issue above had been solved
-
A while ago I had a rogue virus on one of my computers. I used Malwarebytes and it apparently removed the virus, however now whenever I try and go to the Web the Browser will re-direct to http://fazher.com/index..... on the bottom it says connecting to 93.190.139.152 The Screen appears blank and continues to say Connecting... It never returns a bad page error. This happens on both IE8 and Firefox browser so I am pretty sure that it is some type of Virus still Thanks in advance for your help I have attached the various reports requested below Malwarebytes' Anti-Malware 1.45 www.malwarebytes.org Database version: 3996 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 4/16/2010 11:27:26 AM mbam-log-2010-04-16 (11-27-26).txt Scan type: Quick scan Objects scanned: 163452 Time elapsed: 20 minute(s), 30 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\{F9197A7E-CE10-458e-85F8-5B0CE6DF2BBE} (Trojan.Agent) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) DDS (Ver_10-03-17.01) - NTFSx86 Run by Administrator at 13:05:16.07 on Fri 04/16/2010 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1476 [GMT -6:00] ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\RealVNC\VNC4\WinVNC4.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\WINDOWS\system32\rdpclip.exe C:\Documents and Settings\administrator.SESC\Desktop\dds (1).scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.dell4me.com/myway uSearch Page = hxxp://www.google.com uDefault_Page_URL = hxxp://www.dell4me.com/myway uSearch Bar = hxxp://www.google.com/ie uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway mSearchAssistant = hxxp://www.google.com/ie mWinlogon: Userinit=\\.\globalroot\systemroot\system32\userinit.exe, TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227562440961 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Notify: igfxcui - igfxdev.dll Notify: NavLogon - c:\windows\system32\NavLogon.dll SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll ================= FIREFOX =================== FF - ProfilePath - FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); ============= SERVICES / DRIVERS =============== R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208] R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304] R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592] R3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256] R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100415.003\NAVENG.sys [2010-4-16 84912] R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100415.003\NAVEX15.sys [2010-4-16 1324720] S3 DM150Drv;DM150Drv;c:\windows\system32\drivers\DM150Drv.sys [2010-1-27 20600] =============== Created Last 30 ================ 2010-04-16 17:29:35 0 ----a-w- c:\documents and settings\administrator.sesc\defogger_reenable 2010-04-16 17:02:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-16 17:02:20 20824 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-16 17:02:20 0 d-----w- c:\program files\Malwarebytes' Anti-Malware ==================== Find3M ==================== 2008-09-03 15:31:19 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090320080904\index.dat ============= FINISH: 13:06:13.10 =============== Attach.zip
-
Please close this, I have reposted the topic. thanks,
-
Thanks again for all of your help. I truly do appreciate it.
-
A while ago I had a rogue virus on one of my computers. I used Malwarebytes and it apparently removed the virus, however now whenever I try and go to the Web the Browser will re-direct to http://fazher.com/index..... on the bottom it says connecting to 93.190.139.152 This happens on both IE8 and Firefox browser so I am pretty sure that it is some type of Virus still Thanks in advance for your help I have attached the various reports requested below Malwarebytes' Anti-Malware 1.45 www.malwarebytes.org Database version: 3996 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 4/16/2010 11:27:26 AM mbam-log-2010-04-16 (11-27-26).txt Scan type: Quick scan Objects scanned: 163452 Time elapsed: 20 minute(s), 30 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\{F9197A7E-CE10-458e-85F8-5B0CE6DF2BBE} (Trojan.Agent) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) DDS (Ver_10-03-17.01) - NTFSx86 Run by Administrator at 13:05:16.07 on Fri 04/16/2010 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1476 [GMT -6:00] ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\RealVNC\VNC4\WinVNC4.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\WINDOWS\system32\rdpclip.exe C:\Documents and Settings\administrator.SESC\Desktop\dds (1).scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.dell4me.com/myway uSearch Page = hxxp://www.google.com uDefault_Page_URL = hxxp://www.dell4me.com/myway uSearch Bar = hxxp://www.google.com/ie uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway mSearchAssistant = hxxp://www.google.com/ie mWinlogon: Userinit=\\.\globalroot\systemroot\system32\userinit.exe, TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227562440961 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Notify: igfxcui - igfxdev.dll Notify: NavLogon - c:\windows\system32\NavLogon.dll SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll ================= FIREFOX =================== FF - ProfilePath - FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); ============= SERVICES / DRIVERS =============== R2 NAVAPEL;NAVAPEL;c:\program files\symantec_client_security\symantec antivirus\Navapel.sys [2003-5-2 30208] R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\symant~1\symant~1\Rtvscan.exe [2003-5-21 610304] R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592] R3 NAVAP;NAVAP;c:\progra~1\symant~1\symant~1\NAVAP.sys [2003-5-2 224256] R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100415.003\NAVENG.sys [2010-4-16 84912] R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100415.003\NAVEX15.sys [2010-4-16 1324720] S3 DM150Drv;DM150Drv;c:\windows\system32\drivers\DM150Drv.sys [2010-1-27 20600] =============== Created Last 30 ================ 2010-04-16 17:29:35 0 ----a-w- c:\documents and settings\administrator.sesc\defogger_reenable 2010-04-16 17:02:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-04-16 17:02:20 20824 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-04-16 17:02:20 0 d-----w- c:\program files\Malwarebytes' Anti-Malware ==================== Find3M ==================== 2008-09-03 15:31:19 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090320080904\index.dat ============= FINISH: 13:06:13.10 =============== Attach.zip
-
Here is the latest Malwarebytes scan log The computer seems to be running good now, I have not done anything on it because of having this issue so I will really not know until later, but at first glance I would think the problem is resolved. Once again, thank you for all of your help. Malwarebytes' Anti-Malware 1.45 www.malwarebytes.org Database version: 3996 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 4/16/2010 8:54:49 AM mbam-log-2010-04-16 (08-54-49).txt Scan type: Quick scan Objects scanned: 102995 Time elapsed: 4 minute(s), 50 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected)
-
Here is the latest GMER GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-04-15 15:39:49 Windows 5.1.2600 Service Pack 3 Running: 9yhey3sg.exe; Driver: C:\DOCUME~1\Phil\LOCALS~1\Temp\pgloapod.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwClose [0xA8971A1C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateDirectoryObject [0xA8971A48] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateFile [0xA8971A7C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateKey [0xA8971AD0] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwDeleteKey [0xA8971B14] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateKey [0xA8971B40] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateValueKey [0xA8971B80] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwFlushKey [0xA8971BC0] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMakeTemporaryObject [0xA8971BEC] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMapViewOfSection [0xA8971C18] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenKey [0xA8971C68] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenSection [0xA8971C9C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryInformationFile [0xA8971CD0] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryKey [0xA8971D0C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryValueKey [0xA8971D48] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwReadFile [0xA8971D88] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationFile [0xA8971DD4] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationThread [0xA8971E10] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetValueKey [0xA8971E48] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwUnmapViewOfSection [0xA8971E88] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwWriteFile [0xA8971EB8] ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\SearchIndexer.exe[244] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000 ---- EOF - GMER 1.0.15 ----
-
Okay, that is what I thought it is already in process.
-
I am doing that now, do you want GMER ran with everything checked including show all?
-
OTL logfile created on: 4/15/2010 1:08:26 PM - Run 2 OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\Phil\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 54.00% Memory free 4.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free Paging file location(s): C:\pagefile.sys 2046 4092 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 74.52 Gb Total Space | 29.39 Gb Free Space | 39.44% Space Free | Partition Type: NTFS D: Drive not present or media not loaded Drive E: | 74.52 Gb Total Space | 33.09 Gb Free Space | 44.41% Space Free | Partition Type: NTFS F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: PHILV-T64 Current User Name: Phil Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: On Skip Microsoft Files: On File Age = 14 Days Output = Standard Quick Scan ========== Processes (SafeList) ========== PRC - [2010/04/13 15:08:53 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Phil\Desktop\OTL.exe PRC - [2010/04/11 01:52:33 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe PRC - [2010/03/20 18:33:08 | 002,046,816 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe PRC - [2009/12/28 19:13:16 | 000,761,600 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgscanx.exe PRC - [2009/09/14 13:01:01 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe PRC - [2009/09/14 13:01:01 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe PRC - [2009/09/14 13:01:00 | 000,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe PRC - [2009/09/14 13:00:49 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe PRC - [2009/04/10 11:29:08 | 000,037,888 | ---- | M] () -- E:\Program Files\Winamp\winampa.exe PRC - [2008/10/15 17:13:58 | 000,439,632 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\winvnc4.exe PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe PRC - [2007/06/11 19:27:24 | 000,291,760 | ---- | M] () -- C:\Program Files\Lexmark 2500 Series\lxddmon.exe PRC - [2007/05/25 09:41:38 | 000,537,520 | ---- | M] ( ) -- C:\WINDOWS\system32\lxddcoms.exe PRC - [2007/04/30 08:19:54 | 000,020,480 | ---- | M] () -- C:\Program Files\Lexmark 2500 Series\lxddamon.exe PRC - [2006/04/12 21:22:42 | 000,114,688 | ---- | M] (InterVideo Inc.) -- C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe PRC - [2004/08/11 13:22:52 | 000,065,588 | ---- | M] (SafeNet) -- C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe PRC - [2004/08/11 13:22:46 | 000,057,398 | ---- | M] (SafeNet) -- C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe PRC - [2004/08/11 13:22:44 | 000,319,538 | ---- | M] (SafeNet) -- C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe PRC - [2004/07/14 15:36:54 | 000,057,344 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ICO.EXE ========== Modules (SafeList) ========== MOD - [2010/04/13 15:08:53 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Phil\Desktop\OTL.exe ========== Win32 Services (SafeList) ========== SRV - [2009/09/14 13:00:49 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd) SRV - [2008/10/15 17:13:58 | 000,439,632 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4) SRV - [2007/05/25 09:41:54 | 000,099,248 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe -- (lxddCATSCustConnectService) SRV - [2007/05/25 09:41:38 | 000,537,520 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxddcoms.exe -- (lxdd_device) SRV - [2004/08/11 13:22:46 | 000,057,398 | ---- | M] (SafeNet) [Auto | Running] -- C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe -- (IPSECMON) SRV - [2004/08/11 13:22:44 | 000,319,538 | ---- | M] (SafeNet) [Auto | Running] -- C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe -- (IREIKE) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll () IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.startup.homepage: "http://www.facebook.com/home.php" FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5.0.429 FF - prefs.js..extensions.enabledItems: avg@igeared:3.011.025.005 FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0 FF - prefs.js..keyword.URL: "http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=" FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/12/21 10:44:49 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared [2009/12/28 19:49:18 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/11 01:52:48 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/11 01:52:47 | 000,000,000 | ---D | M] [2009/07/27 20:02:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Mozilla\Extensions [2010/04/15 10:15:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\k8l8zeaw.default\extensions [2009/09/27 16:33:31 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\k8l8zeaw.