TDL3 rootkit problem-Atapi.sys infected


Hi,

I was wondering if you could help with what seems an identical problem posted on your forum?

Atapi.sys infection? Start of Problems???

Deltalima was the expert involved with solving the TDL3 rootkit problem. How easily can it be fixed?

Please see the attached scan logs from Mbam, GMER and HijackThis.

It took a bit of work getting Mbam and Spybot with the latest updates, as they were being blocked. Now the problem seems to be atapi.sys. I believe that if I delete atapi.sys I will not be able to reboot the system.

I have an IBM system with Rescue and Recovery, and the pre-load is on a partition of the hard drive. I want to avoid reformatting, as I have already done so about 3 months ago.

Many thanks

New member "novemberwhisky"

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-02-24 20:52:41

Windows 5.1.2600 Service Pack 3

Running: 5s9i679h.exe; Driver: C:\DOCUME~1\DAD\LOCALS~1\Temp\awrdapow.sys

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF73FB780]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExA] [004179E4] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe

IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateWindowExW] [00417A5E] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe

IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!ShowWindow] [00417AD8] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe

IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExA] [004179E4] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe

IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!CreateWindowExW] [00417A5E] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe

IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowPos] [00417B8A] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe

IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!ShowWindow] [00417AD8] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe

IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\wininet.dll [USER32.dll!SetWindowPos] [00417B8A] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe

IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\wininet.dll [USER32.dll!CreateWindowExW] [00417A5E] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe

IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!CreateWindowExW] [00417A5E] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe

IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!ShowWindow] [00417AD8] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe

IAT C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe[2904] @ C:\WINDOWS\system32\shell32.dll [USER32.dll!SetWindowPos] [00417B8A] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ibmfilter.sys (IBM Rescue and Recovery filter driver/IBM)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-1b [F73EEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F73EEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

Device \Driver\atapi \Device\Ide\IdePort0 [F73EEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

Device \Driver\atapi \Device\Ide\IdePort1 [F73EEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

Device \Driver\atapi \Device\Ide\IdePort2 [F73EEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

Device \Driver\atapi \Device\Ide\IdePort3 [F73EEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10 [F73EEB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\RRbackups\C 0 bytes

File C:\RRbackups\Documents and Settings 0 bytes

File C:\RRbackups\Documents and Settings\All Users 0 bytes

File C:\RRbackups\Documents and Settings\All Users\Application Data 0 bytes

File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft 0 bytes

File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto 0 bytes

File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA 0 bytes

File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys 0 bytes

File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_c90750f4-1a9a-4385-b16f-b780e69ce3dc 52 bytes

File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18 0 bytes

File C:\RRbackups\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\d42cc0c3858a58db2db37658219e6400_c90750f4-1a9a-4385-b16f-b780e69ce3dc 893 bytes

File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage 0 bytes

File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security 0 bytes

File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\css.ini 26 bytes

File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\encobject.dat 1608 bytes

File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\swkeys.dat 6372 bytes

File C:\RRbackups\Documents and Settings\All Users\Application Data\ThinkVantage\Client Security\symkeys.dat 656 bytes

File C:\RRbackups\Documents and Settings\DAD 0 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data 0 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft 0 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Crypto 0 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Crypto\RSA 0 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Crypto\RSA\S-1-5-21-913010512-750300659-3987821213-1006 0 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Crypto\RSA\S-1-5-21-913010512-750300659-3987821213-1006\095eef4ec6fbefd1e618f6bcc8a2c409_c90750f4-1a9a-4385-b16f-b780e69ce3dc 44 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Crypto\RSA\S-1-5-21-913010512-750300659-3987821213-1006\533145ef011ddf5ca3983e2545a902b4_c90750f4-1a9a-4385-b16f-b780e69ce3dc 2075 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Crypto\RSA\S-1-5-21-913010512-750300659-3987821213-1006\83aa4cc77f591dfc2374580bbd95f6ba_c90750f4-1a9a-4385-b16f-b780e69ce3dc 45 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect 0 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\CREDHIST 296 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003 0 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003\bcc758da-8202-4f98-8e02-b38aaef0f0a2 388 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003\Preferred 24 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003 0 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003\b494fd33-76f6-4b91-9917-7145d83c8e0f 388 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003\Preferred 24 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-913010512-750300659-3987821213-1006 0 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-913010512-750300659-3987821213-1006\56bdf13a-bad8-4cd1-ab44-1a2499927ac1 388 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-913010512-750300659-3987821213-1006\e8018cf0-b6e6-4359-aa8a-6a671f2cae47 388 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\Protect\S-1-5-21-913010512-750300659-3987821213-1006\Preferred 24 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\SystemCertificates 0 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\SystemCertificates\My 0 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\ThinkVantage 0 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\ThinkVantage\Client Security 0 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\ThinkVantage\Client Security\encobject.dat 6432 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\ThinkVantage\Client Security\hibernation.dat 4 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\ThinkVantage\Client Security\swkeys.dat 4248 bytes

File C:\RRbackups\Documents and Settings\DAD\Application Data\ThinkVantage\Client Security\symkeys.dat 1968 bytes

File C:\RRbackups\Documents and Settings\Default User 0 bytes

File C:\RRbackups\Documents and Settings\Default User\Application Data 0 bytes

File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft 0 bytes

File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect 0 bytes

File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\CREDHIST 24 bytes

File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003 0 bytes

File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003\bcc758da-8202-4f98-8e02-b38aaef0f0a2 388 bytes

File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003\Preferred 24 bytes

File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003 0 bytes

File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003\b494fd33-76f6-4b91-9917-7145d83c8e0f 388 bytes

File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003\Preferred 24 bytes

File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates 0 bytes

File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My 0 bytes

File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes

File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes

File C:\RRbackups\Documents and Settings\Default User\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes

File C:\RRbackups\Documents and Settings\KIDS 0 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data 0 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft 0 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Crypto 0 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Crypto\RSA 0 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Crypto\RSA\S-1-5-21-913010512-750300659-3987821213-1007 0 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Crypto\RSA\S-1-5-21-913010512-750300659-3987821213-1007\533145ef011ddf5ca3983e2545a902b4_c90750f4-1a9a-4385-b16f-b780e69ce3dc 2075 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Protect 0 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Protect\CREDHIST 24 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003 0 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003\bcc758da-8202-4f98-8e02-b38aaef0f0a2 388 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003\Preferred 24 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003 0 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003\b494fd33-76f6-4b91-9917-7145d83c8e0f 388 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003\Preferred 24 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Protect\S-1-5-21-913010512-750300659-3987821213-1007 0 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Protect\S-1-5-21-913010512-750300659-3987821213-1007\979da260-4fa4-4938-86a8-22941fb6619c 388 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\Protect\S-1-5-21-913010512-750300659-3987821213-1007\Preferred 24 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\SystemCertificates 0 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\SystemCertificates\My 0 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\ThinkVantage 0 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\ThinkVantage\Client Security 0 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\ThinkVantage\Client Security\encobject.dat 6432 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\ThinkVantage\Client Security\hibernation.dat 4 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\ThinkVantage\Client Security\swkeys.dat 4248 bytes

File C:\RRbackups\Documents and Settings\KIDS\Application Data\ThinkVantage\Client Security\symkeys.dat 1968 bytes

File C:\RRbackups\Documents and Settings\LocalService 0 bytes

File C:\RRbackups\Documents and Settings\LocalService\Application Data 0 bytes

File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft 0 bytes

File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates 0 bytes

File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My 0 bytes

File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes

File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes

File C:\RRbackups\Documents and Settings\LocalService\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes

File C:\RRbackups\Documents and Settings\NetworkService 0 bytes

File C:\RRbackups\Documents and Settings\NetworkService\Application Data 0 bytes

File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft 0 bytes

File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates 0 bytes

File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My 0 bytes

File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes

File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes

File C:\RRbackups\Documents and Settings\NetworkService\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes

File C:\RRbackups\Documents and Settings\Owner 0 bytes

File C:\RRbackups\Documents and Settings\Owner\Application Data 0 bytes

File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft 0 bytes

File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\Crypto 0 bytes

File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\Crypto\RSA 0 bytes

File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\Protect 0 bytes

File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\Protect\CREDHIST 24 bytes

File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003 0 bytes

File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003\bcc758da-8202-4f98-8e02-b38aaef0f0a2 388 bytes

File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003\Preferred 24 bytes

File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003 0 bytes

File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003\b494fd33-76f6-4b91-9917-7145d83c8e0f 388 bytes

File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003\Preferred 24 bytes

File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\SystemCertificates 0 bytes

File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\SystemCertificates\My 0 bytes

File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes

File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes

File C:\RRbackups\Documents and Settings\Owner\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes

File C:\RRbackups\Documents and Settings\TEMP 0 bytes

File C:\RRbackups\Documents and Settings\TEMP\Application Data 0 bytes

File C:\RRbackups\Documents and Settings\TEMP\Application Data\Microsoft 0 bytes

File C:\RRbackups\Documents and Settings\TEMP\Application Data\Microsoft\Protect 0 bytes

File C:\RRbackups\Documents and Settings\TEMP\Application Data\Microsoft\Protect\S-1-5-21-3463794273-3861453470-3792677237-1003 0 bytes

File C:\RRbackups\Documents and Settings\TEMP\Application Data\Microsoft\Protect\S-1-5-21-3594824112-253328111-277388107-1003 0 bytes

File C:\RRbackups\Documents and Settings\TEMP\Application Data\Microsoft\Protect\S-1-5-21-913010512-750300659-3987821213-1006 0 bytes

File C:\RRbackups\Documents and Settings\TEMP\Application Data\Microsoft\SystemCertificates 0 bytes

File C:\RRbackups\Documents and Settings\TEMP\Application Data\Microsoft\SystemCertificates\My 0 bytes

File C:\RRbackups\Documents and Settings\TEMP\Application Data\Microsoft\SystemCertificates\My\Certificates 0 bytes

File C:\RRbackups\Documents and Settings\TEMP\Application Data\Microsoft\SystemCertificates\My\CRLs 0 bytes

File C:\RRbackups\Documents and Settings\TEMP\Application Data\Microsoft\SystemCertificates\My\CTLs 0 bytes

File C:\RRbackups\Documents and Settings\TEMP\Application Data\ThinkVantage 0 bytes

File C:\RRbackups\Documents and Settings\TEMP\Application Data\ThinkVantage\Client Security 0 bytes

File C:\RRbackups\hints.dat 8192 bytes

File C:\RRbackups\osfilter.txt 7563 bytes

File C:\RRbackups\regcerts.dat 8192 bytes

File C:\RRbackups\rr.log 3016 bytes

File C:\RRbackups\SAM 262144 bytes

File C:\RRbackups\system 6815744 bytes

File C:\RRbackups\system.dat 12288 bytes

File C:\RRbackups\tvt.txt 10076 bytes

File C:\RRbackups\usersids.dat 11440 bytes

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:07:33, on 24/02/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe

C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe

C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ICO.EXE

C:\WINDOWS\system32\FSRremoS.EXE

C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe

C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe

C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\WINDOWS\SOUNDMAN.EXE

D:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

C:\Documents and Settings\DAD\Application Data\SystemProc\lsass.exe

C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgre.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.com/us/en/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE

O4 - HKLM\..\Run: [SUScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [ISUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe

O4 - HKLM\..\Run: [cssauthe] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" silent

O4 - HKLM\..\Run: [SKDaemon.exe] C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [EarthLink Installer] " /C

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon

O4 - HKCU\..\Run: [TOY5KNQ8OC] C:\DOCUME~1\DAD\LOCALS~1\Temp\Ykb.exe

O4 - HKLM\..\Policies\Explorer\Run: [RTHDBPL] C:\Documents and Settings\DAD\Application Data\SystemProc\lsass.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll

O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java142\jre\bin\NPJPI142.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O11 - Options group: [JAVA_IBM] Java (IBM)

O14 - IERESET.INF: START_PAGE_URL=http://www.lenovo.com/us/en/

O16 - DPF: {2DAD3559-2923-4935-AD49-B673D2539944} (IASRunner Class) - http://www-307.ibm.com/pc/support/acpir.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{382CDC68-6BEF-4ADC-B514-E72B86A01101}: NameServer = 93.188.164.224,93.188.166.70

O17 - HKLM\System\CCS\Services\Tcpip\..\{3AB7A6DB-36A0-45D6-8267-468F18D94C87}: NameServer = 93.188.164.224,93.188.166.70

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.224,93.188.166.70

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.164.224,93.188.166.70

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.224,93.188.166.70

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)

O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe

O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe

O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

--

End of file - 10282 bytes

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:31:26, on 28/02/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ICO.EXE

C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe

C:\WINDOWS\system32\FSRremoS.EXE

C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe

C:\Program Files\ThinkVantage\SystemUpdate\PipeServer.exe

C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

D:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgre.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lenovo.com/us/en/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE

O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "c:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\Lenovo\LENOVO~2\LPMGR.exe

O4 - HKLM\..\Run: [cssauthe] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" silent

O4 - HKLM\..\Run: [sKDaemon.exe] C:\Program Files\Lenovo\Productivity Keyboard\SKDaemon.exe

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)

--

End of file - 8117 bytes

mbam_log_2010_02_28__20_20_55_.txt

mbam_log_2010_02_23__23_37_51_.txt


Hello and welcome to the Malware removal forums.

Please read through the instructions to familiarize yourself with what to expect when the tool runs.

It is vitally important that ComboFix is renamed before it even starts to download.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    -Tools->Options->Main tab
    -Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

  • Double click on ComboFix.exe & follow the prompts. Close all other windows/browsers first.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. Do not run ComboFix more than once. If you have problems, please post back for further instructions.

3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.


Hi IndiGenus,

Here is the log you asked for.

Thanks

Novemberwhisky

ComboFix 10-03-03.03 - DAD 03/03/2010 22:27:09.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.737 [GMT 0:00]

Running from: c:\documents and settings\DAD\Desktop\Combo-Fix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\hpe78.dll

c:\windows\EventSystem.log

.

((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))

.

2010-02-26 17:45 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

2010-02-25 23:39 . 2010-02-25 23:39 -------- d-----w- c:\windows\system32\NtmsData

2010-02-24 23:16 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-24 23:16 . 2010-02-24 23:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-24 23:16 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-24 22:25 . 2010-02-24 22:27 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-02-24 22:25 . 2010-02-24 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-02-24 22:24 . 2010-02-24 22:24 -------- d-----w- c:\documents and settings\DAD\Application Data\AVG9

2010-02-24 20:56 . 2010-02-24 20:56 -------- d-----w- c:\program files\Trend Micro

2010-02-23 21:39 . 2010-02-23 21:39 -------- d-----w- c:\documents and settings\DAD\Application Data\Malwarebytes

2010-02-23 21:38 . 2010-02-23 21:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-02-22 22:52 . 2010-02-22 22:52 -------- d-----w- c:\documents and settings\DAD\Local Settings\Application Data\Help

2010-02-18 10:49 . 2010-02-18 11:30 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-02-10 21:06 . 2009-11-27 17:11 17920 ------w- c:\windows\system32\dllcache\msyuv.dll

2010-02-05 20:43 . 2010-02-25 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2010-02-05 20:43 . 2010-02-05 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller

2010-02-05 17:41 . 2010-02-17 21:54 -------- d-----w- c:\windows\system32\Adobe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-02-25 17:49 . 2009-12-03 02:05 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-02-21 15:55 . 2009-12-03 02:14 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS

2010-02-05 20:43 . 2009-12-03 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2010-01-23 19:39 . 2010-01-23 19:39 -------- d-----w- c:\documents and settings\KIDS\Application Data\Apple Computer

2010-01-12 13:03 . 2009-12-03 20:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-12-31 16:50 . 1980-01-01 08:00 353792 ------w- c:\windows\system32\drivers\srv.sys

2009-12-26 15:51 . 2009-12-12 14:43 24816 ------w- c:\documents and settings\KIDS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-25 13:10 . 2009-12-25 13:10 26260 ---h--w- c:\windows\system32\mlfcache.dat

2009-12-21 19:14 . 1980-01-01 08:00 916480 ------w- c:\windows\system32\wininet.dll

2009-12-16 18:43 . 2004-08-09 21:22 343040 ------w- c:\windows\system32\mspaint.exe

2009-12-15 19:52 . 2009-12-03 03:13 24816 ------w- c:\documents and settings\DAD\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-12-14 07:08 . 1980-01-01 08:00 33280 ------w- c:\windows\system32\csrsrv.dll

2009-12-12 19:29 . 2009-12-12 19:29 10134 ------r- c:\documents and settings\DAD\Application Data\Microsoft\Installer\{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}\ARPPRODUCTICON.exe

2009-12-12 19:25 . 2009-12-12 19:23 23510720 ------w- c:\documents and settings\DAD\Application Data\Sony Setup\09063B41-0916-4360-A80D-0C2A2B89D300\dotnetfx.exe

2009-12-12 19:19 . 2009-12-12 19:17 32494896 ------w- c:\documents and settings\DAD\Application Data\Sony Setup\9234765D-29DF-48d0-93FB-284B7B6009B9\QuickTimeInstaller.exe

2009-12-09 16:54 . 2009-12-09 16:54 846312 ------w- c:\documents and settings\DAD\Application Data\MSNInstaller\msnauins.exe

2009-12-08 21:46 . 2009-12-08 21:47 25512 ------w- c:\windows\system32\drivers\ggsemc.sys

2009-12-08 21:46 . 2009-12-08 21:47 13224 ------w- c:\windows\system32\drivers\ggflt.sys

2009-12-08 21:46 . 2009-12-08 21:47 1112288 ------w- c:\windows\system32\WdfCoInstaller01007.dll

2009-12-08 19:27 . 1980-01-01 08:00 2189184 ------w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:43 . 2004-08-04 06:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe

2009-12-04 22:50 . 2009-12-04 22:50 86016 ------w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe

2009-12-04 18:22 . 1980-01-01 08:00 455424 ------w- c:\windows\system32\drivers\mrxsmb.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-11-25 13:01 1230080 ------w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2009-09-24 434176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Mouse Suite 98 Daemon"="ICO.EXE" [2005-04-13 49152]

"suScheduler"="c:\program files\ThinkVantage\SystemUpdate\UCLauncher.exe" [2005-08-02 40960]

"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-03-01 196710]

"LPManager"="c:\progra~1\Lenovo\LENOVO~2\LPMGR.exe" [2005-12-07 106496]

"cssauthe"="c:\program files\IBM ThinkVantage\Client Security Solution\cssauthe.exe" [2006-03-01 1992240]

"SKDaemon.exe"="c:\program files\Lenovo\Productivity Keyboard\SKDaemon.exe" [2006-02-06 262144]

"SoundMan"="SOUNDMAN.EXE" [2006-01-11 577536]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]

"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-12-03 03:50 12464 ------w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\ThinkVantage\\SystemUpdate\\jre\\bin\\javaw.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"d:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [03/12/2009 03:50 333192]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [03/12/2009 03:50 360584]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [03/12/2009 03:50 906520]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [03/12/2009 03:50 285392]

R2 smi2;smi2;c:\program files\SMI2\smi2.sys [22/12/2005 00:45 3968]

R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [09/12/2009 23:04 27632]

S0 ANCSQ;ANCSQ;c:\windows\system32\drivers\ANCSQ.sys --> c:\windows\system32\drivers\ANCSQ.sys [?]

S2 OMSI download service;Sony Ericsson OMSI download service;c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe [09/12/2009 23:02 90112]

S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [08/12/2009 21:47 13224]

S3 s3chipid;s3chipid;\??\c:\docume~1\Owner\LOCALS~1\Temp\s3chipid.sys --> c:\docume~1\Owner\LOCALS~1\Temp\s3chipid.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2010-02-25 c:\windows\Tasks\User_Feed_Synchronization-{A277806A-F328-4CC4-9BA9-41C902613B3B}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 12:31]

.

.

------- Supplementary Scan -------

.

uLocal Page = hxxp://www.google.com/

uStart Page = hxxp://home.bt.yahoo.com/

uInternet Connection Wizard,ShellNext = hxxp://www.lenovo.com/us/en/

uInternet Settings,ProxyOverride = *.local

IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html

IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html

IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html

IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html

IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html

IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

HKLM-Run-ISUSScheduler - c:\program files\Common Files\InstallShield\UpdateService\issch.exe

HKLM-Run-POINTER - point32.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-03 22:34

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2010-03-03 22:35:23

ComboFix-quarantined-files.txt 2010-03-03 22:35

Pre-Run: 41,218,633,728 bytes free

Post-Run: 41,828,462,592 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Home Edition" /fastdetect

- - End Of File - - 719C2E6C9ED7793955116D36AAAE35B5

log.txt


How is it running at this point? I would like to get another scan run here.

Run OTL

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    CREATERESTOREPOINT


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in.

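The `/md5start ... /md5stop` block in the OTL custom scan above makes OTL hash a list of boot-critical drivers and system DLLs. The reason that matters for a TDL3-type infection is that the rootkit patches a legitimate driver such as atapi.sys in place: the file keeps its name, its location and usually its size, so only its hash gives it away. The Python below is an added illustration of that check and is not OTL's code or anything posted in this thread. It assumes a `baseline` dictionary of known-good MD5s for the listed names, which in a real check must come from a clean machine of the same Windows build; the hashes and the temporary directory tree in `demo()` are constructed placeholders. It also compares the live copy under `system32\drivers` with the copy under `system32\dllcache` (the Windows File Protection backup on XP), because a live driver that differs from its dllcache copy is a strong sign of in-place tampering.

```python
"""Hash check for boot-critical drivers, modelled on OTL's /md5start list.

Added example; not OTL's own implementation. Baseline hashes are placeholders.
"""
import hashlib
import tempfile
from pathlib import Path

# Names taken from the /md5start ... /md5stop block in the OTL instructions.
MD5_LIST = [
    "eventlog.dll", "scecli.dll", "netlogon.dll", "cngaudit.dll", "sceclt.dll",
    "ntelogon.dll", "logevent.dll", "iaStor.sys", "nvstor.sys", "atapi.sys",
    "IdeChnDr.sys", "viasraid.sys", "AGP440.sys", "vaxscsi.sys", "nvatabus.sys",
    "viamraid.sys", "nvata.sys", "nvgts.sys", "iastorv.sys", "ViPrt.sys",
    "eNetHook.dll", "ahcix86.sys", "KR10N.sys",
]

# Where copies of these files live on an XP system, relative to %SystemRoot%.
# The last entry is the Windows File Protection backup directory.
SEARCH_SUBDIRS = [("system32", "drivers"), ("system32",), ("system32", "dllcache")]


def md5_of(path):
    """MD5 of a file, streamed so large drivers are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_drivers(system_root, names, baseline):
    """Hash every copy of each listed file and compare it with the baseline.

    Returns {name: [(path, status, md5), ...]} where status is one of
    OK (matches baseline), MISMATCH (present but differs), UNKNOWN (no baseline
    entry) or MISSING (no copy found in any search directory).
    """
    system_root = Path(system_root)
    baseline = {k.lower(): v.lower() for k, v in baseline.items()}
    report = {}
    for name in names:
        hits = []
        for sub in SEARCH_SUBDIRS:
            candidate = system_root.joinpath(*sub, name)
            if not candidate.is_file():
                continue
            digest = md5_of(candidate)
            expected = baseline.get(name.lower())
            if expected is None:
                status = "UNKNOWN"
            elif digest == expected:
                status = "OK"
            else:
                status = "MISMATCH"
            hits.append((str(candidate), status, digest))
        report[name] = hits or [(None, "MISSING", None)]
    return report


def flagged(report):
    """Names with at least one copy whose hash does not match the baseline."""
    return sorted(n for n, hits in report.items() if any(h[1] == "MISMATCH" for h in hits))


def inconsistent_copies(report):
    """Names whose copies (e.g. live driver vs dllcache backup) do not all hash alike."""
    return sorted(n for n, hits in report.items() if len({h[2] for h in hits if h[2]}) > 1)


def demo():
    """Constructed XP-like tree: a patched atapi.sys next to a clean dllcache copy."""
    root = Path(tempfile.mkdtemp(prefix="xp_demo_"))
    drivers = root / "system32" / "drivers"
    dllcache = root / "system32" / "dllcache"
    drivers.mkdir(parents=True)
    dllcache.mkdir(parents=True)

    clean_atapi = b"MZ" + b"\x00" * 64 + b"constructed clean atapi.sys body"
    patched_atapi = clean_atapi[:-6] + b"PATCHD"      # same length, different bytes
    clean_nvstor = b"MZ" + b"\x00" * 64 + b"constructed clean nvstor.sys body"

    (drivers / "atapi.sys").write_bytes(patched_atapi)  # live copy, tampered
    (dllcache / "atapi.sys").write_bytes(clean_atapi)   # WFP backup, untouched
    (drivers / "nvstor.sys").write_bytes(clean_nvstor)

    # Placeholder baseline computed from the constructed clean bytes.
    baseline = {
        "atapi.sys": hashlib.md5(clean_atapi).hexdigest(),
        "nvstor.sys": hashlib.md5(clean_nvstor).hexdigest(),
    }
    return check_drivers(root, ["atapi.sys", "nvstor.sys", "KR10N.sys"], baseline)


if __name__ == "__main__":
    result = demo()
    for name, hits in result.items():
        for path, status, digest in hits:
            print(f"{name:12} {status:9} {digest or '-':32} {path or '-'}")
    print("flagged:", flagged(result))
    print("live/dllcache disagree:", inconsistent_copies(result))
```

In the demo the live atapi.sys is reported as MISMATCH while its dllcache copy is OK, so the file shows up under both `flagged()` and `inconsistent_copies()`; a file on the list that is simply absent from the machine (KR10N.sys here) is reported MISSING rather than treated as suspicious, since many of the listed storage drivers are chipset-specific. MD5 is used because that is what OTL reports; if you build your own baseline, record SHA-256 alongside it.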

IndiGenus,

OTL scans as requested below. My browser is still diverting me to unwanted web pages. I came home from work and the PC was on already (my kids had turned it on by accident), and I had to restart to enable the wireless connection, which involved a hard shutdown (which has been happening on and off for several weeks now).

Thanks

novemberwhisky

OTL logfile created on: 04/03/2010 18:39:53 - Run 1

OTL by OldTimer - Version 3.1.33.0 Folder = C:\Documents and Settings\DAD\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,023.00 Mb Total Physical Memory | 426.00 Mb Available Physical Memory | 42.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 70.29 Gb Total Space | 38.94 Gb Free Space | 55.39% Space Free | Partition Type: NTFS

Drive D: | 14.33 Gb Total Space | 10.50 Gb Free Space | 73.26% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: DADKIDS

Current User Name: DAD

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 14 Days

Output = Standard

Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/04 18:34:59 | 000,552,960 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe

PRC - [2009/12/11 18:41:15 | 000,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe

PRC - [2009/12/11 18:41:15 | 000,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe

PRC - [2009/12/03 03:50:39 | 001,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe

PRC - [2009/12/03 03:50:38 | 000,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe

PRC - [2009/12/03 03:50:31 | 000,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe

PRC - [2009/12/03 03:50:30 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe

PRC - [2009/04/30 12:23:26 | 000,090,112 | ---- | M] () -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2006/03/01 19:50:06 | 000,626,810 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

PRC - [2006/03/01 00:05:54 | 002,364,976 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgre.exe

PRC - [2006/03/01 00:00:34 | 001,992,240 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe

PRC - [2006/02/06 22:39:36 | 000,262,144 | R--- | M] (LITE-ON TECHNOLOGY CORP.) -- C:\Program Files\Lenovo\Productivity Keyboard\Skdaemon.exe

PRC - [2006/01/11 23:08:36 | 000,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE

PRC - [2005/12/07 09:00:00 | 000,106,496 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE

PRC - [2005/10/28 11:23:10 | 001,404,928 | ---- | M] (Belkin) -- C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

PRC - [2005/08/02 01:33:04 | 000,126,976 | ---- | M] () -- C:\Program Files\ThinkVantage\SystemUpdate\PipeServer.exe

PRC - [2005/04/13 22:34:28 | 000,049,152 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ico.exe

PRC - [2003/11/06 23:51:32 | 000,020,480 | ---- | M] () -- C:\WINDOWS\system32\FSRremoS.EXE

========== Modules (SafeList) ==========

MOD - [2010/03/04 18:34:59 | 000,552,960 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/12/03 03:50:31 | 000,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)

SRV - [2009/12/03 03:50:30 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)

SRV - [2009/12/03 02:13:32 | 000,032,256 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psasrv.exe -- (PsaSrv)

SRV - [2009/04/30 12:23:26 | 000,090,112 | ---- | M] () [Auto | Running] -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe -- (OMSI download service)

SRV - [2006/03/01 19:50:06 | 000,626,810 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)

SRV - [2005/12/22 02:34:58 | 000,077,824 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe -- (TVT Scheduler)

SRV - [2005/12/22 02:20:56 | 001,384,448 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe -- (TVT Backup Service)

SRV - [2005/08/02 01:32:40 | 000,040,960 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe -- (UCLauncherService)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = http://www.google.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D6 FD 9C 1C FA 83 CA 01 [binary data]

IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found

IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

[2010/02/25 00:05:02 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/02/24 23:01:36 | 000,380,253 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 13102 more lines...

O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()

O3 - HKCU\..\Toolbar\ShellBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()

O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [cssauthe] C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe (Lenovo Group Limited)

O4 - HKLM..\Run: [DiskeeperSystray] C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe (Diskeeper Corporation)

O4 - HKLM..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

O4 - HKLM..\Run: [LPManager] C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE (Lenovo Group Limited)

O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)

O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)

O4 - HKLM..\Run: [SKDaemon.exe] C:\Program Files\Lenovo\Productivity Keyboard\Skdaemon.exe (LITE-ON TECHNOLOGY CORP.)

O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [SUScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe ()

O4 - HKCU..\Run: [Sony Ericsson PC Suite] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe (Sony Ericsson Mobile Communications AB)

O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe (Belkin)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8 - Extra context menu item: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O8 - Extra context menu item: &Translate English Word - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O8 - Extra context menu item: Backward Links - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O8 - Extra context menu item: Cached Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O8 - Extra context menu item: Similar Pages - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O8 - Extra context menu item: Translate Page into English - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/1.4.2/...all-142-win.cab (Java Plug-in 1.4.2)

O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4.2/...all-142-win.cab (Java Plug-in 1.4.2)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)

O24 - Desktop WallPaper: C:\Documents and Settings\DAD\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\DAD\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/12/03 02:34:50 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - comfile [open] -- "%1" %*

O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found

NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/08/09 21:12:00 | 000,000,000 | ---D | M]

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)

NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT

Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 14 Days ==========

[2010/03/04 18:34:55 | 000,552,960 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe

[2010/03/04 16:32:28 | 000,000,000 | -HSD | C] -- C:\RECYCLER

[2010/03/03 22:06:19 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2010/03/03 22:04:38 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/03/03 22:04:38 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/03/03 22:04:38 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/03/03 22:04:38 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/03/03 22:04:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/03/03 22:04:29 | 000,000,000 | ---D | C] -- C:\Combo-Fix

[2010/03/03 22:04:16 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/02/25 23:39:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData

[2010/02/24 23:16:18 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/02/24 23:16:16 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/02/24 23:16:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2010/02/24 22:25:41 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy

[2010/02/24 22:25:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

[2010/02/24 22:24:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\DAD\Application Data\AVG9

[2010/02/24 20:56:41 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2010/02/24 01:13:10 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox

[2010/02/23 23:37:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft

[2010/02/23 21:39:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\DAD\Application Data\Malwarebytes

[2010/02/23 21:38:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2010/02/22 22:52:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\DAD\Local Settings\Application Data\Help

[2010/02/22 22:52:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\DAD\Application Data\Help

[2009/12/04 22:54:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

[2009/12/03 03:31:59 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

[2009/12/03 03:31:59 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

[2004/08/09 21:33:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/03/04 18:35:21 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{A277806A-F328-4CC4-9BA9-41C902613B3B}.job

[2010/03/04 18:34:59 | 000,552,960 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe

[2010/03/04 18:30:36 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/03/04 18:30:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/03/04 18:30:30 | 1073,270,784 | -HS- | M] () -- C:\hiberfil.sys

[2010/03/04 18:24:23 | 009,175,040 | -H-- | M] () -- C:\Documents and Settings\DAD\NTUSER.DAT

[2010/03/04 18:24:23 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\DAD\ntuser.ini

[2010/03/04 18:24:18 | 007,464,274 | -H-- | M] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\IconCache.db

[2010/03/03 23:11:36 | 056,626,860 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm

[2010/03/03 22:33:37 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/03/03 22:06:24 | 000,000,254 | RHS- | M] () -- C:\BOOT.INI

[2010/03/03 21:46:57 | 004,118,254 | R--- | M] () -- C:\Documents and Settings\DAD\Desktop\Combo-Fix.exe

[2010/03/03 19:34:02 | 000,010,973 | ---- | M] () -- C:\Documents and Settings\DAD\My Documents\1.docx

[2010/02/27 18:29:37 | 000,018,944 | ---- | M] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/02/26 20:22:16 | 000,001,514 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk

[2010/02/25 22:16:07 | 000,462,454 | ---- | M] () -- C:\Documents and Settings\DAD\Desktop\over confident.bmp

[2010/02/25 21:59:08 | 000,038,118 | ---- | M] () -- C:\Documents and Settings\DAD\Desktop\the hostile world awaits.jpg

[2010/02/25 21:11:54 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/02/24 23:16:20 | 000,000,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/02/24 23:01:36 | 000,380,253 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010/02/24 22:25:48 | 000,000,944 | ---- | M] () -- C:\Documents and Settings\DAD\Desktop\Spybot - Search & Destroy.lnk

[2010/02/24 20:56:42 | 000,001,745 | ---- | M] () -- C:\Documents and Settings\DAD\Desktop\HijackThis.lnk

[2010/02/19 17:23:51 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/03 22:06:24 | 000,000,184 | ---- | C] () -- C:\Boot.bak

[2010/03/03 22:06:21 | 000,260,272 | ---- | C] () -- C:\cmldr

[2010/03/03 22:04:38 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/03/03 22:04:38 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/03/03 22:04:38 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/03/03 22:04:38 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/03/03 22:04:38 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/03/03 21:46:51 | 004,118,254 | R--- | C] () -- C:\Documents and Settings\DAD\Desktop\Combo-Fix.exe

[2010/03/03 19:34:02 | 000,010,973 | ---- | C] () -- C:\Documents and Settings\DAD\My Documents\1.docx

[2010/02/26 20:22:16 | 000,001,514 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk

[2010/02/25 22:16:07 | 000,462,454 | ---- | C] () -- C:\Documents and Settings\DAD\Desktop\over confident.bmp

[2010/02/25 22:08:34 | 000,038,118 | ---- | C] () -- C:\Documents and Settings\DAD\Desktop\the hostile world awaits.jpg

[2010/02/24 23:16:20 | 000,000,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/02/24 22:25:48 | 000,000,944 | ---- | C] () -- C:\Documents and Settings\DAD\Desktop\Spybot - Search & Destroy.lnk

[2010/02/24 20:56:42 | 000,001,745 | ---- | C] () -- C:\Documents and Settings\DAD\Desktop\HijackThis.lnk

[2009/12/10 20:30:43 | 000,018,944 | ---- | C] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/12/03 21:18:10 | 000,000,204 | ---- | C] () -- C:\WINDOWS\RtlRack.ini

[2009/12/03 02:33:54 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\fusioncache.dat

[2009/12/03 02:16:06 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2009/12/03 02:05:14 | 000,028,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys

[2009/12/03 02:03:39 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll

[2009/12/03 02:03:39 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll

[2009/12/03 02:03:39 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll

[2009/12/03 02:03:39 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll

[2009/12/03 02:03:39 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll

[2009/12/03 02:03:39 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll

[2009/12/03 02:03:18 | 000,000,032 | ---- | C] () -- C:\WINDOWS\WININIT.INI

[2009/12/03 01:58:25 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll

[2009/12/03 01:57:38 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\FSRremoC.DLL

[2009/12/03 01:57:38 | 000,005,528 | ---- | C] () -- C:\WINDOWS\System32\Setup2k.ini

[2009/12/03 01:57:38 | 000,000,296 | ---- | C] () -- C:\WINDOWS\System32\presetup.ini

[2006/02/03 00:37:10 | 000,004,676 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2006/01/19 20:46:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2006/01/10 21:38:30 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll

[2005/07/12 22:44:42 | 000,015,872 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD64.DLL

[2004/08/09 21:34:32 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2004/03/24 00:38:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD.dll

[2002/04/11 18:47:52 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\msmscoin.dll

========== LOP Check ==========

[2009/12/02 22:12:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar

[2009/12/03 03:50:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9

[2009/12/10 00:11:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software

[2009/12/03 02:01:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lenovo

[2010/02/18 11:30:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2009/12/03 02:35:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ThinkVantage

[2009/12/25 09:53:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

[2010/02/24 22:24:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\AVG9

[2009/12/03 20:48:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\GetRightToGo

[2009/12/03 02:04:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\IBM

[2009/12/03 19:46:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\InterVideo

[2009/12/03 19:50:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Leadertech

[2009/12/06 19:06:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\LEGO Company

[2009/12/06 20:13:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Lenovo

[2009/12/09 16:54:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\MSNInstaller

[2009/12/12 19:33:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Sony

[2009/12/12 19:23:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Sony Setup

[2009/12/03 02:35:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\ThinkVantage

[2009/12/09 19:44:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\TrueSwitch

[2010/03/04 18:35:21 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{A277806A-F328-4CC4-9BA9-41C902613B3B}.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: AGP440.SYS >

[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys

[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys

[2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

[2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys

[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys

[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys

[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

[2004/08/04 07:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >

[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys

[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys

[2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys

[2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys

[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys

[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys

[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys

[2004/08/04 06:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >

[2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll

[2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll

[2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

[2004/08/04 13:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >

[2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll

[2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll

[2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

[2009/02/06 18:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

[2009/02/06 18:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtUninstallKB975467_0$\netlogon.dll

[2004/08/04 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtUninstallKB968389_0$\netlogon.dll

< MD5 for: SCECLI.DLL >

[2004/08/04 13:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

[2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll

[2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll

[2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

< End of report >

OTL Extras logfile created on: 04/03/2010 18:39:53 - Run 1

OTL by OldTimer - Version 3.1.33.0 Folder = C:\Documents and Settings\DAD\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,023.00 Mb Total Physical Memory | 426.00 Mb Available Physical Memory | 42.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 80.00% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 70.29 Gb Total Space | 38.94 Gb Free Space | 55.39% Space Free | Partition Type: NTFS

Drive D: | 14.33 Gb Total Space | 10.50 Gb Free Space | 73.26% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: DADKIDS

Current User Name: DAD

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 14 Days

Output = Standard

Quick Scan

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

exefile [open] -- "%1" %*

htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008

"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004

"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005

"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001

"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files\ThinkVantage\SystemUpdate\jre\bin\javaw.exe" = C:\Program Files\ThinkVantage\SystemUpdate\jre\bin\javaw.exe:*:Enabled:ThinkVantage System Update -- (IBM)

"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files\ThinkVantage\SystemUpdate\jre\bin\javaw.exe" = C:\Program Files\ThinkVantage\SystemUpdate\jre\bin\javaw.exe:*:Enabled:ThinkVantage System Update -- (IBM)

"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)

"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)

"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)

"C:\Program Files\Sony Ericsson\Update Service\Update Service.exe" = C:\Program Files\Sony Ericsson\Update Service\Update Service.exe:*:Enabled:Update Service -- ()

"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)

"D:\Program Files\iTunes\iTunes.exe" = D:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)

"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" = C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware -- (Malwarebytes Corporation)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour

"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data

"{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}" = PlayStation®Store

"{1007F41F-7D69-468E-8017-3849A5A973C2}" = ThinkVantage Technologies Welcome Message

"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime

"{1A07F627-0F8F-43EE-B667-38908DF85911}" = Rescue and Recovery

"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148

"{1FD0C5C1-B01B-4B4C-9607-E5D3B3D1318F}" = Microsoft IntelliPoint 4.1

"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool

"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT

"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer

"{2A43FF29-0D97-4445-B82D-9324F176AED5}" = ThinkVantage System Update

"{2C7A0299-5A88-41D2-B687-512DA6892058}" = USB Enhanced Performance Keyboard Software

"{2FFE93F0-BB72-4E52-8761-354D1AAA9387}" = Sony Ericsson PC Suite

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support

"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant

"{6280149E-EFF3-4F1B-BD43-5B7EDD6F620A}" = Lenovo Care Supplement

"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update

"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com

"{6E7DD182-9FC6-4651-0095-2E666CC6AF35}" = The Sims 2

"{7B3577F5-1D82-4C9B-008B-69D026FD8BCA}" = The Sims 2 Open For Business

"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials

"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable

"{8E726115-FCBE-43B1-9FB7-06E8E25F9ABE}" = Diskeeper Lite

"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12

"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007

"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007

"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007

"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007

"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007

"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007

"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007

"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007

"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007

"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)

"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)

"{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}" = InterVideo WinDVD

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{986F64DC-FF15-449D-998F-EE3BCEC6666A}" = Help Center

"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI

"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR

"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2

"{A6359CCF-215D-43D9-8366-479D231F2A72}" = Belkin Wireless USB Utility

"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes

"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger

"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support

"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio

"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2

"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy

"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy

"{B6659DD8-00A7-4A24-BBFB-C1F6982E5D66}" = PlayStation®Network Downloader

"{BEAD39CD-901D-4267-8B8B-EAA83CB4B70D}" = Pivot Stickfigure Animator

"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2

"{C54ED2B6-1AF2-416F-BBA8-5E2B8CDCB5C4}" = XP Themes

"{C6FA39A7-26B1-480A-BC74-6D17531AC222}" = Access Help

"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{CF52099A-3BEA-4C41-AEA8-1E190F04D737}" = Lenovo Care

"{DB71210F-8314-4AE3-B7A7-EBAF85BD30E9}" = Wallpapers

"{E7E836B8-4BDD-454F-82E6-5FEA17C83AD4}" = Message Center

"{E922961C-6DB6-41DE-9FEA-426DF3E9F81C}" = IBM 32-bit Runtime Environment for Java 2, v1.4.2

"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform

"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard

"{F6869CD2-3DB4-476D-A4C7-B3AE7C3ACF7B}" = Windows Media Connect

"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call

"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio

"{FBE5AA96-22F0-4C4A-8E92-4BE3498D4CCB}" = Media Go

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Shockwave Player" = Adobe Shockwave Player 11.5

"AVG9Uninstall" = AVG Free 9.0

"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com

"Digital Media LE Uninstall" = Roxio Digital Media LE

"HijackThis" = HijackThis 2.0.2

"HOMESTUDENTR" = Microsoft Office Home and Student 2007

"ie8" = Windows Internet Explorer 8

"InstallShield_{A6359CCF-215D-43D9-8366-479D231F2A72}" = Belkin Wireless USB Utility

"InstallShield_{E922961C-6DB6-41DE-9FEA-426DF3E9F81C}" = IBM 32-bit Runtime Environment for Java 2, v1.4.2

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"MouseSuite98" = Mouse Suite

"MSNINST" = MSN

"PC-Doctor 5 for Windows" = PC-Doctor 5 for Windows

"RollerCoaster Tycoon Setup" = Roll

"Update Service" = Update Service

"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast Ethernet Adapter

"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7

"Windows Media Connect" = Windows Media Connect

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 10

"Windows XP Service Pack" = Windows XP Service Pack 3

"WinLiveSuite_Wave3" = Windows Live Essentials

"WMFDist11" = Windows Media Format 11 runtime

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ System Events ]

Error - 23/02/2010 15:29:46 | Computer Name = DADKIDS | Source = Service Control Manager | ID = 7024

Description = The Messenger service terminated with service-specific error 2270

(0x8DE).

Error - 24/02/2010 13:54:49 | Computer Name = DADKIDS | Source = Server | ID = 2505

Description = The server could not bind to the transport \Device\NwlnkNb because

another computer on the network has the same name. The server could not start.

Error - 24/02/2010 13:54:49 | Computer Name = DADKIDS | Source = Server | ID = 2505

Description = The server could not bind to the transport \Device\NwlnkIpx because

another computer on the network has the same name. The server could not start.

Error - 25/02/2010 13:45:26 | Computer Name = DADKIDS | Source = Windows Update Agent | ID = 16

Description = Unable to Connect: Windows is unable to connect to the automatic updates

service and therefore cannot download and install updates according to the set

schedule. Windows will continue to try to establish a connection.

Error - 25/02/2010 18:24:24 | Computer Name = DADKIDS | Source = Service Control Manager | ID = 7034

Description = The Application Layer Gateway Service service terminated unexpectedly.

It has done this 1 time(s).

Error - 25/02/2010 19:42:49 | Computer Name = DADKIDS | Source = Service Control Manager | ID = 7034

Description = The TVT Scheduler service terminated unexpectedly. It has done this

1 time(s).

Error - 28/02/2010 11:48:39 | Computer Name = DADKIDS | Source = Service Control Manager | ID = 7024

Description = The Messenger service terminated with service-specific error 2137

(0x859).

Error - 01/03/2010 06:33:47 | Computer Name = DADKIDS | Source = Service Control Manager | ID = 7024

Description = The Messenger service terminated with service-specific error 2270

(0x8DE).

Error - 03/03/2010 18:08:16 | Computer Name = DADKIDS | Source = Service Control Manager | ID = 7034

Description = The Sony Ericsson OMSI download service service terminated unexpectedly.

It has done this 1 time(s).

Error - 03/03/2010 18:26:51 | Computer Name = DADKIDS | Source = atapi | ID = 262153

Description = The device, \Device\Ide\IdePort0, did not respond within the timeout

period.

< End of report >


Looks like a newer variant of one of the nastiest rootkits we are seeing lately. Let's see if this will help.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R), copy and paste the following into the text field (make sure you include the quote marks), then press OK.
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.
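As an added example (not code from this thread and not part of Kaspersky's tool), here is a small Python parser for the text log that TDSSKiller writes with the -l option, in the line shapes seen in the log posted further down in this thread: it groups each "Driver Name:" block, collects the IRP_MJ_* handler addresses, the "Unable to dump StartIo handler code" notes and the closing "Verdict:" line, and lists any driver whose verdict is not Clean. The sample log is constructed from a few lines of that log; the atapi verdict line is made up, because the posted log breaks off before TDSSKiller reports on atapi.

```python
"""Summarize a TDSSKiller text log (the file written by the -l option).

Added example; not part of the thread and not Kaspersky's code. It only
knows the line shapes visible in the log posted in this thread.
"""
import re
from collections import OrderedDict

# Constructed sample: a handful of lines in the shape of the log posted in
# this thread (timestamp, PID, "Driver Name:", IRP_MJ_* handler addresses,
# StartIo note, Verdict line). The atapi verdict line is made up, because
# the posted log breaks off before TDSSKiller reports on atapi.
SAMPLE_LOG = r"""
17:24:17:328 1460 Scanning Kernel memory ...
17:24:17:328 1460 Devices to scan: 13
17:24:17:328 1460
17:24:17:328 1460 Driver Name: Disk
17:24:17:328 1460 IRP_MJ_CREATE : F75A2BB0
17:24:17:328 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:24:17:328 1460 IRP_MJ_READ : F759CD1F
17:24:17:328 1460 IRP_MJ_WRITE : F759CD1F
17:24:17:328 1460 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
17:24:17:343 1460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:24:17:343 1460
17:24:17:375 1460 Driver Name: USBSTOR
17:24:17:375 1460 IRP_MJ_CREATE : F7901218
17:24:17:375 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:24:17:375 1460 IRP_MJ_READ : F790123C
17:24:17:375 1460 siohd: 0
17:24:17:375 1460 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
17:24:17:406 1460
17:24:17:406 1460 Driver Name: atapi
17:24:17:406 1460 IRP_MJ_CREATE : F73EEB3A
17:24:17:406 1460 IRP_MJ_CREATE_NAMED_PIPE : F73EEB3A
17:24:17:406 1460 IRP_MJ_CLOSE : F73EEB3A
17:24:17:406 1460 IRP_MJ_READ : F73EEB3A
17:24:17:421 1460 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
"""

# "HH:MM:SS:mmm <pid> <message>"; the message is empty on separator lines.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*(.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s*(\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(.+?)\s+-\s+Verdict:\s*(\S+)$")


def parse_tdsskiller_log(text):
    """Return one dict per 'Driver Name:' block, in log order.

    A driver name can recur (one block per device object the tool scans),
    so blocks are kept as a list rather than merged by name.
    """
    drivers = []
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(1).strip()
        if not msg:
            continue
        dm = DRIVER_RE.match(msg)
        if dm:
            current = {"driver": dm.group(1), "handlers": OrderedDict(),
                       "notes": [], "file": None, "verdict": None}
            drivers.append(current)
            continue
        if current is None:
            continue  # header lines before the first driver block
        im = IRP_RE.match(msg)
        if im:
            current["handlers"][im.group(1)] = int(im.group(2), 16)
            continue
        vm = VERDICT_RE.match(msg)
        if vm:
            current["file"], current["verdict"] = vm.group(1), vm.group(2)
            continue
        current["notes"].append(msg)  # e.g. the StartIo dump failure
    return drivers


def summarize(drivers):
    """Per-block triage row: verdict, entry count, distinct handler addresses."""
    rows = []
    for d in drivers:
        rows.append({
            "driver": d["driver"],
            "verdict": d["verdict"],
            "irp_entries": len(d["handlers"]),
            "distinct_handlers": len(set(d["handlers"].values())),
            "dump_failed": any("Unable to dump" in n for n in d["notes"]),
        })
    return rows


def not_clean(drivers):
    """Names of drivers whose verdict line is missing or not 'Clean'."""
    return [d["driver"] for d in drivers if d["verdict"] != "Clean"]


if __name__ == "__main__":
    parsed = parse_tdsskiller_log(SAMPLE_LOG)
    for row in summarize(parsed):
        print(row)
    print("needs attention:", not_clean(parsed))
```

The distinct-handler count is a prompt for a closer look, not a verdict: a block whose every listed dispatch entry resolves to one address (as the atapi lines in the posted log do) is worth comparing against the disk and USBSTOR blocks, but port drivers legitimately route unsupported IRPs through a common routine, so the Verdict line and the tool's own detection remain the authority.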


Indigenus

TDSS found a corrupt Atapi.sys file. Here is the log.

17:24:16:937 1460 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25

17:24:16:937 1460 ================================================================================

17:24:16:937 1460 SystemInfo:

17:24:16:937 1460 OS Version: 5.1.2600 ServicePack: 3.0

17:24:16:937 1460 Product type: Workstation

17:24:16:937 1460 ComputerName: DADKIDS

17:24:16:937 1460 UserName: DAD

17:24:16:937 1460 Windows directory: C:\WINDOWS

17:24:16:937 1460 Processor architecture: Intel x86

17:24:16:937 1460 Number of processors: 1

17:24:16:937 1460 Page size: 0x1000

17:24:16:937 1460 Boot type: Normal boot

17:24:16:937 1460 ================================================================================

17:24:16:937 1460 UnloadDriverW: NtUnloadDriver error 2

17:24:16:937 1460 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

17:24:17:015 1460 Initialize success

17:24:17:015 1460

17:24:17:015 1460 Scanning Services ...

17:24:17:015 1460 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

17:24:17:015 1460 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

17:24:17:015 1460 wfopen_ex: Trying to KLMD file open

17:24:17:015 1460 wfopen_ex: File opened ok (Flags 2)

17:24:17:015 1460 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

17:24:17:031 1460 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

17:24:17:031 1460 wfopen_ex: Trying to KLMD file open

17:24:17:031 1460 wfopen_ex: File opened ok (Flags 2)

17:24:17:312 1460 GetAdvancedServicesInfo: Raw services enum returned 354 services

17:24:17:328 1460 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

17:24:17:328 1460 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

17:24:17:328 1460

17:24:17:328 1460 Scanning Kernel memory ...

17:24:17:328 1460 Devices to scan: 13

17:24:17:328 1460

17:24:17:328 1460 Driver Name: Disk

17:24:17:328 1460 IRP_MJ_CREATE : F75A2BB0

17:24:17:328 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

17:24:17:328 1460 IRP_MJ_CLOSE : F75A2BB0

17:24:17:328 1460 IRP_MJ_READ : F759CD1F

17:24:17:328 1460 IRP_MJ_WRITE : F759CD1F

17:24:17:328 1460 IRP_MJ_QUERY_INFORMATION : 804F355A

17:24:17:328 1460 IRP_MJ_SET_INFORMATION : 804F355A

17:24:17:328 1460 IRP_MJ_QUERY_EA : 804F355A

17:24:17:328 1460 IRP_MJ_SET_EA : 804F355A

17:24:17:328 1460 IRP_MJ_FLUSH_BUFFERS : F759D2E2

17:24:17:328 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

17:24:17:328 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

17:24:17:328 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A

17:24:17:328 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

17:24:17:328 1460 IRP_MJ_DEVICE_CONTROL : F759D3BB

17:24:17:328 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A0F28

17:24:17:328 1460 IRP_MJ_SHUTDOWN : F759D2E2

17:24:17:328 1460 IRP_MJ_LOCK_CONTROL : 804F355A

17:24:17:328 1460 IRP_MJ_CLEANUP : 804F355A

17:24:17:328 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A

17:24:17:328 1460 IRP_MJ_QUERY_SECURITY : 804F355A

17:24:17:328 1460 IRP_MJ_SET_SECURITY : 804F355A

17:24:17:328 1460 IRP_MJ_POWER : F759EC82

17:24:17:328 1460 IRP_MJ_SYSTEM_CONTROL : F75A399E

17:24:17:328 1460 IRP_MJ_DEVICE_CHANGE : 804F355A

17:24:17:328 1460 IRP_MJ_QUERY_QUOTA : 804F355A

17:24:17:328 1460 IRP_MJ_SET_QUOTA : 804F355A

17:24:17:328 1460 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code

17:24:17:328 1460 sion

17:24:17:343 1460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

17:24:17:343 1460

17:24:17:343 1460 Driver Name: Disk

17:24:17:343 1460 IRP_MJ_CREATE : F75A2BB0

17:24:17:343 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

17:24:17:343 1460 IRP_MJ_CLOSE : F75A2BB0

17:24:17:343 1460 IRP_MJ_READ : F759CD1F

17:24:17:343 1460 IRP_MJ_WRITE : F759CD1F

17:24:17:343 1460 IRP_MJ_QUERY_INFORMATION : 804F355A

17:24:17:343 1460 IRP_MJ_SET_INFORMATION : 804F355A

17:24:17:343 1460 IRP_MJ_QUERY_EA : 804F355A

17:24:17:343 1460 IRP_MJ_SET_EA : 804F355A

17:24:17:343 1460 IRP_MJ_FLUSH_BUFFERS : F759D2E2

17:24:17:343 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

17:24:17:343 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

17:24:17:343 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A

17:24:17:343 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

17:24:17:343 1460 IRP_MJ_DEVICE_CONTROL : F759D3BB

17:24:17:343 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A0F28

17:24:17:343 1460 IRP_MJ_SHUTDOWN : F759D2E2

17:24:17:343 1460 IRP_MJ_LOCK_CONTROL : 804F355A

17:24:17:343 1460 IRP_MJ_CLEANUP : 804F355A

17:24:17:343 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A

17:24:17:343 1460 IRP_MJ_QUERY_SECURITY : 804F355A

17:24:17:343 1460 IRP_MJ_SET_SECURITY : 804F355A

17:24:17:343 1460 IRP_MJ_POWER : F759EC82

17:24:17:343 1460 IRP_MJ_SYSTEM_CONTROL : F75A399E

17:24:17:343 1460 IRP_MJ_DEVICE_CHANGE : 804F355A

17:24:17:343 1460 IRP_MJ_QUERY_QUOTA : 804F355A

17:24:17:343 1460 IRP_MJ_SET_QUOTA : 804F355A

17:24:17:343 1460 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code

17:24:17:343 1460 sion

17:24:17:359 1460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

17:24:17:359 1460

17:24:17:359 1460 Driver Name: Disk

17:24:17:359 1460 IRP_MJ_CREATE : F75A2BB0

17:24:17:359 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

17:24:17:359 1460 IRP_MJ_CLOSE : F75A2BB0

17:24:17:359 1460 IRP_MJ_READ : F759CD1F

17:24:17:359 1460 IRP_MJ_WRITE : F759CD1F

17:24:17:359 1460 IRP_MJ_QUERY_INFORMATION : 804F355A

17:24:17:359 1460 IRP_MJ_SET_INFORMATION : 804F355A

17:24:17:359 1460 IRP_MJ_QUERY_EA : 804F355A

17:24:17:359 1460 IRP_MJ_SET_EA : 804F355A

17:24:17:359 1460 IRP_MJ_FLUSH_BUFFERS : F759D2E2

17:24:17:359 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

17:24:17:359 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

17:24:17:359 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A

17:24:17:359 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

17:24:17:359 1460 IRP_MJ_DEVICE_CONTROL : F759D3BB

17:24:17:359 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A0F28

17:24:17:359 1460 IRP_MJ_SHUTDOWN : F759D2E2

17:24:17:359 1460 IRP_MJ_LOCK_CONTROL : 804F355A

17:24:17:359 1460 IRP_MJ_CLEANUP : 804F355A

17:24:17:359 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A

17:24:17:359 1460 IRP_MJ_QUERY_SECURITY : 804F355A

17:24:17:359 1460 IRP_MJ_SET_SECURITY : 804F355A

17:24:17:359 1460 IRP_MJ_POWER : F759EC82

17:24:17:359 1460 IRP_MJ_SYSTEM_CONTROL : F75A399E

17:24:17:359 1460 IRP_MJ_DEVICE_CHANGE : 804F355A

17:24:17:359 1460 IRP_MJ_QUERY_QUOTA : 804F355A

17:24:17:359 1460 IRP_MJ_SET_QUOTA : 804F355A

17:24:17:359 1460 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code

17:24:17:359 1460 sion

17:24:17:359 1460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

17:24:17:359 1460

17:24:17:359 1460 Driver Name: Disk

17:24:17:359 1460 IRP_MJ_CREATE : F75A2BB0

17:24:17:359 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

17:24:17:359 1460 IRP_MJ_CLOSE : F75A2BB0

17:24:17:359 1460 IRP_MJ_READ : F759CD1F

17:24:17:359 1460 IRP_MJ_WRITE : F759CD1F

17:24:17:359 1460 IRP_MJ_QUERY_INFORMATION : 804F355A

17:24:17:359 1460 IRP_MJ_SET_INFORMATION : 804F355A

17:24:17:359 1460 IRP_MJ_QUERY_EA : 804F355A

17:24:17:359 1460 IRP_MJ_SET_EA : 804F355A

17:24:17:359 1460 IRP_MJ_FLUSH_BUFFERS : F759D2E2

17:24:17:359 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

17:24:17:359 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

17:24:17:359 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A

17:24:17:359 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

17:24:17:359 1460 IRP_MJ_DEVICE_CONTROL : F759D3BB

17:24:17:359 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A0F28

17:24:17:359 1460 IRP_MJ_SHUTDOWN : F759D2E2

17:24:17:359 1460 IRP_MJ_LOCK_CONTROL : 804F355A

17:24:17:359 1460 IRP_MJ_CLEANUP : 804F355A

17:24:17:359 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A

17:24:17:359 1460 IRP_MJ_QUERY_SECURITY : 804F355A

17:24:17:359 1460 IRP_MJ_SET_SECURITY : 804F355A

17:24:17:359 1460 IRP_MJ_POWER : F759EC82

17:24:17:359 1460 IRP_MJ_SYSTEM_CONTROL : F75A399E

17:24:17:359 1460 IRP_MJ_DEVICE_CHANGE : 804F355A

17:24:17:359 1460 IRP_MJ_QUERY_QUOTA : 804F355A

17:24:17:359 1460 IRP_MJ_SET_QUOTA : 804F355A

17:24:17:359 1460 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code

17:24:17:359 1460 sion

17:24:17:375 1460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

17:24:17:375 1460

17:24:17:375 1460 Driver Name: USBSTOR

17:24:17:375 1460 IRP_MJ_CREATE : F7901218

17:24:17:375 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

17:24:17:375 1460 IRP_MJ_CLOSE : F7901218

17:24:17:375 1460 IRP_MJ_READ : F790123C

17:24:17:375 1460 IRP_MJ_WRITE : F790123C

17:24:17:375 1460 IRP_MJ_QUERY_INFORMATION : 804F355A

17:24:17:375 1460 IRP_MJ_SET_INFORMATION : 804F355A

17:24:17:375 1460 IRP_MJ_QUERY_EA : 804F355A

17:24:17:375 1460 IRP_MJ_SET_EA : 804F355A

17:24:17:375 1460 IRP_MJ_FLUSH_BUFFERS : 804F355A

17:24:17:375 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

17:24:17:375 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

17:24:17:375 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A

17:24:17:375 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

17:24:17:375 1460 IRP_MJ_DEVICE_CONTROL : F7901180

17:24:17:375 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78FC9E6

17:24:17:375 1460 IRP_MJ_SHUTDOWN : 804F355A

17:24:17:375 1460 IRP_MJ_LOCK_CONTROL : 804F355A

17:24:17:375 1460 IRP_MJ_CLEANUP : 804F355A

17:24:17:375 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A

17:24:17:375 1460 IRP_MJ_QUERY_SECURITY : 804F355A

17:24:17:375 1460 IRP_MJ_SET_SECURITY : 804F355A

17:24:17:375 1460 IRP_MJ_POWER : F79005F0

17:24:17:375 1460 IRP_MJ_SYSTEM_CONTROL : F78FEA6E

17:24:17:375 1460 IRP_MJ_DEVICE_CHANGE : 804F355A

17:24:17:375 1460 IRP_MJ_QUERY_QUOTA : 804F355A

17:24:17:375 1460 IRP_MJ_SET_QUOTA : 804F355A

17:24:17:375 1460 siohd: 0

17:24:17:375 1460 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean

17:24:17:375 1460

17:24:17:375 1460 Driver Name: USBSTOR

17:24:17:375 1460 IRP_MJ_CREATE : F7901218

17:24:17:375 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

17:24:17:375 1460 IRP_MJ_CLOSE : F7901218

17:24:17:375 1460 IRP_MJ_READ : F790123C

17:24:17:375 1460 IRP_MJ_WRITE : F790123C

17:24:17:375 1460 IRP_MJ_QUERY_INFORMATION : 804F355A

17:24:17:375 1460 IRP_MJ_SET_INFORMATION : 804F355A

17:24:17:375 1460 IRP_MJ_QUERY_EA : 804F355A

17:24:17:375 1460 IRP_MJ_SET_EA : 804F355A

17:24:17:375 1460 IRP_MJ_FLUSH_BUFFERS : 804F355A

17:24:17:375 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

17:24:17:375 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

17:24:17:375 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A

17:24:17:375 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

17:24:17:375 1460 IRP_MJ_DEVICE_CONTROL : F7901180

17:24:17:375 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78FC9E6

17:24:17:375 1460 IRP_MJ_SHUTDOWN : 804F355A

17:24:17:375 1460 IRP_MJ_LOCK_CONTROL : 804F355A

17:24:17:375 1460 IRP_MJ_CLEANUP : 804F355A

17:24:17:375 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A

17:24:17:375 1460 IRP_MJ_QUERY_SECURITY : 804F355A

17:24:17:375 1460 IRP_MJ_SET_SECURITY : 804F355A

17:24:17:375 1460 IRP_MJ_POWER : F79005F0

17:24:17:375 1460 IRP_MJ_SYSTEM_CONTROL : F78FEA6E

17:24:17:375 1460 IRP_MJ_DEVICE_CHANGE : 804F355A

17:24:17:375 1460 IRP_MJ_QUERY_QUOTA : 804F355A

17:24:17:375 1460 IRP_MJ_SET_QUOTA : 804F355A

17:24:17:375 1460 siohd: 0

17:24:17:375 1460 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean

17:24:17:375 1460

17:24:17:375 1460 Driver Name: USBSTOR

17:24:17:375 1460 IRP_MJ_CREATE : F7901218

17:24:17:375 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

17:24:17:375 1460 IRP_MJ_CLOSE : F7901218

17:24:17:375 1460 IRP_MJ_READ : F790123C

17:24:17:375 1460 IRP_MJ_WRITE : F790123C

17:24:17:375 1460 IRP_MJ_QUERY_INFORMATION : 804F355A

17:24:17:375 1460 IRP_MJ_SET_INFORMATION : 804F355A

17:24:17:375 1460 IRP_MJ_QUERY_EA : 804F355A

17:24:17:375 1460 IRP_MJ_SET_EA : 804F355A

17:24:17:375 1460 IRP_MJ_FLUSH_BUFFERS : 804F355A

17:24:17:375 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

17:24:17:375 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

17:24:17:375 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A

17:24:17:375 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

17:24:17:375 1460 IRP_MJ_DEVICE_CONTROL : F7901180

17:24:17:375 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78FC9E6

17:24:17:375 1460 IRP_MJ_SHUTDOWN : 804F355A

17:24:17:375 1460 IRP_MJ_LOCK_CONTROL : 804F355A

17:24:17:375 1460 IRP_MJ_CLEANUP : 804F355A

17:24:17:375 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A

17:24:17:375 1460 IRP_MJ_QUERY_SECURITY : 804F355A

17:24:17:375 1460 IRP_MJ_SET_SECURITY : 804F355A

17:24:17:375 1460 IRP_MJ_POWER : F79005F0

17:24:17:375 1460 IRP_MJ_SYSTEM_CONTROL : F78FEA6E

17:24:17:375 1460 IRP_MJ_DEVICE_CHANGE : 804F355A

17:24:17:375 1460 IRP_MJ_QUERY_QUOTA : 804F355A

17:24:17:375 1460 IRP_MJ_SET_QUOTA : 804F355A

17:24:17:375 1460 siohd: 0

17:24:17:390 1460 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean

17:24:17:390 1460

17:24:17:390 1460 Driver Name: USBSTOR

17:24:17:390 1460 IRP_MJ_CREATE : F7901218

17:24:17:390 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

17:24:17:390 1460 IRP_MJ_CLOSE : F7901218

17:24:17:390 1460 IRP_MJ_READ : F790123C

17:24:17:390 1460 IRP_MJ_WRITE : F790123C

17:24:17:390 1460 IRP_MJ_QUERY_INFORMATION : 804F355A

17:24:17:390 1460 IRP_MJ_SET_INFORMATION : 804F355A

17:24:17:390 1460 IRP_MJ_QUERY_EA : 804F355A

17:24:17:390 1460 IRP_MJ_SET_EA : 804F355A

17:24:17:390 1460 IRP_MJ_FLUSH_BUFFERS : 804F355A

17:24:17:390 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

17:24:17:390 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

17:24:17:390 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A

17:24:17:390 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

17:24:17:390 1460 IRP_MJ_DEVICE_CONTROL : F7901180

17:24:17:390 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F78FC9E6

17:24:17:390 1460 IRP_MJ_SHUTDOWN : 804F355A

17:24:17:390 1460 IRP_MJ_LOCK_CONTROL : 804F355A

17:24:17:390 1460 IRP_MJ_CLEANUP : 804F355A

17:24:17:390 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A

17:24:17:390 1460 IRP_MJ_QUERY_SECURITY : 804F355A

17:24:17:390 1460 IRP_MJ_SET_SECURITY : 804F355A

17:24:17:390 1460 IRP_MJ_POWER : F79005F0

17:24:17:390 1460 IRP_MJ_SYSTEM_CONTROL : F78FEA6E

17:24:17:390 1460 IRP_MJ_DEVICE_CHANGE : 804F355A

17:24:17:390 1460 IRP_MJ_QUERY_QUOTA : 804F355A

17:24:17:390 1460 IRP_MJ_SET_QUOTA : 804F355A

17:24:17:390 1460 siohd: 0

17:24:17:390 1460 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean

17:24:17:390 1460

17:24:17:390 1460 Driver Name: Disk

17:24:17:390 1460 IRP_MJ_CREATE : F75A2BB0

17:24:17:390 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

17:24:17:390 1460 IRP_MJ_CLOSE : F75A2BB0

17:24:17:390 1460 IRP_MJ_READ : F759CD1F

17:24:17:390 1460 IRP_MJ_WRITE : F759CD1F

17:24:17:390 1460 IRP_MJ_QUERY_INFORMATION : 804F355A

17:24:17:390 1460 IRP_MJ_SET_INFORMATION : 804F355A

17:24:17:390 1460 IRP_MJ_QUERY_EA : 804F355A

17:24:17:390 1460 IRP_MJ_SET_EA : 804F355A

17:24:17:390 1460 IRP_MJ_FLUSH_BUFFERS : F759D2E2

17:24:17:390 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

17:24:17:390 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

17:24:17:390 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A

17:24:17:390 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

17:24:17:390 1460 IRP_MJ_DEVICE_CONTROL : F759D3BB

17:24:17:390 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A0F28

17:24:17:390 1460 IRP_MJ_SHUTDOWN : F759D2E2

17:24:17:390 1460 IRP_MJ_LOCK_CONTROL : 804F355A

17:24:17:390 1460 IRP_MJ_CLEANUP : 804F355A

17:24:17:390 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A

17:24:17:390 1460 IRP_MJ_QUERY_SECURITY : 804F355A

17:24:17:390 1460 IRP_MJ_SET_SECURITY : 804F355A

17:24:17:390 1460 IRP_MJ_POWER : F759EC82

17:24:17:390 1460 IRP_MJ_SYSTEM_CONTROL : F75A399E

17:24:17:390 1460 IRP_MJ_DEVICE_CHANGE : 804F355A

17:24:17:390 1460 IRP_MJ_QUERY_QUOTA : 804F355A

17:24:17:390 1460 IRP_MJ_SET_QUOTA : 804F355A

17:24:17:390 1460 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code

17:24:17:390 1460 sion

17:24:17:390 1460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

17:24:17:390 1460

17:24:17:390 1460 Driver Name: Disk

17:24:17:390 1460 IRP_MJ_CREATE : F75A2BB0

17:24:17:390 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

17:24:17:390 1460 IRP_MJ_CLOSE : F75A2BB0

17:24:17:390 1460 IRP_MJ_READ : F759CD1F

17:24:17:390 1460 IRP_MJ_WRITE : F759CD1F

17:24:17:390 1460 IRP_MJ_QUERY_INFORMATION : 804F355A

17:24:17:390 1460 IRP_MJ_SET_INFORMATION : 804F355A

17:24:17:390 1460 IRP_MJ_QUERY_EA : 804F355A

17:24:17:390 1460 IRP_MJ_SET_EA : 804F355A

17:24:17:390 1460 IRP_MJ_FLUSH_BUFFERS : F759D2E2

17:24:17:390 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

17:24:17:390 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

17:24:17:390 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A

17:24:17:390 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

17:24:17:390 1460 IRP_MJ_DEVICE_CONTROL : F759D3BB

17:24:17:390 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A0F28

17:24:17:390 1460 IRP_MJ_SHUTDOWN : F759D2E2

17:24:17:390 1460 IRP_MJ_LOCK_CONTROL : 804F355A

17:24:17:390 1460 IRP_MJ_CLEANUP : 804F355A

17:24:17:390 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A

17:24:17:390 1460 IRP_MJ_QUERY_SECURITY : 804F355A

17:24:17:390 1460 IRP_MJ_SET_SECURITY : 804F355A

17:24:17:390 1460 IRP_MJ_POWER : F759EC82

17:24:17:390 1460 IRP_MJ_SYSTEM_CONTROL : F75A399E

17:24:17:390 1460 IRP_MJ_DEVICE_CHANGE : 804F355A

17:24:17:390 1460 IRP_MJ_QUERY_QUOTA : 804F355A

17:24:17:390 1460 IRP_MJ_SET_QUOTA : 804F355A

17:24:17:390 1460 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code

17:24:17:390 1460 sion

17:24:17:406 1460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

17:24:17:406 1460

17:24:17:406 1460 Driver Name: Disk

17:24:17:406 1460 IRP_MJ_CREATE : F75A2BB0

17:24:17:406 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

17:24:17:406 1460 IRP_MJ_CLOSE : F75A2BB0

17:24:17:406 1460 IRP_MJ_READ : F759CD1F

17:24:17:406 1460 IRP_MJ_WRITE : F759CD1F

17:24:17:406 1460 IRP_MJ_QUERY_INFORMATION : 804F355A

17:24:17:406 1460 IRP_MJ_SET_INFORMATION : 804F355A

17:24:17:406 1460 IRP_MJ_QUERY_EA : 804F355A

17:24:17:406 1460 IRP_MJ_SET_EA : 804F355A

17:24:17:406 1460 IRP_MJ_FLUSH_BUFFERS : F759D2E2

17:24:17:406 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

17:24:17:406 1460 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

17:24:17:406 1460 IRP_MJ_DIRECTORY_CONTROL : 804F355A

17:24:17:406 1460 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

17:24:17:406 1460 IRP_MJ_DEVICE_CONTROL : F759D3BB

17:24:17:406 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A0F28

17:24:17:406 1460 IRP_MJ_SHUTDOWN : F759D2E2

17:24:17:406 1460 IRP_MJ_LOCK_CONTROL : 804F355A

17:24:17:406 1460 IRP_MJ_CLEANUP : 804F355A

17:24:17:406 1460 IRP_MJ_CREATE_MAILSLOT : 804F355A

17:24:17:406 1460 IRP_MJ_QUERY_SECURITY : 804F355A

17:24:17:406 1460 IRP_MJ_SET_SECURITY : 804F355A

17:24:17:406 1460 IRP_MJ_POWER : F759EC82

17:24:17:406 1460 IRP_MJ_SYSTEM_CONTROL : F75A399E

17:24:17:406 1460 IRP_MJ_DEVICE_CHANGE : 804F355A

17:24:17:406 1460 IRP_MJ_QUERY_QUOTA : 804F355A

17:24:17:406 1460 IRP_MJ_SET_QUOTA : 804F355A

17:24:17:406 1460 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code

17:24:17:406 1460 sion

17:24:17:406 1460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean

17:24:17:406 1460

17:24:17:406 1460 Driver Name: atapi

17:24:17:406 1460 IRP_MJ_CREATE : F73EEB3A

17:24:17:406 1460 IRP_MJ_CREATE_NAMED_PIPE : F73EEB3A

17:24:17:406 1460 IRP_MJ_CLOSE : F73EEB3A

17:24:17:406 1460 IRP_MJ_READ : F73EEB3A

17:24:17:406 1460 IRP_MJ_WRITE : F73EEB3A

17:24:17:406 1460 IRP_MJ_QUERY_INFORMATION : F73EEB3A

17:24:17:406 1460 IRP_MJ_SET_INFORMATION : F73EEB3A

17:24:17:406 1460 IRP_MJ_QUERY_EA : F73EEB3A

17:24:17:406 1460 IRP_MJ_SET_EA : F73EEB3A

17:24:17:406 1460 IRP_MJ_FLUSH_BUFFERS : F73EEB3A

17:24:17:406 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : F73EEB3A

17:24:17:406 1460 IRP_MJ_SET_VOLUME_INFORMATION : F73EEB3A

17:24:17:406 1460 IRP_MJ_DIRECTORY_CONTROL : F73EEB3A

17:24:17:406 1460 IRP_MJ_FILE_SYSTEM_CONTROL : F73EEB3A

17:24:17:406 1460 IRP_MJ_DEVICE_CONTROL : F73EEB3A

17:24:17:406 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F73EEB3A

17:24:17:406 1460 IRP_MJ_SHUTDOWN : F73EEB3A

17:24:17:406 1460 IRP_MJ_LOCK_CONTROL : F73EEB3A

17:24:17:406 1460 IRP_MJ_CLEANUP : F73EEB3A

17:24:17:406 1460 IRP_MJ_CREATE_MAILSLOT : F73EEB3A

17:24:17:406 1460 IRP_MJ_QUERY_SECURITY : F73EEB3A

17:24:17:406 1460 IRP_MJ_SET_SECURITY : F73EEB3A

17:24:17:406 1460 IRP_MJ_POWER : F73EEB3A

17:24:17:406 1460 IRP_MJ_SYSTEM_CONTROL : F73EEB3A

17:24:17:406 1460 IRP_MJ_DEVICE_CHANGE : F73EEB3A

17:24:17:406 1460 IRP_MJ_QUERY_QUOTA : F73EEB3A

17:24:17:406 1460 IRP_MJ_SET_QUOTA : F73EEB3A

17:24:17:406 1460 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr

17:24:17:406 1460 TDL3_IrpHookDetect: New IrpHandler addr: 86F0B8C8

17:24:17:406 1460 ihd: 10, FFDF0308, 510, 134, 3, 120, 0

17:24:17:406 1460 Driver "atapi" Irp handler infected by TDSS rootkit ... 17:24:17:406 1460 cured

17:24:17:406 1460 siohd: 0

17:24:17:437 1460 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected

17:24:17:437 1460 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 17:24:17:437 1460 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys

17:24:17:437 1460 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3

17:24:17:671 1460 vfvi6

17:24:17:843 1460 !dsvbh1

17:24:19:500 1460 dsvbh2

17:24:19:515 1460 fdfb2

17:24:19:515 1460 Backup copy found, using it..

17:24:19:562 1460 will be cured on next reboot

17:24:19:562 1460

17:24:19:562 1460 Driver Name: atapi

17:24:19:562 1460 IRP