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010/04/15 10:15:21 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions O1 HOSTS File: ([2004/08/04 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.) O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll () O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll () O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll () O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.) O4 - HKLM..\Run: [lxddamon] C:\Program Files\Lexmark 2500 Series\lxddamon.exe () O4 - HKLM..\Run: [lxddmon.exe] C:\Program Files\Lexmark 2500 Series\lxddmon.exe () O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\WINDOWS\System32\ICO.EXE (Primax Electronics Ltd.) O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh) O4 - HKLM..\Run: [synTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.) O4 - HKLM..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe () O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe (InterVideo Inc.) O4 - Startup: C:\Documents and Settings\Phil\Start Menu\Programs\Startup\Mobile User VPN.lnk = C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe (SafeNet) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19) O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 172.16.1.20 205.171.3.65 205.171.2.65 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 205.171.3.65 205.171.2.65 O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.) O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.) O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009/04/23 11:38:57 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 14 Days ========== [2010/04/14 16:06:02 | 000,000,000 | --SD | C] -- C:\ComboFix [2010/04/14 08:47:16 | 000,000,000 | -HSD | C] -- C:\RECYCLER [2010/04/13 15:08:43 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Phil\Desktop\OTL.exe [2010/04/13 10:50:16 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Phil\Desktop\TDSSKiller.exe [2010/04/11 00:23:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Local Settings\Application Data\Ahead [2010/04/11 00:11:11 | 000,000,000 | ---D | C] -- C:\Program Files\Free Convert WMV MOV MPEG to AVI DIVX Converter [2010/04/10 23:53:43 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe [2010/04/10 23:53:43 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe [2010/04/10 23:53:43 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe [2010/04/10 23:53:43 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe [2010/04/10 23:37:01 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Phil\Recent [2010/04/10 21:17:59 | 000,038,912 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\picn20.dll [2010/04/10 20:53:38 | 000,364,544 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\TwnLib4.dll [2010/04/10 20:53:38 | 000,106,496 | ---- | C] (Pegasus Software) -- C:\WINDOWS\System32\TwnLib20.dll [2010/04/10 20:53:37 | 001,568,768 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagX7.dll [2010/04/10 20:53:37 | 000,476,320 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagXpr7.dll [2010/04/10 20:53:37 | 000,471,040 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagXRA7.dll [2010/04/10 20:53:37 | 000,262,144 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagXR7.dll [2010/04/10 20:53:37 | 000,155,648 | ---- | C] (Ahead Software Gmbh) -- C:\WINDOWS\System32\NeroCheck.exe [2010/04/10 20:53:35 | 000,000,000 | ---D | C] -- C:\Program Files\Ahead [2010/04/10 20:09:54 | 000,000,000 | ---D | C] -- C:\Reg Backups [2010/04/10 20:06:38 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner [2010/04/10 18:49:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\My Documents\NeroVision [2010/04/10 18:37:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia [2010/04/10 18:37:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe [2010/04/10 18:20:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Application Data\Ahead [2010/04/10 18:18:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Ahead [2010/04/10 18:12:59 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Ahead [2010/04/06 09:27:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Application Data\Facebook [2010/04/05 09:21:53 | 000,000,000 | ---D | C] -- C:\Temp folder for DVD [2010/04/05 09:00:06 | 000,000,000 | ---D | C] -- C:\VOLUME_IDENTIFIER [2010/04/04 23:35:22 | 000,000,000 | ---D | C] -- C:\Program Files\DVD Shrink [2010/04/04 23:35:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DVD Shrink [2010/04/03 13:13:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Application Data\AVS4YOU [2010/04/03 13:13:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVS4YOU [2010/04/03 13:12:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\AVSMedia [2010/04/03 13:12:13 | 000,000,000 | ---D | C] -- C:\Program Files\AVS4YOU [2010/04/02 22:43:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Local Settings\Application Data\Help [2010/04/02 22:43:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Application Data\Help [2010/04/02 22:29:15 | 000,000,000 | ---D | C] -- C:\Program Files\UP [2009/09/18 21:48:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe [2009/09/14 12:59:31 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft [2009/09/14 12:59:31 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft [2009/09/14 12:59:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft [2009/09/14 12:59:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft [2009/05/08 13:57:55 | 001,232,896 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddserv.dll [2009/05/08 13:57:55 | 000,999,424 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddusb1.dll [2009/05/08 13:57:55 | 000,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddpmui.dll [2009/05/08 13:57:55 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddlmpm.dll [2009/05/08 13:57:55 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddinpa.dll [2009/05/08 13:57:55 | 000,397,312 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddiesc.dll [2009/05/08 13:57:55 | 000,323,584 | ---- | C] ( ) -- C:\WINDOWS\System32\LXDDhcp.dll [2009/05/08 13:57:55 | 000,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddprox.dll [2009/05/08 13:57:55 | 000,094,208 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddpplc.dll [2009/05/08 13:57:54 | 000,700,416 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddhbn3.dll [2009/05/08 13:57:54 | 000,684,032 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddcomc.dll [2009/05/08 13:57:54 | 000,425,984 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddcomm.dll [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files - Modified Within 14 Days ========== [2010/04/15 12:25:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-308236825-839522115-1003UA.job [2010/04/15 09:13:12 | 000,465,640 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2010/04/15 09:13:12 | 000,079,360 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2010/04/15 09:13:11 | 000,555,168 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2010/04/15 09:09:20 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2010/04/15 09:09:03 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT [2010/04/15 09:08:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2010/04/15 09:05:42 | 004,194,304 | -H-- | M] () -- C:\Documents and Settings\Phil\NTUSER.DAT [2010/04/15 09:05:42 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Phil\ntuser.ini [2010/04/15 08:45:27 | 058,926,845 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm [2010/04/13 15:08:53 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Phil\Desktop\OTL.exe [2010/04/13 13:51:44 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini [2010/04/13 13:41:12 | 003,914,375 | R--- | M] () -- C:\Documents and Settings\Phil\Desktop\ComboFix.exe [2010/04/13 10:49:03 | 000,154,469 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\tdsskiller.zip [2010/04/12 23:34:36 | 000,004,208 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\Attach.zip [2010/04/12 22:59:51 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\9yhey3sg.exe [2010/04/12 22:56:13 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\dds.scr [2010/04/12 22:50:24 | 000,000,156 | ---- | M] () -- C:\Documents and Settings\Phil\defogger_reenable [2010/04/12 22:49:03 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\Defogger.exe [2010/04/12 22:25:01 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-308236825-839522115-1003Core.job [2010/04/12 22:22:32 | 000,002,277 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\Google Chrome.lnk [2010/04/11 21:22:40 | 000,000,094 | ---- | M] () -- C:\Documents and Settings\Phil\default.pls [2010/04/11 21:21:54 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini [2010/04/11 09:03:38 | 000,115,200 | ---- | M] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010/04/11 00:11:15 | 000,000,034 | -H-- | M] () -- C:\WINDOWS\System32\Converter_sysquict.dat [2010/04/10 19:01:27 | 000,193,776 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2010/04/09 23:28:51 | 000,001,722 | -H-- | M] () -- C:\Documents and Settings\Phil\My Documents\Default.rdp [2010/04/05 09:09:30 | 506,986,496 | ---- | M] () -- C:\VOLUME_IDENTIFIER.ISO [2010/04/04 23:35:22 | 000,000,670 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\DVD Shrink 3.2.lnk [2010/04/03 13:13:36 | 000,046,080 | ---- | M] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\GDIPFONTCACHEV1.DAT [2010/04/02 00:03:24 | 006,397,780 | -H-- | M] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\IconCache.db [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files Created - No Company Name ========== [2010/04/13 10:48:55 | 000,154,469 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\tdsskiller.zip [2010/04/12 23:34:36 | 000,004,208 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\Attach.zip [2010/04/12 22:59:49 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\9yhey3sg.exe [2010/04/12 22:56:11 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\dds.scr [2010/04/12 22:50:21 | 000,000,156 | ---- | C] () -- C:\Documents and Settings\Phil\defogger_reenable [2010/04/12 22:49:02 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\Defogger.exe [2010/04/12 22:22:32 | 000,002,277 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\Google Chrome.lnk [2010/04/12 22:20:53 | 000,000,974 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-308236825-839522115-1003UA.job [2010/04/12 22:20:52 | 000,000,922 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-308236825-839522115-1003Core.job [2010/04/11 00:11:15 | 000,000,034 | -H-- | C] () -- C:\WINDOWS\System32\Converter_sysquict.dat [2010/04/10 23:53:43 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe [2010/04/10 23:53:43 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe [2010/04/10 23:53:43 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe [2010/04/10 23:53:43 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe [2010/04/10 23:53:43 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe [2010/04/10 23:51:44 | 003,914,375 | R--- | C] () -- C:\Documents and Settings\Phil\Desktop\ComboFix.exe [2010/04/10 22:37:25 | 000,000,094 | ---- | C] () -- C:\Documents and Settings\Phil\default.pls [2010/04/10 21:40:16 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini [2010/04/10 21:18:12 | 000,135,532 | ---- | C] () -- C:\WINDOWS\UNNeroVision.cfg [2010/04/05 09:08:21 | 506,986,496 | ---- | C] () -- C:\VOLUME_IDENTIFIER.ISO [2010/04/04 23:35:22 | 000,000,670 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\DVD Shrink 3.2.lnk [2009/10/18 20:51:23 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL [2009/10/09 17:31:42 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll [2009/10/09 17:31:30 | 000,000,032 | ---- | C] () -- C:\WINDOWS\sierra.ini [2009/09/18 18:37:00 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll [2009/09/13 01:06:16 | 000,000,745 | ---- | C] () -- C:\WINDOWS\CoD.INI [2009/09/07 22:56:11 | 000,000,765 | ---- | C] () -- C:\Documents and Settings\All Users\lxdd [2009/07/27 20:49:42 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI [2009/05/20 08:39:57 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll [2009/05/20 08:39:57 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll [2009/05/20 08:39:57 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll [2009/05/20 08:39:57 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll [2009/05/20 08:39:57 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll [2009/05/20 08:39:57 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll [2009/05/15 10:25:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI [2009/05/08 13:58:58 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxddvs.dll [2009/05/08 13:58:56 | 000,344,064 | ---- | C] () -- C:\WINDOWS\System32\lxddcoin.dll [2009/05/08 13:58:30 | 000,692,224 | ---- | C] () -- C:\WINDOWS\System32\lxdddrs.dll [2009/05/08 13:58:30 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxddcnv4.dll [2009/05/08 13:58:30 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\lxddcaps.dll [2009/05/08 13:58:13 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\lxddrwrd.ini [2009/05/08 13:57:55 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\LXDDinst.dll [2009/05/08 13:57:54 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxddgrd.dll [2009/05/05 22:19:14 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\nsldap32v50.dll [2009/05/03 14:37:12 | 000,115,200 | ---- | C] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2009/05/02 22:22:38 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll [2009/04/26 07:51:04 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini [2009/04/23 14:54:05 | 000,008,181 | ---- | C] () -- C:\WINDOWS\System32\Setup2k.ini [2009/04/23 14:54:05 | 000,000,184 | ---- | C] () -- C:\WINDOWS\System32\presetup.ini [2009/04/23 14:48:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\QSwitch.txt [2009/04/23 14:48:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\DSwitch.txt [2009/04/23 14:48:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\AtStart.txt [2009/04/23 12:16:47 | 000,000,484 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2009/04/23 11:46:38 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Phil\ntuser.ini [2009/04/23 11:46:37 | 004,194,304 | -H-- | C] () -- C:\Documents and Settings\Phil\NTUSER.DAT [2009/04/23 11:46:37 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Phil\NTUSER.DAT.LOG [2009/03/03 12:18:04 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll [2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini [2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini [2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini [2003/06/20 06:00:00 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI ========== LOP Check ========== [2009/05/02 22:25:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Age of Empires 3 [2009/09/27 16:39:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar [2010/01/02 20:17:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite [2009/05/04 14:40:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound [2009/05/08 12:13:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TaxCut [2009/09/16 11:05:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\DAEMON Tools Lite [2010/04/06 09:27:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Facebook [2009/06/30 00:22:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\InterVideo [2009/05/20 08:40:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Leadertech [2009/05/08 13:59:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Lexmark Productivity Studio [2009/05/04 14:40:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\NCH Swift Sound [2009/05/04 14:39:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Recordpad [2009/05/08 12:15:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\TaxCut [2009/04/27 22:45:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Windows Desktop Search [2009/04/28 15:30:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Windows Search ========== Purity Check ========== ========== Custom Scans ========== < MD5 for: REDBOOK.SYS > [2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:redbook.sys [2009/04/25 16:20:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:redbook.sys [2009/04/25 16:20:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:redbook.sys [2008/04/13 12:40:27 | 000,057,600 | ---- | M] (Microsoft Corporation) MD5=F828DD7E1419B6653894A8F97A0094C5 -- C:\WINDOWS\maxdriver\redbook.sys [2008/04/13 12:40:27 | 000,057,600 | ---- | M] (Microsoft Corporation) MD5=F828DD7E1419B6653894A8F97A0094C5 -- C:\WINDOWS\ServicePackFiles\i386\redbook.sys [2010/04/11 20:50:59 | 000,057,600 | ---- | M] (Microsoft Corporation) MD5=F828DD7E1419B6653894A8F97A0094C5 -- C:\WINDOWS\system32\dllcache\redbook.sys [2010/04/11 20:50:59 | 000,057,600 | ---- | M] (Microsoft Corporation) MD5=F828DD7E1419B6653894A8F97A0094C5 -- C:\WINDOWS\system32\drivers\redbook.sys < End of report >
-
I did Redo the GMER scan having both Drives checked and since it did find a couple of more suspicious items I went ahead and attached the new file. For future reference I did check the MD5 Value on the clean computer and it does match the infected computer, but per your instruction I have not copied the file GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-04-15 10:04:48 Windows 5.1.2600 Service Pack 3 Running: 9yhey3sg.exe; Driver: C:\DOCUME~1\Phil\LOCALS~1\Temp\pgloapod.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwClose [0xA8015A1C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateDirectoryObject [0xA8015A48] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateFile [0xA8015A7C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateKey [0xA8015AD0] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwDeleteKey [0xA8015B14] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateKey [0xA8015B40] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateValueKey [0xA8015B80] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwFlushKey [0xA8015BC0] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMakeTemporaryObject [0xA8015BEC] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMapViewOfSection [0xA8015C18] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenKey [0xA8015C68] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenSection [0xA8015C9C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryInformationFile [0xA8015CD0] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryKey [0xA8015D0C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryValueKey [0xA8015D48] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwReadFile [0xA8015D88] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationFile [0xA8015DD4] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationThread [0xA8015E10] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetValueKey [0xA8015E48] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwUnmapViewOfSection [0xA8015E88] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwWriteFile [0xA8015EB8] ---- Kernel code sections - GMER 1.0.15 ---- .rsrc C:\WINDOWS\system32\DRIVERS\redbook.sys entry point in ".rsrc" section [0xF681FF94] ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\SearchIndexer.exe[1440] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation) .text C:\WINDOWS\System32\svchost.exe[1660] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A .text C:\WINDOWS\System32\svchost.exe[1660] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84] .text C:\WINDOWS\System32\svchost.exe[1660] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A .text C:\WINDOWS\System32\svchost.exe[1660] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C .text C:\WINDOWS\system32\wuauclt.exe[2028] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A .text C:\WINDOWS\system32\wuauclt.exe[2028] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84] .text C:\WINDOWS\system32\wuauclt.exe[2028] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A .text C:\WINDOWS\system32\wuauclt.exe[2028] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C .text C:\WINDOWS\system32\wuauclt.exe[2600] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B9000A .text C:\WINDOWS\system32\wuauclt.exe[2600] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BA000A .text C:\WINDOWS\system32\wuauclt.exe[2600] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B8000C .text C:\WINDOWS\Explorer.EXE[3460] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A .text C:\WINDOWS\Explorer.EXE[3460] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A .text C:\WINDOWS\Explorer.EXE[3460] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device -> \Driver\atapi \Device\Harddisk0\DR0 8A3AAAC8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000 ---- Files - GMER 1.0.15 ---- File C:\Documents and Settings\NetworkService\Cookies\system@bidsystem[2].txt 0 bytes File C:\Documents and Settings\NetworkService\Cookies\system@64.111.196[2].txt 0 bytes File C:\Documents and Settings\NetworkService\Cookies\system@mygeek[4].txt 0 bytes File C:\WINDOWS\system32\DRIVERS\redbook.sys suspicious modification File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification ---- EOF - GMER 1.0.15 ----
-
Here is the GMER log with everything checked except "Show all" I also did not realize until it wa half way through that I did not have the secondary Data E: drive checked. While I wait for your response I will probably go ahead and run it. I will post below when it is done Thanks again. GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-04-15 08:57:37 Windows 5.1.2600 Service Pack 3 Running: 9yhey3sg.exe; Driver: C:\DOCUME~1\Phil\LOCALS~1\Temp\pgloapod.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwClose [0xA83BDA1C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateDirectoryObject [0xA83BDA48] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateFile [0xA83BDA7C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateKey [0xA83BDAD0] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwDeleteKey [0xA83BDB14] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateKey [0xA83BDB40] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateValueKey [0xA83BDB80] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwFlushKey [0xA83BDBC0] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMakeTemporaryObject [0xA83BDBEC] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMapViewOfSection [0xA83BDC18] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenKey [0xA83BDC68] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenSection [0xA83BDC9C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryInformationFile [0xA83BDCD0] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryKey [0xA83BDD0C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryValueKey [0xA83BDD48] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwReadFile [0xA83BDD88] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationFile [0xA83BDDD4] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationThread [0xA83BDE10] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetValueKey [0xA83BDE48] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwUnmapViewOfSection [0xA83BDE88] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwWriteFile [0xA83BDEB8] ---- Kernel code sections - GMER 1.0.15 ---- .rsrc C:\WINDOWS\system32\DRIVERS\redbook.sys entry point in ".rsrc" section [0xF7542F94] ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\wuauclt.exe[248] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B9000A .text C:\WINDOWS\system32\wuauclt.exe[248] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BA000A .text C:\WINDOWS\system32\wuauclt.exe[248] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B8000C .text C:\WINDOWS\system32\SearchIndexer.exe[1520] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation) .text C:\WINDOWS\System32\svchost.exe[1648] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A .text C:\WINDOWS\System32\svchost.exe[1648] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84] .text C:\WINDOWS\System32\svchost.exe[1648] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A .text C:\WINDOWS\System32\svchost.exe[1648] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C .text C:\WINDOWS\System32\svchost.exe[1648] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 03A6000A .text C:\WINDOWS\System32\svchost.exe[1648] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 02B3000A .text C:\WINDOWS\Explorer.EXE[3896] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A .text C:\WINDOWS\Explorer.EXE[3896] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A .text C:\WINDOWS\Explorer.EXE[3896] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device -> \Driver\atapi \Device\Harddisk0\DR0 8A3A6AC8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000 ---- Files - GMER 1.0.15 ---- File C:\WINDOWS\system32\DRIVERS\redbook.sys suspicious modification File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification ---- EOF - GMER 1.0.15 ----
-
I do have another XP Pro Operating system as my disposal, how about using the working file from that machine? and doing the same recovery console file copy?
-
GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-04-14 15:30:10 Windows 5.1.2600 Service Pack 3 Running: 9yhey3sg.exe; Driver: C:\DOCUME~1\Phil\LOCALS~1\Temp\pgloapod.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwClose [0xA838CA1C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateDirectoryObject [0xA838CA48] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateFile [0xA838CA7C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateKey [0xA838CAD0] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwDeleteKey [0xA838CB14] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateKey [0xA838CB40] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateValueKey [0xA838CB80] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwFlushKey [0xA838CBC0] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMakeTemporaryObject [0xA838CBEC] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMapViewOfSection [0xA838CC18] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenKey [0xA838CC68] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenSection [0xA838CC9C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryInformationFile [0xA838CCD0] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryKey [0xA838CD0C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryValueKey [0xA838CD48] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwReadFile [0xA838CD88] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationFile [0xA838CDD4] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationThread [0xA838CE10] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetValueKey [0xA838CE48] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwUnmapViewOfSection [0xA838CE88] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwWriteFile [0xA838CEB8] ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device -> \Driver\atapi \Device\Harddisk0\DR0 8A3A3AC8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ... ---- Files - GMER 1.0.15 ---- File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification ---- EOF - GMER 1.0.15 ----
-
GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-04-14 14:00:33 Windows 5.1.2600 Service Pack 3 Running: 9yhey3sg.exe; Driver: C:\DOCUME~1\Phil\LOCALS~1\Temp\pgloapod.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwClose [0xA82BFA1C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateDirectoryObject [0xA82BFA48] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateFile [0xA82BFA7C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateKey [0xA82BFAD0] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwDeleteKey [0xA82BFB14] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateKey [0xA82BFB40] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateValueKey [0xA82BFB80] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwFlushKey [0xA82BFBC0] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMakeTemporaryObject [0xA82BFBEC] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMapViewOfSection [0xA82BFC18] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenKey [0xA82BFC68] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenSection [0xA82BFC9C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryInformationFile [0xA82BFCD0] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryKey [0xA82BFD0C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryValueKey [0xA82BFD48] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwReadFile [0xA82BFD88] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationFile [0xA82BFDD4] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationThread [0xA82BFE10] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetValueKey [0xA82BFE48] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwUnmapViewOfSection [0xA82BFE88] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwWriteFile [0xA82BFEB8] ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device -> \Driver\atapi \Device\Harddisk0\DR0 8A3AEAC8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@BalloonTime 2010-04-14 14:52:01 ---- Files - GMER 1.0.15 ---- File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification ---- EOF - GMER 1.0.15 ----
-
Her are both the new TDSSKiller and GMER logs. The TDSKiller did have me reboot during the process. 08:48:50:812 0312 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04 08:48:50:812 0312 ================================================================================ 08:48:50:812 0312 SystemInfo: 08:48:50:812 0312 OS Version: 5.1.2600 ServicePack: 3.0 08:48:50:812 0312 Product type: Workstation 08:48:50:812 0312 ComputerName: PHILV-T64 08:48:50:812 0312 UserName: Phil 08:48:50:812 0312 Windows directory: C:\WINDOWS 08:48:50:812 0312 Processor architecture: Intel x86 08:48:50:812 0312 Number of processors: 1 08:48:50:812 0312 Page size: 0x1000 08:48:50:812 0312 Boot type: Normal boot 08:48:50:812 0312 ================================================================================ 08:48:50:890 0312 UnloadDriverW: NtUnloadDriver error 2 08:48:50:890 0312 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2 08:48:50:968 0312 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system 08:48:50:968 0312 wfopen_ex: MyNtCreateFileW error 32 (C0000043) 08:48:50:968 0312 wfopen_ex: Trying to KLMD file open 08:48:50:968 0312 wfopen_ex: File opened ok (Flags 2) 08:48:50:968 0312 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software 08:48:50:968 0312 wfopen_ex: MyNtCreateFileW error 32 (C0000043) 08:48:50:968 0312 wfopen_ex: Trying to KLMD file open 08:48:50:968 0312 wfopen_ex: File opened ok (Flags 2) 08:48:50:968 0312 Initialize success 08:48:50:968 0312 08:48:50:968 0312 Scanning Services ... 08:48:52:078 0312 Raw services enum returned 351 services 08:48:52:093 0312 08:48:52:093 0312 Scanning Kernel memory ... 08:48:52:093 0312 Devices to scan: 4 08:48:52:093 0312 08:48:52:093 0312 Driver Name: Disk 08:48:52:093 0312 IRP_MJ_CREATE : F74EDBB0 08:48:52:093 0312 IRP_MJ_CREATE_NAMED_PIPE : 804F355A 08:48:52:093 0312 IRP_MJ_CLOSE : F74EDBB0 08:48:52:093 0312 IRP_MJ_READ : F74E7D1F 08:48:52:093 0312 IRP_MJ_WRITE : F74E7D1F 08:48:52:093 0312 IRP_MJ_QUERY_INFORMATION : 804F355A 08:48:52:093 0312 IRP_MJ_SET_INFORMATION : 804F355A 08:48:52:093 0312 IRP_MJ_QUERY_EA : 804F355A 08:48:52:093 0312 IRP_MJ_SET_EA : 804F355A 08:48:52:093 0312 IRP_MJ_FLUSH_BUFFERS : F74E82E2 08:48:52:093 0312 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A 08:48:52:093 0312 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A 08:48:52:093 0312 IRP_MJ_DIRECTORY_CONTROL : 804F355A 08:48:52:093 0312 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A 08:48:52:093 0312 IRP_MJ_DEVICE_CONTROL : F74E83BB 08:48:52:093 0312 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74EBF28 08:48:52:093 0312 IRP_MJ_SHUTDOWN : F74E82E2 08:48:52:093 0312 IRP_MJ_LOCK_CONTROL : 804F355A 08:48:52:093 0312 IRP_MJ_CLEANUP : 804F355A 08:48:52:093 0312 IRP_MJ_CREATE_MAILSLOT : 804F355A 08:48:52:093 0312 IRP_MJ_QUERY_SECURITY : 804F355A 08:48:52:093 0312 IRP_MJ_SET_SECURITY : 804F355A 08:48:52:093 0312 IRP_MJ_POWER : F74E9C82 08:48:52:093 0312 IRP_MJ_SYSTEM_CONTROL : F74EE99E 08:48:52:093 0312 IRP_MJ_DEVICE_CHANGE : 804F355A 08:48:52:093 0312 IRP_MJ_QUERY_QUOTA : 804F355A 08:48:52:093 0312 IRP_MJ_SET_QUOTA : 804F355A 08:48:52:109 0312 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1 08:48:52:109 0312 08:48:52:109 0312 Driver Name: Disk 08:48:52:109 0312 IRP_MJ_CREATE : F74EDBB0 08:48:52:109 0312 IRP_MJ_CREATE_NAMED_PIPE : 804F355A 08:48:52:109 0312 IRP_MJ_CLOSE : F74EDBB0 08:48:52:109 0312 IRP_MJ_READ : F74E7D1F 08:48:52:109 0312 IRP_MJ_WRITE : F74E7D1F 08:48:52:109 0312 IRP_MJ_QUERY_INFORMATION : 804F355A 08:48:52:109 0312 IRP_MJ_SET_INFORMATION : 804F355A 08:48:52:109 0312 IRP_MJ_QUERY_EA : 804F355A 08:48:52:109 0312 IRP_MJ_SET_EA : 804F355A 08:48:52:109 0312 IRP_MJ_FLUSH_BUFFERS : F74E82E2 08:48:52:109 0312 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A 08:48:52:109 0312 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A 08:48:52:109 0312 IRP_MJ_DIRECTORY_CONTROL : 804F355A 08:48:52:109 0312 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A 08:48:52:109 0312 IRP_MJ_DEVICE_CONTROL : F74E83BB 08:48:52:109 0312 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74EBF28 08:48:52:109 0312 IRP_MJ_SHUTDOWN : F74E82E2 08:48:52:109 0312 IRP_MJ_LOCK_CONTROL : 804F355A 08:48:52:109 0312 IRP_MJ_CLEANUP : 804F355A 08:48:52:109 0312 IRP_MJ_CREATE_MAILSLOT : 804F355A 08:48:52:109 0312 IRP_MJ_QUERY_SECURITY : 804F355A 08:48:52:109 0312 IRP_MJ_SET_SECURITY : 804F355A 08:48:52:109 0312 IRP_MJ_POWER : F74E9C82 08:48:52:109 0312 IRP_MJ_SYSTEM_CONTROL : F74EE99E 08:48:52:109 0312 IRP_MJ_DEVICE_CHANGE : 804F355A 08:48:52:109 0312 IRP_MJ_QUERY_QUOTA : 804F355A 08:48:52:109 0312 IRP_MJ_SET_QUOTA : 804F355A 08:48:52:109 0312 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1 08:48:52:109 0312 08:48:52:109 0312 Driver Name: atapi 08:48:52:109 0312 IRP_MJ_CREATE : F72D66F2 08:48:52:109 0312 IRP_MJ_CREATE_NAMED_PIPE : 804F355A 08:48:52:109 0312 IRP_MJ_CLOSE : F72D66F2 08:48:52:109 0312 IRP_MJ_READ : 804F355A 08:48:52:109 0312 IRP_MJ_WRITE : 804F355A 08:48:52:109 0312 IRP_MJ_QUERY_INFORMATION : 804F355A 08:48:52:109 0312 IRP_MJ_SET_INFORMATION : 804F355A 08:48:52:109 0312 IRP_MJ_QUERY_EA : 804F355A 08:48:52:109 0312 IRP_MJ_SET_EA : 804F355A 08:48:52:125 0312 IRP_MJ_FLUSH_BUFFERS : 804F355A 08:48:52:125 0312 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A 08:48:52:125 0312 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A 08:48:52:125 0312 IRP_MJ_DIRECTORY_CONTROL : 804F355A 08:48:52:125 0312 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A 08:48:52:125 0312 IRP_MJ_DEVICE_CONTROL : F72D6712 08:48:52:125 0312 IRP_MJ_INTERNAL_DEVICE_CONTROL : F72D2852 08:48:52:125 0312 IRP_MJ_SHUTDOWN : 804F355A 08:48:52:125 0312 IRP_MJ_LOCK_CONTROL : 804F355A 08:48:52:125 0312 IRP_MJ_CLEANUP : 804F355A 08:48:52:125 0312 IRP_MJ_CREATE_MAILSLOT : 804F355A 08:48:52:125 0312 IRP_MJ_QUERY_SECURITY : 804F355A 08:48:52:125 0312 IRP_MJ_SET_SECURITY : 804F355A 08:48:52:125 0312 IRP_MJ_POWER : F72D673C 08:48:52:125 0312 IRP_MJ_SYSTEM_CONTROL : F72DD336 08:48:52:125 0312 IRP_MJ_DEVICE_CHANGE : 804F355A 08:48:52:125 0312 IRP_MJ_QUERY_QUOTA : 804F355A 08:48:52:125 0312 IRP_MJ_SET_QUOTA : 804F355A 08:48:52:140 0312 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1 08:48:52:140 0312 08:48:52:140 0312 Driver Name: atapi 08:48:52:140 0312 IRP_MJ_CREATE : 8A38DAC8 08:48:52:140 0312 IRP_MJ_CREATE_NAMED_PIPE : 8A38DAC8 08:48:52:140 0312 IRP_MJ_CLOSE : 8A38DAC8 08:48:52:140 0312 IRP_MJ_READ : 8A38DAC8 08:48:52:140 0312 IRP_MJ_WRITE : 8A38DAC8 08:48:52:140 0312 IRP_MJ_QUERY_INFORMATION : 8A38DAC8 08:48:52:140 0312 IRP_MJ_SET_INFORMATION : 8A38DAC8 08:48:52:140 0312 IRP_MJ_QUERY_EA : 8A38DAC8 08:48:52:140 0312 IRP_MJ_SET_EA : 8A38DAC8 08:48:52:140 0312 IRP_MJ_FLUSH_BUFFERS : 8A38DAC8 08:48:52:140 0312 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A38DAC8 08:48:52:140 0312 IRP_MJ_SET_VOLUME_INFORMATION : 8A38DAC8 08:48:52:140 0312 IRP_MJ_DIRECTORY_CONTROL : 8A38DAC8 08:48:52:140 0312 IRP_MJ_FILE_SYSTEM_CONTROL : 8A38DAC8 08:48:52:140 0312 IRP_MJ_DEVICE_CONTROL : 8A38DAC8 08:48:52:140 0312 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A38DAC8 08:48:52:140 0312 IRP_MJ_SHUTDOWN : 8A38DAC8 08:48:52:140 0312 IRP_MJ_LOCK_CONTROL : 8A38DAC8 08:48:52:140 0312 IRP_MJ_CLEANUP : 8A38DAC8 08:48:52:140 0312 IRP_MJ_CREATE_MAILSLOT : 8A38DAC8 08:48:52:140 0312 IRP_MJ_QUERY_SECURITY : 8A38DAC8 08:48:52:140 0312 IRP_MJ_SET_SECURITY : 8A38DAC8 08:48:52:140 0312 IRP_MJ_POWER : 8A38DAC8 08:48:52:140 0312 IRP_MJ_SYSTEM_CONTROL : 8A38DAC8 08:48:52:140 0312 IRP_MJ_DEVICE_CHANGE : 8A38DAC8 08:48:52:140 0312 IRP_MJ_QUERY_QUOTA : 8A38DAC8 08:48:52:140 0312 IRP_MJ_SET_QUOTA : 8A38DAC8 08:48:52:140 0312 Driver "atapi" infected by TDSS rootkit! 08:48:52:156 0312 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1 08:48:52:156 0312 File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ... 08:48:52:156 0312 Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys 08:48:52:156 0312 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3 08:48:52:593 0312 vfvi6 08:48:52:781 0312 !dsvbh1 08:48:56:265 0312 dsvbh2 08:48:56:265 0312 fdfb2 08:48:56:265 0312 Backup copy found, using it.. 08:48:56:328 0312 will be cured on next reboot 08:48:56:328 0312 Reboot required for cure complete.. 08:48:56:343 0312 Cure on reboot scheduled successfully 08:48:56:343 0312 08:48:56:343 0312 Completed 08:48:56:343 0312 08:48:56:343 0312 Results: 08:48:56:343 0312 Memory objects infected / cured / cured on reboot: 1 / 0 / 0 08:48:56:343 0312 Registry objects infected / cured / cured on reboot: 0 / 0 / 0 08:48:56:343 0312 File objects infected / cured / cured on reboot: 1 / 0 / 1 08:48:56:343 0312 08:48:56:343 0312 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system 08:48:56:343 0312 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software 08:48:56:343 0312 UnloadDriverW: NtUnloadDriver error 1 08:48:56:343 0312 KLMD(ARK) unloaded successfully GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-04-14 08:53:47 Windows 5.1.2600 Service Pack 3 Running: 9yhey3sg.exe; Driver: C:\DOCUME~1\Phil\LOCALS~1\Temp\pgloapod.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwClose [0xA83A5A1C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateDirectoryObject [0xA83A5A48] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateFile [0xA83A5A7C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateKey [0xA83A5AD0] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwDeleteKey [0xA83A5B14] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateKey [0xA83A5B40] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateValueKey [0xA83A5B80] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwFlushKey [0xA83A5BC0] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMakeTemporaryObject [0xA83A5BEC] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMapViewOfSection [0xA83A5C18] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenKey [0xA83A5C68] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenSection [0xA83A5C9C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryInformationFile [0xA83A5CD0] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryKey [0xA83A5D0C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryValueKey [0xA83A5D48] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwReadFile [0xA83A5D88] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationFile [0xA83A5DD4] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationThread [0xA83A5E10] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetValueKey [0xA83A5E48] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwUnmapViewOfSection [0xA83A5E88] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwWriteFile [0xA83A5EB8] ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \Driver\atapi \Device\Ide\IdePort0 tsk3.tmp Device \Driver\atapi \Device\Ide\IdePort1 tsk3.tmp Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c tsk3.tmp Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 tsk3.tmp AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device -> \Driver\atapi \Device\Harddisk0\DR0 8A39BAC8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ... ---- Files - GMER 1.0.15 ---- File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification ---- EOF - GMER 1.0.15 ----
-
Here is the OTL.exe log OTL logfile created on: 4/13/2010 3:10:12 PM - Run 1 OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\Phil\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free 4.00 Gb Paging File | 3.00 Gb Available in Paging File | 86.00% Paging File free Paging file location(s): C:\pagefile.sys 2046 4092 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 74.52 Gb Total Space | 29.44 Gb Free Space | 39.50% Space Free | Partition Type: NTFS D: Drive not present or media not loaded Drive E: | 74.52 Gb Total Space | 33.09 Gb Free Space | 44.41% Space Free | Partition Type: NTFS F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: PHILV-T64 Current User Name: Phil Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: On Skip Microsoft Files: On File Age = 14 Days Output = Standard Quick Scan ========== Processes (SafeList) ========== PRC - [2010/04/13 15:08:53 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Phil\Desktop\OTL.exe PRC - [2010/04/11 01:52:33 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe PRC - [2010/03/20 18:33:08 | 002,046,816 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe PRC - [2009/09/14 13:01:01 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe PRC - [2009/09/14 13:01:01 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe PRC - [2009/09/14 13:00:49 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe PRC - [2008/10/15 17:13:58 | 000,439,632 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\winvnc4.exe PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe PRC - [2007/06/11 19:27:24 | 000,291,760 | ---- | M] () -- C:\Program Files\Lexmark 2500 Series\lxddmon.exe PRC - [2007/05/25 09:41:38 | 000,537,520 | ---- | M] ( ) -- C:\WINDOWS\system32\lxddcoms.exe PRC - [2006/04/12 21:22:42 | 000,114,688 | ---- | M] (InterVideo Inc.) -- C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe PRC - [2004/08/11 13:22:52 | 000,065,588 | ---- | M] (SafeNet) -- C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe PRC - [2004/08/11 13:22:46 | 000,057,398 | ---- | M] (SafeNet) -- C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe PRC - [2004/08/11 13:22:44 | 000,319,538 | ---- | M] (SafeNet) -- C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe PRC - [2004/07/14 15:36:54 | 000,057,344 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ICO.EXE ========== Modules (SafeList) ========== MOD - [2010/04/13 15:08:53 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Phil\Desktop\OTL.exe ========== Win32 Services (SafeList) ========== SRV - [2009/09/14 13:00:49 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd) SRV - [2008/10/15 17:13:58 | 000,439,632 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4) SRV - [2007/05/25 09:41:54 | 000,099,248 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe -- (lxddCATSCustConnectService) SRV - [2007/05/25 09:41:38 | 000,537,520 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxddcoms.exe -- (lxdd_device) SRV - [2004/08/11 13:22:46 | 000,057,398 | ---- | M] (SafeNet) [Auto | Running] -- C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe -- (IPSECMON) SRV - [2004/08/11 13:22:44 | 000,319,538 | ---- | M] (SafeNet) [Auto | Running] -- C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe -- (IREIKE) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll () IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 ========== FireFox ========== FF - prefs.js..browser.startup.homepage: "http://www.facebook.com/home.php" FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5.0.429 FF - prefs.js..extensions.enabledItems: avg@igeared:3.011.025.005 FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0 FF - prefs.js..keyword.URL: "http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=" FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/12/21 10:44:49 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared [2009/12/28 19:49:18 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/11 01:52:48 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/11 01:52:47 | 000,000,000 | ---D | M] [2009/07/27 20:02:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Mozilla\Extensions [2010/04/12 22:30:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\k8l8zeaw.default\extensions [2009/09/27 16:33:31 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\k8l8zeaw.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010/04/11 21:25:32 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions O1 HOSTS File: ([2004/08/04 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.) O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll () O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll () O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll () O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.) O4 - HKLM..\Run: [lxddamon] C:\Program Files\Lexmark 2500 Series\lxddamon.exe () O4 - HKLM..\Run: [lxddmon.exe] C:\Program Files\Lexmark 2500 Series\lxddmon.exe () O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\WINDOWS\System32\ICO.EXE (Primax Electronics Ltd.) O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh) O4 - HKLM..\Run: [synTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.) O4 - HKLM..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe () O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe (InterVideo Inc.) O4 - Startup: C:\Documents and Settings\Phil\Start Menu\Programs\Startup\Mobile User VPN.lnk = C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe (SafeNet) O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19) O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 172.16.1.20 205.171.3.65 205.171.2.65 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 205.171.3.65 205.171.2.65 O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.) O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.) O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009/04/23 11:38:57 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = ComFile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* NetSvcs: 6to4 - File not found NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/04/23 05:19:43 | 000,000,000 | ---D | M] NetSvcs: Iprip - File not found NetSvcs: Irmon - File not found NetSvcs: NWCWorkstation - File not found NetSvcs: Nwsapagent - File not found NetSvcs: WmdmPmSp - File not found CREATERESTOREPOINT Restore point Set: OTL Restore Point (17746534284132352) ========== Files/Folders - Created Within 14 Days ========== [2010/04/13 15:08:43 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Phil\Desktop\OTL.exe [2010/04/13 10:50:16 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Phil\Desktop\TDSSKiller.exe [2010/04/11 00:23:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Local Settings\Application Data\Ahead [2010/04/11 00:11:11 | 000,000,000 | ---D | C] -- C:\Program Files\Free Convert WMV MOV MPEG to AVI DIVX Converter [2010/04/10 23:53:43 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe [2010/04/10 23:53:43 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe [2010/04/10 23:53:43 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe [2010/04/10 23:53:43 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe [2010/04/10 23:37:01 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Phil\Recent [2010/04/10 21:17:59 | 000,038,912 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\picn20.dll [2010/04/10 20:53:38 | 000,364,544 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\TwnLib4.dll [2010/04/10 20:53:38 | 000,106,496 | ---- | C] (Pegasus Software) -- C:\WINDOWS\System32\TwnLib20.dll [2010/04/10 20:53:37 | 001,568,768 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagX7.dll [2010/04/10 20:53:37 | 000,476,320 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagXpr7.dll [2010/04/10 20:53:37 | 000,471,040 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagXRA7.dll [2010/04/10 20:53:37 | 000,262,144 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagXR7.dll [2010/04/10 20:53:37 | 000,155,648 | ---- | C] (Ahead Software Gmbh) -- C:\WINDOWS\System32\NeroCheck.exe [2010/04/10 20:53:35 | 000,000,000 | ---D | C] -- C:\Program Files\Ahead [2010/04/10 20:09:54 | 000,000,000 | ---D | C] -- C:\Reg Backups [2010/04/10 20:06:38 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner [2010/04/10 18:49:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\My Documents\NeroVision [2010/04/10 18:37:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia [2010/04/10 18:37:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe [2010/04/10 18:20:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Application Data\Ahead [2010/04/10 18:18:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Ahead [2010/04/10 18:12:59 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Ahead [2010/04/06 09:27:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Application Data\Facebook [2010/04/05 09:21:53 | 000,000,000 | ---D | C] -- C:\Temp folder for DVD [2010/04/05 09:00:06 | 000,000,000 | ---D | C] -- C:\VOLUME_IDENTIFIER [2010/04/04 23:35:22 | 000,000,000 | ---D | C] -- C:\Program Files\DVD Shrink [2010/04/04 23:35:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DVD Shrink [2010/04/03 13:13:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Application Data\AVS4YOU [2010/04/03 13:13:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVS4YOU [2010/04/03 13:12:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\AVSMedia [2010/04/03 13:12:13 | 000,000,000 | ---D | C] -- C:\Program Files\AVS4YOU [2010/04/02 22:43:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Local Settings\Application Data\Help [2010/04/02 22:43:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Application Data\Help [2010/04/02 22:29:15 | 000,000,000 | ---D | C] -- C:\Program Files\UP [2010/03/30 16:43:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun [2010/03/30 16:43:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java [2009/09/18 21:48:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe [2009/09/14 12:59:31 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft [2009/09/14 12:59:31 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft [2009/09/14 12:59:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft [2009/09/14 12:59:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft [2009/05/08 13:57:55 | 001,232,896 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddserv.dll [2009/05/08 13:57:55 | 000,999,424 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddusb1.dll [2009/05/08 13:57:55 | 000,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddpmui.dll [2009/05/08 13:57:55 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddlmpm.dll [2009/05/08 13:57:55 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddinpa.dll [2009/05/08 13:57:55 | 000,397,312 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddiesc.dll [2009/05/08 13:57:55 | 000,323,584 | ---- | C] ( ) -- C:\WINDOWS\System32\LXDDhcp.dll [2009/05/08 13:57:55 | 000,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddprox.dll [2009/05/08 13:57:55 | 000,094,208 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddpplc.dll [2009/05/08 13:57:54 | 000,700,416 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddhbn3.dll [2009/05/08 13:57:54 | 000,684,032 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddcomc.dll [2009/05/08 13:57:54 | 000,425,984 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddcomm.dll [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files - Modified Within 14 Days ========== [2010/04/13 15:08:53 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Phil\Desktop\OTL.exe [2010/04/13 14:25:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-308236825-839522115-1003UA.job [2010/04/13 13:54:51 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT [2010/04/13 13:51:44 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini [2010/04/13 13:41:12 | 003,914,375 | R--- | M] () -- C:\Documents and Settings\Phil\Desktop\ComboFix.exe [2010/04/13 13:39:10 | 004,194,304 | -H-- | M] () -- C:\Documents and Settings\Phil\NTUSER.DAT [2010/04/13 12:48:54 | 000,555,168 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2010/04/13 12:48:54 | 000,465,640 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat [2010/04/13 12:48:54 | 000,079,360 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat [2010/04/13 12:45:55 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2010/04/13 12:44:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2010/04/13 12:43:08 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Phil\ntuser.ini [2010/04/13 10:49:03 | 000,154,469 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\tdsskiller.zip [2010/04/13 10:48:42 | 058,857,433 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm [2010/04/12 23:34:36 | 000,004,208 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\Attach.zip [2010/04/12 22:59:51 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\9yhey3sg.exe [2010/04/12 22:56:13 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\dds.scr [2010/04/12 22:50:24 | 000,000,156 | ---- | M] () -- C:\Documents and Settings\Phil\defogger_reenable [2010/04/12 22:49:03 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\Defogger.exe [2010/04/12 22:25:01 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-308236825-839522115-1003Core.job [2010/04/12 22:22:32 | 000,002,277 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\Google Chrome.lnk [2010/04/11 21:22:40 | 000,000,094 | ---- | M] () -- C:\Documents and Settings\Phil\default.pls [2010/04/11 21:21:54 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini [2010/04/11 09:03:38 | 000,115,200 | ---- | M] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2010/04/11 00:11:15 | 000,000,034 | -H-- | M] () -- C:\WINDOWS\System32\Converter_sysquict.dat [2010/04/10 19:01:27 | 000,193,776 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2010/04/09 23:28:51 | 000,001,722 | -H-- | M] () -- C:\Documents and Settings\Phil\My Documents\Default.rdp [2010/04/05 09:09:30 | 506,986,496 | ---- | M] () -- C:\VOLUME_IDENTIFIER.ISO [2010/04/04 23:35:22 | 000,000,670 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\DVD Shrink 3.2.lnk [2010/04/03 13:13:36 | 000,046,080 | ---- | M] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\GDIPFONTCACHEV1.DAT [2010/04/02 00:03:24 | 006,397,780 | -H-- | M] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\IconCache.db [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files Created - No Company Name ========== [2010/04/13 10:48:55 | 000,154,469 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\tdsskiller.zip [2010/04/12 23:34:36 | 000,004,208 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\Attach.zip [2010/04/12 22:59:49 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\9yhey3sg.exe [2010/04/12 22:56:11 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\dds.scr [2010/04/12 22:50:21 | 000,000,156 | ---- | C] () -- C:\Documents and Settings\Phil\defogger_reenable [2010/04/12 22:49:02 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\Defogger.exe [2010/04/12 22:22:32 | 000,002,277 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\Google Chrome.lnk [2010/04/12 22:20:53 | 000,000,974 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-308236825-839522115-1003UA.job [2010/04/12 22:20:52 | 000,000,922 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-308236825-839522115-1003Core.job [2010/04/11 00:11:15 | 000,000,034 | -H-- | C] () -- C:\WINDOWS\System32\Converter_sysquict.dat [2010/04/10 23:53:43 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe [2010/04/10 23:53:43 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe [2010/04/10 23:53:43 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe [2010/04/10 23:53:43 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe [2010/04/10 23:53:43 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe [2010/04/10 23:51:44 | 003,914,375 | R--- | C] () -- C:\Documents and Settings\Phil\Desktop\ComboFix.exe [2010/04/10 22:37:25 | 000,000,094 | ---- | C] () -- C:\Documents and Settings\Phil\default.pls [2010/04/10 21:40:16 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini [2010/04/10 21:18:12 | 000,135,532 | ---- | C] () -- C:\WINDOWS\UNNeroVision.cfg [2010/04/05 09:08:21 | 506,986,496 | ---- | C] () -- C:\VOLUME_IDENTIFIER.ISO [2010/04/04 23:35:22 | 000,000,670 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\DVD Shrink 3.2.lnk [2009/10/18 20:51:23 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL [2009/10/09 17:31:42 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll [2009/10/09 17:31:30 | 000,000,032 | ---- | C] () -- C:\WINDOWS\sierra.ini [2009/09/18 18:37:00 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll [2009/09/13 01:06:16 | 000,000,745 | ---- | C] () -- C:\WINDOWS\CoD.INI [2009/09/07 22:56:11 | 000,000,765 | ---- | C] () -- C:\Documents and Settings\All Users\lxdd [2009/07/27 20:49:42 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI [2009/05/20 08:39:57 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll [2009/05/20 08:39:57 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll [2009/05/20 08:39:57 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll [2009/05/20 08:39:57 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll [2009/05/20 08:39:57 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll [2009/05/20 08:39:57 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll [2009/05/15 10:25:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI [2009/05/08 13:58:58 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxddvs.dll [2009/05/08 13:58:56 | 000,344,064 | ---- | C] () -- C:\WINDOWS\System32\lxddcoin.dll [2009/05/08 13:58:30 | 000,692,224 | ---- | C] () -- C:\WINDOWS\System32\lxdddrs.dll [2009/05/08 13:58:30 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxddcnv4.dll [2009/05/08 13:58:30 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\lxddcaps.dll [2009/05/08 13:58:13 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\lxddrwrd.ini [2009/05/08 13:57:55 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\LXDDinst.dll [2009/05/08 13:57:54 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxddgrd.dll [2009/05/05 22:19:14 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\nsldap32v50.dll [2009/05/03 14:37:12 | 000,115,200 | ---- | C] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2009/05/02 22:22:38 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll [2009/04/26 07:51:04 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini [2009/04/23 14:54:05 | 000,008,181 | ---- | C] () -- C:\WINDOWS\System32\Setup2k.ini [2009/04/23 14:54:05 | 000,000,184 | ---- | C] () -- C:\WINDOWS\System32\presetup.ini [2009/04/23 14:48:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\QSwitch.txt [2009/04/23 14:48:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\DSwitch.txt [2009/04/23 14:48:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\AtStart.txt [2009/04/23 12:16:47 | 000,000,484 | ---- | C] () -- C:\WINDOWS\ODBC.INI [2009/04/23 11:46:38 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Phil\ntuser.ini [2009/04/23 11:46:37 | 004,194,304 | -H-- | C] () -- C:\Documents and Settings\Phil\NTUSER.DAT [2009/04/23 11:46:37 | 000,024,576 | -H-- | C] () -- C:\Documents and Settings\Phil\NTUSER.DAT.LOG [2009/03/03 12:18:04 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll [2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini [2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini [2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini [2003/06/20 06:00:00 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI ========== LOP Check ========== [2009/05/02 22:25:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Age of Empires 3 [2009/09/27 16:39:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar [2010/01/02 20:17:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite [2009/05/04 14:40:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound [2009/05/08 12:13:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TaxCut [2009/09/16 11:05:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\DAEMON Tools Lite [2010/04/06 09:27:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Facebook [2009/06/30 00:22:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\InterVideo [2009/05/20 08:40:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Leadertech [2009/05/08 13:59:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Lexmark Productivity Studio [2009/05/04 14:40:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\NCH Swift Sound [2009/05/04 14:39:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Recordpad [2009/05/08 12:15:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\TaxCut [2009/04/27 22:45:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Windows Desktop Search [2009/04/28 15:30:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Windows Search ========== Purity Check ========== ========== Custom Scans ========== < %SYSTEMDRIVE%\*.exe > [2009/09/12 15:01:01 | 001,374,154 | ---- | M] () -- C:\wrar390.exe < MD5 for: AGP440.SYS > [2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys [2009/04/25 16:20:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys [2009/04/25 16:20:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys [2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys [2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\maxdriver\agp440.sys [2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys [2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys [2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys < MD5 for: ATAPI.SYS > [2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys [2009/04/25 16:20:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys [2009/04/25 16:20:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys [2010/04/13 10:54:31 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys [2008/04/13 12:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\maxdriver\atapi.sys [2008/04/13 12:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys [2010/04/13 10:54:31 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys < MD5 for: EVENTLOG.DLL > [2008/04/13 18:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll [2008/04/13 18:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll [2008/04/13 18:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll < MD5 for: IASTOR.SYS > [2005/04/25 09:28:14 | 000,871,040 | ---- | M] (Intel Corporation) MD5=D593517879E65167DF35F6015814AC59 -- C:\WINDOWS\dell\iastor\iastor.sys < MD5 for: NETLOGON.DLL > [2008/04/13 18:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll [2008/04/13 18:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll [2008/04/13 18:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll < MD5 for: NVATABUS.SYS > [2005/05/17 16:45:08 | 000,092,800 | ---- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\dell\nvraid\NvAtaBus.sys [2005/05/17 16:45:08 | 000,092,800 | ---- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\maxdriver\NvAtaBus.sys [2005/05/17 16:45:08 | 000,092,800 | ---- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\system32\drivers\NvAtaBus.sys < MD5 for: NVRAID.SYS > [2005/05/17 16:45:12 | 000,076,288 | ---- | M] (NVIDIA Corporation) MD5=9C8A8E00648EAF7A1D794F7CFB25A6B4 -- C:\WINDOWS\dell\nvraid\nvraid.sys [2005/05/17 16:45:12 | 000,076,288 | ---- | M] (NVIDIA Corporation) MD5=9C8A8E00648EAF7A1D794F7CFB25A6B4 -- C:\WINDOWS\maxdriver\nvraid.sys [2005/05/17 16:45:12 | 000,076,288 | ---- | M] (NVIDIA Corporation) MD5=9C8A8E00648EAF7A1D794F7CFB25A6B4 -- C:\WINDOWS\system32\drivers\nvraid.sys < MD5 for: SCECLI.DLL > [2008/04/13 18:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll [2008/04/13 18:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll [2008/04/13 18:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll < %systemroot%\*. /mp /s > < %systemroot%\system32\*.dll /lockedfiles > [1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ] < %systemroot%\Tasks\*.job /lockedfiles > < %systemroot%\system32\drivers\*.sys /lockedfiles > < %systemroot%\System32\config\*.sav > [2009/04/23 05:26:18 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav [2009/04/23 05:26:18 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav [2009/04/23 05:26:18 | 000,892,928 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav < End of report >
-
Thanks for helping, was there am OTL.exe tool that was supposed to be attached to the last reply you sent?
-
Here is the combofix log you requested ComboFix 10-04-13.02 - Phil 04/13/2010 13:44:03.3.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1376 [GMT -6:00] Running from: c:\documents and settings\Phil\Desktop\ComboFix.exe AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 ))))))))))))))))))))))))))))))) . 2010-04-11 06:23 . 2010-04-11 06:23 -------- d-----w- c:\documents and settings\Phil\Local Settings\Application Data\Ahead 2010-04-11 06:11 . 2010-04-11 06:11 34 ---ha-w- c:\windows\system32\Converter_sysquict.dat 2010-04-11 06:11 . 2010-04-11 06:16 -------- d-----w- c:\program files\Free Convert WMV MOV MPEG to AVI DIVX Converter 2010-04-11 03:18 . 2005-01-04 20:19 2670592 ------w- c:\windows\UNNeroVision.exe 2010-04-11 03:17 . 2001-06-26 13:15 38912 ------w- c:\windows\system32\picn20.dll 2010-04-11 02:54 . 2005-09-01 17:03 5888 ------w- c:\windows\system32\drivers\imagedrv.sys 2010-04-11 02:54 . 2005-09-01 17:03 127488 ------w- c:\windows\system32\drivers\imagesrv.sys 2010-04-11 02:53 . 2004-07-09 14:43 364544 ------w- c:\windows\system32\TwnLib4.dll 2010-04-11 02:53 . 2000-06-26 16:45 106496 ------w- c:\windows\system32\TwnLib20.dll 2010-04-06 15:27 . 2010-04-06 15:27 50354 ----a-w- c:\documents and settings\Phil\Application Data\Facebook\uninstall.exe 2010-04-06 15:27 . 2010-04-06 15:27 -------- d-----w- c:\documents and settings\Phil\Application Data\Facebook 2010-04-05 15:21 . 2010-04-05 15:22 -------- d-----w- C:\Temp folder for DVD 2010-04-05 15:00 . 2010-04-05 15:00 -------- d-----w- C:\VOLUME_IDENTIFIER 2010-04-05 05:35 . 2010-04-05 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink 2010-04-05 05:35 . 2010-04-05 05:35 -------- d-----w- c:\program files\DVD Shrink 2010-04-03 19:13 . 2010-04-03 19:13 -------- d-----w- c:\documents and settings\Phil\Application Data\AVS4YOU 2010-04-03 19:13 . 2010-04-03 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU 2010-04-03 19:12 . 2010-04-11 00:15 -------- d-----w- c:\program files\Common Files\AVSMedia 2010-04-03 19:12 . 2008-09-25 20:36 487424 ----a-w- c:\windows\system32\msvcp70.dll 2010-04-03 19:12 . 2008-09-25 20:36 344064 ----a-w- c:\windows\system32\msvcr70.dll 2010-04-03 19:12 . 2008-09-25 20:36 974848 ----a-w- c:\windows\system32\mfc70.dll 2010-04-03 19:12 . 2008-09-25 20:36 1700352 ----a-w- c:\windows\system32\GdiPlus.dll 2010-04-03 19:12 . 2008-09-25 20:36 24576 ------w- c:\windows\system32\msxml3a.dll 2010-04-03 19:12 . 2010-04-11 00:15 -------- d-----w- c:\program files\AVS4YOU 2010-04-03 04:43 . 2010-04-03 04:43 -------- d-----w- c:\documents and settings\Phil\Local Settings\Application Data\Help 2010-04-03 04:29 . 2010-04-03 04:43 -------- d-----w- c:\program files\UP 2010-03-30 22:43 . 2010-03-30 22:43 -------- d-----w- c:\program files\Common Files\Java 2010-03-30 22:42 . 2010-03-30 22:42 503808 ----a-w- c:\documents and settings\Phil\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-69b8d53b-n\msvcp71.dll 2010-03-30 22:42 . 2010-03-30 22:42 499712 ----a-w- c:\documents and settings\Phil\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-69b8d53b-n\jmc.dll 2010-03-30 22:42 . 2010-03-30 22:42 348160 ----a-w- c:\documents and settings\Phil\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-69b8d53b-n\msvcr71.dll 2010-03-30 22:42 . 2010-03-30 22:42 61440 ----a-w- c:\documents and settings\Phil\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-28dfe275-n\decora-sse.dll 2010-03-30 22:42 . 2010-03-30 22:42 12800 ----a-w- c:\documents and settings\Phil\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-28dfe275-n\decora-d3d.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-04-13 16:54 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys 2010-04-12 02:50 . 2009-04-23 11:30 57600 ----a-w- c:\windows\system32\drivers\redbook.sys 2010-04-11 04:41 . 2010-04-11 00:20 -------- d-----w- c:\documents and settings\Phil\Application Data\Ahead 2010-04-11 03:18 . 2010-04-11 02:53 -------- d-----w- c:\program files\Ahead 2010-04-11 02:53 . 2010-04-11 00:12 -------- d-----w- c:\program files\Common Files\Ahead 2010-04-11 02:06 . 2010-04-11 02:06 -------- d-----w- c:\program files\CCleaner 2010-04-11 01:12 . 2009-09-14 19:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-04-11 01:10 . 2010-02-16 03:31 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2010-04-11 00:18 . 2010-04-11 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead 2010-04-03 19:13 . 2009-04-23 17:48 46080 -c--a-w- c:\documents and settings\Phil\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-03-30 22:42 . 2009-11-28 05:54 -------- d-----w- c:\program files\Java 2010-03-30 06:46 . 2009-09-14 19:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-03-30 06:45 . 2009-09-14 19:11 20824 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-03-26 06:14 . 2009-05-08 19:59 -------- d-----w- c:\program files\Lx_cats 2010-03-09 10:28 . 2009-11-28 05:54 411368 ----a-w- c:\windows\system32\deploytk.dll 2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\Phil\Application Data\Facebook\axfbootloader.dll 2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Phil\Application Data\Facebook\npfbplugin_1_0_3.dll 2010-02-25 06:24 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll 2010-02-15 16:22 . 2010-02-15 16:22 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf 2010-02-15 16:22 . 2010-02-15 16:22 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf . ((((((((((((((((((((((((((((( SnapShot_2010-04-11_06.03.03 ))))))))))))))))))))))))))))))))))))))))) . + 2010-04-13 18:44 . 2010-04-13 18:44 16384 c:\windows\Temp\Perflib_Perfdata_388.dat + 2010-04-11 15:41 . 2008-04-14 00:11 21504 c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\hidserv.dll + 2004-08-04 12:00 . 2010-04-13 18:48 79360 c:\windows\system32\perfc009.dat - 2004-08-04 12:00 . 2010-04-11 05:45 79360 c:\windows\system32\perfc009.dat + 2009-04-23 11:30 . 2010-04-12 02:50 57600 c:\windows\system32\dllcache\redbook.sys + 2004-08-04 12:00 . 2010-04-13 18:48 465640 c:\windows\system32\perfh009.dat - 2004-08-04 12:00 . 2010-04-11 05:45 465640 c:\windows\system32\perfh009.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080] [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}] 2009-11-25 20:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080] [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080] [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Google Update"="c:\documents and settings\Phil\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-13 136176] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-02 344064] "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 202032] "Mouse Suite 98 Daemon"="ICO.EXE" [2004-07-14 57344] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808] "SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696] "WinampAgent"="e:\program files\Winamp\winampa.exe" [2009-04-10 37888] "lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-06-12 291760] "lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-04-30 20480] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-21 2046816] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] c:\documents and settings\Phil\Start Menu\Programs\Startup\ Mobile User VPN.lnk - c:\program files\WatchGuard\Mobile User VPN\SafeCfg.exe [2009-5-5 65588] c:\documents and settings\All Users\Start Menu\Programs\Startup\ InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2009-5-20 114688] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-09-14 19:01 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\World of Warcraft\\Launcher.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Ventrilo\\Ventrilo.exe"= "e:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"= "c:\\WINDOWS\\system32\\lxddcoms.exe"= "c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"= "c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"= "c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"= "c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"= "c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"= "e:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"= "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"= "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"= "c:\\Program Files\\WatchGuard\\Mobile User VPN\\IreIKE.exe"= "c:\program files\WatchGuard\Mobile User VPN\ViewLog.exe"= c:\program files\WatchGuard\Mobile User VPN\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog "c:\program files\WatchGuard\Mobile User VPN\CmonApp.exe"= c:\program files\WatchGuard\Mobile User VPN\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp "c:\program files\WatchGuard\Mobile User VPN\vpn.exe"= c:\program files\WatchGuard\Mobile User VPN\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager "c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724 "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/14/2009 1:01 PM 335240] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/14/2009 1:01 PM 108552] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/14/2009 1:00 PM 297752] R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [5/5/2009 10:21 PM 521786] R2 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [5/5/2009 10:21 PM 119864] R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?] R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [5/5/2009 10:19 PM 36188] R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 2:06 PM 231424] S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [5/8/2009 1:58 PM 99248] S3 jbridgep;jbridgep;\??\c:\docume~1\Phil\LOCALS~1\Temp\jbridgep.sys --> c:\docume~1\Phil\LOCALS~1\Temp\jbridgep.sys [?] S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2/15/2010 11:31 AM 9472] S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/16/2009 10:59 AM 691696] --- Other Services/Drivers In Memory --- *Deregistered* - pgloapod . Contents of the 'Scheduled Tasks' folder 2010-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-308236825-839522115-1003Core.job - c:\documents and settings\Phil\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-13 04:20] 2010-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-308236825-839522115-1003UA.job - c:\documents and settings\Phil\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-13 04:20] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.facebook.com/home.php IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Phil\Application Data\Mozilla\Firefox\Profiles\k8l8zeaw.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p= FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll FF - plugin: c:\documents and settings\Phil\Application Data\Facebook\npfbplugin_1_0_3.dll FF - plugin: c:\documents and settings\Phil\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); . - - - - ORPHANS REMOVED - - - - SafeBoot-klmdb.sys ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-04-13 13:51 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A3AEAC8]<< kernel: MBR read successfully detected MBR rootkit hooks: \Driver\Disk -> CLASSPNP.SYS @ 0xf74ebf28 \Driver\ACPI -> ACPI.sys @ 0xf735ecb8 \Driver\atapi -> atapi.sys @ 0xf72d2852 IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022 ParseProcedure -> ntkrnlpa.exe @ 0x80577c84 \Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022 ParseProcedure -> ntkrnlpa.exe @ 0x80577c84 NDIS: Broadcom 802.11b/g WLAN -> SendCompleteHandler -> NDIS.sys @ 0xf71c6bb0 PacketIndicateHandler -> NDIS.sys @ 0xf71d3a21 SendHandler -> NDIS.sys @ 0xf71b187b user & kernel MBR OK ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters] "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1252) c:\windows\system32\WININET.dll c:\windows\system32\Ati2evxx.dll - - - - - - - > 'lsass.exe'(1312) c:\windows\system32\WININET.dll - - - - - - - > 'explorer.exe'(3796) c:\windows\system32\WININET.dll c:\program files\Windows Desktop Search\deskbar.dll c:\program files\Windows Desktop Search\en-us\dbres.dll.mui c:\program files\Windows Desktop Search\dbres.dll c:\program files\Windows Desktop Search\wordwheel.dll c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui c:\program files\Windows Desktop Search\msnlExtRes.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2010-04-13 13:54:49 ComboFix-quarantined-files.txt 2010-04-13 19:54 ComboFix2.txt 2010-04-11 06:06 ComboFix3.txt 2010-02-16 02:22 Pre-Run: 31,597,973,504 bytes free Post-Run: 31,586,906,112 bytes free - - End Of File - - C9155FF9D2CE86C5F996C90910492C93
-
Here is the new Gmer log GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-04-13 12:50:08 Windows 5.1.2600 Service Pack 3 Running: 9yhey3sg.exe; Driver: C:\DOCUME~1\Phil\LOCALS~1\Temp\pgloapod.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwClose [0xA83F0A1C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateDirectoryObject [0xA83F0A48] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateFile [0xA83F0A7C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateKey [0xA83F0AD0] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwDeleteKey [0xA83F0B14] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateKey [0xA83F0B40] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateValueKey [0xA83F0B80] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwFlushKey [0xA83F0BC0] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMakeTemporaryObject [0xA83F0BEC] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMapViewOfSection [0xA83F0C18] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenKey [0xA83F0C68] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenSection [0xA83F0C9C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryInformationFile [0xA83F0CD0] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryKey [0xA83F0D0C] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryValueKey [0xA83F0D48] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwReadFile [0xA83F0D88] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationFile [0xA83F0DD4] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationThread [0xA83F0E10] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetValueKey [0xA83F0E48] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwUnmapViewOfSection [0xA83F0E88] SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwWriteFile [0xA83F0EB8] ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device -> \Driver\atapi \Device\Harddisk0\DR0 8A3AEAC8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ... ---- Files - GMER 1.0.15 ---- File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification ---- EOF - GMER 1.0.15 ----
-
Thank you very much for the help. Here is the TDSSKiller.txt you requested 10:52:27:000 1444 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04 10:52:27:000 1444 ================================================================================ 10:52:27:000 1444 SystemInfo: 10:52:27:000 1444 OS Version: 5.1.2600 ServicePack: 3.0 10:52:27:000 1444 Product type: Workstation 10:52:27:000 1444 ComputerName: PHILV-T64 10:52:27:000 1444 UserName: Phil 10:52:27:000 1444 Windows directory: C:\WINDOWS 10:52:27:000 1444 Processor architecture: Intel x86 10:52:27:000 1444 Number of processors: 1 10:52:27:000 1444 Page size: 0x1000 10:52:27:015 1444 Boot type: Normal boot 10:52:27:015 1444 ================================================================================ 10:52:27:015 1444 UnloadDriverW: NtUnloadDriver error 1 10:52:27:015 1444 ForceUnloadDriverW: UnloadDriverW(klmd21) error 1 10:52:27:031 1444 LoadDriverW: Driver already loaded 10:52:27:031 1444 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system 10:52:27:031 1444 wfopen_ex: MyNtCreateFileW error 32 (C0000043) 10:52:27:031 1444 wfopen_ex: Trying to KLMD file open 10:52:27:031 1444 wfopen_ex: File opened ok (Flags 2) 10:52:27:031 1444 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software 10:52:27:031 1444 wfopen_ex: MyNtCreateFileW error 32 (C0000043) 10:52:27:031 1444 wfopen_ex: Trying to KLMD file open 10:52:27:031 1444 wfopen_ex: File opened ok (Flags 2) 10:52:27:031 1444 Initialize success 10:52:27:031 1444 10:52:27:031 1444 Scanning Services ... 10:52:29:546 1444 Raw services enum returned 352 services 10:52:29:593 1444 10:52:29:593 1444 Scanning Kernel memory ... 10:52:29:593 1444 Devices to scan: 4 10:52:29:593 1444 10:52:29:593 1444 Driver Name: Disk 10:52:29:593 1444 IRP_MJ_CREATE : F74EDBB0 10:52:29:593 1444 IRP_MJ_CREATE_NAMED_PIPE : 804F355A 10:52:29:593 1444 IRP_MJ_CLOSE : F74EDBB0 10:52:29:593 1444 IRP_MJ_READ : F74E7D1F 10:52:29:593 1444 IRP_MJ_WRITE : F74E7D1F 10:52:29:593 1444 IRP_MJ_QUERY_INFORMATION : 804F355A 10:52:29:593 1444 IRP_MJ_SET_INFORMATION : 804F355A 10:52:29:593 1444 IRP_MJ_QUERY_EA : 804F355A 10:52:29:593 1444 IRP_MJ_SET_EA : 804F355A 10:52:29:593 1444 IRP_MJ_FLUSH_BUFFERS : F74E82E2 10:52:29:593 1444 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A 10:52:29:593 1444 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A 10:52:29:593 1444 IRP_MJ_DIRECTORY_CONTROL : 804F355A 10:52:29:593 1444 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A 10:52:29:593 1444 IRP_MJ_DEVICE_CONTROL : F74E83BB 10:52:29:593 1444 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74EBF28 10:52:29:593 1444 IRP_MJ_SHUTDOWN : F74E82E2 10:52:29:593 1444 IRP_MJ_LOCK_CONTROL : 804F355A 10:52:29:593 1444 IRP_MJ_CLEANUP : 804F355A 10:52:29:593 1444 IRP_MJ_CREATE_MAILSLOT : 804F355A 10:52:29:593 1444 IRP_MJ_QUERY_SECURITY : 804F355A 10:52:29:593 1444 IRP_MJ_SET_SECURITY : 804F355A 10:52:29:593 1444 IRP_MJ_POWER : F74E9C82 10:52:29:593 1444 IRP_MJ_SYSTEM_CONTROL : F74EE99E 10:52:29:593 1444 IRP_MJ_DEVICE_CHANGE : 804F355A 10:52:29:593 1444 IRP_MJ_QUERY_QUOTA : 804F355A 10:52:29:593 1444 IRP_MJ_SET_QUOTA : 804F355A 10:52:29:593 1444 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1 10:52:29:593 1444 10:52:29:593 1444 Driver Name: Disk 10:52:29:593 1444 IRP_MJ_CREATE : F74EDBB0 10:52:29:593 1444 IRP_MJ_CREATE_NAMED_PIPE : 804F355A 10:52:29:593 1444 IRP_MJ_CLOSE : F74EDBB0 10:52:29:593 1444 IRP_MJ_READ : F74E7D1F 10:52:29:593 1444 IRP_MJ_WRITE : F74E7D1F 10:52:29:593 1444 IRP_MJ_QUERY_INFORMATION : 804F355A 10:52:29:593 1444 IRP_MJ_SET_INFORMATION : 804F355A 10:52:29:593 1444 IRP_MJ_QUERY_EA : 804F355A 10:52:29:593 1444 IRP_MJ_SET_EA : 804F355A 10:52:29:593 1444 IRP_MJ_FLUSH_BUFFERS : F74E82E2 10:52:29:593 1444 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A 10:52:29:593 1444 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A 10:52:29:593 1444 IRP_MJ_DIRECTORY_CONTROL : 804F355A 10:52:29:593 1444 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A 10:52:29:593 1444 IRP_MJ_DEVICE_CONTROL : F74E83BB 10:52:29:593 1444 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74EBF28 10:52:29:593 1444 IRP_MJ_SHUTDOWN : F74E82E2 10:52:29:593 1444 IRP_MJ_LOCK_CONTROL : 804F355A 10:52:29:593 1444 IRP_MJ_CLEANUP : 804F355A 10:52:29:593 1444 IRP_MJ_CREATE_MAILSLOT : 804F355A 10:52:29:593 1444 IRP_MJ_QUERY_SECURITY : 804F355A 10:52:29:593 1444 IRP_MJ_SET_SECURITY : 804F355A 10:52:29:593 1444 IRP_MJ_POWER : F74E9C82 10:52:29:593 1444 IRP_MJ_SYSTEM_CONTROL : F74EE99E 10:52:29:593 1444 IRP_MJ_DEVICE_CHANGE : 804F355A 10:52:29:593 1444 IRP_MJ_QUERY_QUOTA : 804F355A 10:52:29:593 1444 IRP_MJ_SET_QUOTA : 804F355A 10:52:29:593 1444 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1 10:52:29:593 1444 10:52:29:593 1444 Driver Name: atapi 10:52:29:593 1444 IRP_MJ_CREATE : F72D66F2 10:52:29:593 1444 IRP_MJ_CREATE_NAMED_PIPE : 804F355A 10:52:29:593 1444 IRP_MJ_CLOSE : F72D66F2 10:52:29:593 1444 IRP_MJ_READ : 804F355A 10:52:29:593 1444 IRP_MJ_WRITE : 804F355A 10:52:29:593 1444 IRP_MJ_QUERY_INFORMATION : 804F355A 10:52:29:593 1444 IRP_MJ_SET_INFORMATION : 804F355A 10:52:29:593 1444 IRP_MJ_QUERY_EA : 804F355A 10:52:29:593 1444 IRP_MJ_SET_EA : 804F355A 10:52:29:593 1444 IRP_MJ_FLUSH_BUFFERS : 804F355A 10:52:29:593 1444 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A 10:52:29:593 1444 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A 10:52:29:593 1444 IRP_MJ_DIRECTORY_CONTROL : 804F355A 10:52:29:593 1444 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A 10:52:29:593 1444 IRP_MJ_DEVICE_CONTROL : F72D6712 10:52:29:593 1444 IRP_MJ_INTERNAL_DEVICE_CONTROL : F72D2852 10:52:29:593 1444 IRP_MJ_SHUTDOWN : 804F355A 10:52:29:593 1444 IRP_MJ_LOCK_CONTROL : 804F355A 10:52:29:593 1444 IRP_MJ_CLEANUP : 804F355A 10:52:29:593 1444 IRP_MJ_CREATE_MAILSLOT : 804F355A 10:52:29:593 1444 IRP_MJ_QUERY_SECURITY : 804F355A 10:52:29:593 1444 IRP_MJ_SET_SECURITY : 804F355A 10:52:29:593 1444 IRP_MJ_POWER : F72D673C 10:52:29:593 1444 IRP_MJ_SYSTEM_CONTROL : F72DD336 10:52:29:593 1444 IRP_MJ_DEVICE_CHANGE : 804F355A 10:52:29:593 1444 IRP_MJ_QUERY_QUOTA : 804F355A 10:52:29:593 1444 IRP_MJ_SET_QUOTA : 804F355A 10:52:29:593 1444 C:\WINDOWS\system32\drivers\tsk5.tmp - Verdict: 3 10:52:29:593 1444 10:52:29:593 1444 Driver Name: atapi 10:52:29:593 1444 IRP_MJ_CREATE : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_CREATE_NAMED_PIPE : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_CLOSE : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_READ : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_WRITE : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_QUERY_INFORMATION : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_SET_INFORMATION : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_QUERY_EA : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_SET_EA : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_FLUSH_BUFFERS : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_SET_VOLUME_INFORMATION : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_DIRECTORY_CONTROL : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_FILE_SYSTEM_CONTROL : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_DEVICE_CONTROL : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_SHUTDOWN : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_LOCK_CONTROL : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_CLEANUP : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_CREATE_MAILSLOT : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_QUERY_SECURITY : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_SET_SECURITY : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_POWER : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_SYSTEM_CONTROL : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_DEVICE_CHANGE : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_QUERY_QUOTA : 8A3A9AC8 10:52:29:593 1444 IRP_MJ_SET_QUOTA : 8A3A9AC8 10:52:29:593 1444 Driver "atapi" infected by TDSS rootkit! 10:52:29:593 1444 C:\WINDOWS\system32\drivers\tsk5.tmp - Verdict: 3 10:52:29:593 1444 10:52:29:593 1444 Completed 10:52:29:593 1444 10:52:29:593 1444 Results: 10:52:29:593 1444 Memory objects infected / cured / cured on reboot: 1 / 0 / 0 10:52:29:593 1444 Registry objects infected / cured / cured on reboot: 0 / 0 / 0 10:52:29:593 1444 File objects infected / cured / cured on reboot: 0 / 0 / 0 10:52:29:593 1444 10:52:29:593 1444 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system 10:52:29:593 1444 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software 10:52:29:593 1444 UnloadDriverW: NtUnloadDriver error 1 10:52:29:593 1444 KLMD(ARK) unloaded successfully
-
Hey All, thanks in advance for your help with this. A couple of days ago I had a rogue virus window pop up saying I was infected, I closed out of the window and ran Malwarebytes, It originially found 4 infections and said that it fixed them correctly, after it was finished I noticed that about 75% of the google links I try and follow get re-directed to advertisement sites. I ran Malwarebytes again it now shows clean, but I am pretty sure that something is still wrong. Below I have attached all of the scan files requested in the forum, I have also attached both the Malwarebytes log, 1 of them is from when the infections were found and the other is the recent clean one. Malwarebytes' Anti-Malware 1.45 www.malwarebytes.org Database version: 3976 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 4/10/2010 7:22:05 PM mbam-log-2010-04-10 (19-22-05).txt Scan type: Quick scan Objects scanned: 101650 Time elapsed: 6 minute(s), 21 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 4 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Documents and Settings\Phil\Local Settings\temp\58.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\Phil\Local Settings\temp\5B.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\Phil\Local Settings\temp\5D.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\Phil\Local Settings\temp\60.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully. Malwarebytes' Anti-Malware 1.45 www.malwarebytes.org Database version: 3983 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 4/12/2010 5:43:23 PM mbam-log-2010-04-12 (17-43-23).txt Scan type: Full scan (C:\|E:\|) Objects scanned: 171632 Time elapsed: 56 minute(s), 33 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) DDS (Ver_10-03-17.01) - NTFSx86 Run by Phil at 22:57:13.04 on Mon 04/12/2010 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1332 [GMT -6:00] AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} ============== Running Processes =============== C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE svchost.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\lxddcoms.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Program Files\RealVNC\VNC4\WinVNC4.exe C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe C:\WINDOWS\system32\ICO.EXE C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe E:\Program Files\Winamp\winampa.exe C:\Program Files\Lexmark 2500 Series\lxddmon.exe C:\Program Files\Lexmark 2500 Series\lxddamon.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\WINDOWS\system32\SearchProtocolHost.exe C:\Documents and Settings\Phil\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.facebook.com/home.php uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll uURLSearchHooks: H - No File BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [Google Update] "c:\documents and settings\phil\local settings\application data\google\update\GoogleUpdate.exe" /c mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe" mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start mRun: [Mouse Suite 98 Daemon] ICO.EXE mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe mRun: [synTPStart] c:\program files\synaptics\syntp\SynTPStart.exe mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe" mRun: [WinampAgent] "e:\program files\winamp\winampa.exe" mRun: [lxddmon.exe] "c:\program files\lexmark 2500 series\lxddmon.exe" mRun: [lxddamon] "c:\program files\lexmark 2500 series\lxddamon.exe" mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe StartupFolder: c:\docume~1\phil\startm~1\programs\startup\mobile~1.lnk - c:\program files\watchguard\mobile user vpn\SafeCfg.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll Notify: AtiExtEvent - Ati2evxx.dll Notify: avgrsstarter - avgrsstx.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\phil\applic~1\mozilla\firefox\profiles\k8l8zeaw.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p= FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll FF - plugin: c:\documents and settings\phil\application data\facebook\npfbplugin_1_0_3.dll FF - plugin: c:\documents and settings\phil\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); ============= SERVICES / DRIVERS =============== R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-14 335240] R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-14 27784] R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-14 108552] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-14 297752] R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [2009-5-5 521786] R2 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [2009-5-5 119864] R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?] R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [2009-5-5 36188] R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424] S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2009-5-8 99248] S3 jbridgep;jbridgep;\??\c:\docume~1\phil\locals~1\temp\jbridgep.sys --> c:\docume~1\phil\locals~1\temp\jbridgep.sys [?] S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2010-2-15 9472] =============== Created Last 30 ================ 2010-04-13 04:50:21 156 ----a-w- c:\documents and settings\phil\defogger_reenable 2010-04-11 06:11:15 34 ---ha-w- c:\windows\system32\Converter_sysquict.dat 2010-04-11 06:11:11 0 d-----w- c:\program files\Free Convert WMV MOV MPEG to AVI DIVX Converter 2010-04-11 05:53:43 98816 ----a-w- c:\windows\sed.exe 2010-04-11 05:53:43 77312 ----a-w- c:\windows\MBR.exe 2010-04-11 05:53:43 261632 ----a-w- c:\windows\PEV.exe 2010-04-11 05:53:43 161792 ----a-w- c:\windows\SWREG.exe 2010-04-11 04:37:25 94 ----a-w- c:\documents and settings\phil\default.pls 2010-04-11 03:40:16 116 ----a-w- c:\windows\NeroDigital.ini 2010-04-11 03:18:12 135532 ------w- c:\windows\UNNeroVision.cfg 2010-04-11 03:18:11 2670592 ------w- c:\windows\UNNeroVision.exe 2010-04-11 03:17:59 38912 ------w- c:\windows\system32\picn20.dll 2010-04-11 02:54:00 5888 ------w- c:\windows\system32\drivers\imagedrv.sys 2010-04-11 02:54:00 127488 ------w- c:\windows\system32\drivers\imagesrv.sys 2010-04-11 02:53:38 364544 ------w- c:\windows\system32\TwnLib4.dll 2010-04-11 02:53:38 106496 ------w- c:\windows\system32\TwnLib20.dll 2010-04-11 02:53:37 476320 ------w- c:\windows\system32\ImagXpr7.dll 2010-04-11 02:53:37 471040 ------w- c:\windows\system32\ImagXRA7.dll 2010-04-11 02:53:37 262144 ------w- c:\windows\system32\ImagXR7.dll 2010-04-11 02:53:37 1568768 ------w- c:\windows\system32\ImagX7.dll 2010-04-11 02:53:37 155648 ----a-w- c:\windows\system32\NeroCheck.exe 2010-04-11 02:09:54 0 d-----w- C:\Reg Backups 2010-04-11 02:06:38 0 d-----w- c:\program files\CCleaner 2010-04-06 15:27:21 0 d-----w- c:\docume~1\phil\applic~1\Facebook 2010-04-05 15:21:53 0 d-----w- C:\Temp folder for DVD 2010-04-05 15:08:21 506986496 ----a-w- C:\VOLUME_IDENTIFIER.ISO 2010-04-05 15:00:06 0 d-----w- C:\VOLUME_IDENTIFIER 2010-04-05 05:35:22 0 d-----w- c:\program files\DVD Shrink 2010-04-03 19:13:38 0 d-----w- c:\docume~1\phil\applic~1\AVS4YOU 2010-04-03 19:13:38 0 d-----w- c:\docume~1\alluse~1\applic~1\AVS4YOU 2010-04-03 19:12:15 0 d-----w- c:\program files\common files\AVSMedia 2010-04-03 19:12:14 974848 ----a-w- c:\windows\system32\mfc70.dll 2010-04-03 19:12:14 487424 ----a-w- c:\windows\system32\msvcp70.dll 2010-04-03 19:12:14 344064 ----a-w- c:\windows\system32\msvcr70.dll 2010-04-03 19:12:14 24576 ------w- c:\windows\system32\msxml3a.dll 2010-04-03 19:12:14 1700352 ----a-w- c:\windows\system32\GdiPlus.dll 2010-04-03 19:12:13 0 d-----w- c:\program files\AVS4YOU 2010-04-03 04:29:15 0 d-----w- c:\program files\UP ==================== Find3M ==================== 2010-04-12 02:50:59 57600 ----a-w- c:\windows\system32\drivers\redbook.sys 2010-03-30 06:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-03-30 06:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-03-09 10:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll 2010-02-25 06:24:37 916480 ------w- c:\windows\system32\wininet.dll 2010-02-15 16:22:54 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf 2010-02-15 16:22:14 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf ============= FINISH: 22:59:08.82 =============== Attach.zip
-
Go ahead and close it. Thanks again
-
thank you for your help, but I decided to go ahead and Re-install the OS on the Machine. When I tried to run the GMER again it would go to the BSOD every time so I said the heck with it Thanks again for your time and assistance
-
Oh, I didn't add to the last reply. I do thank you very much for your help.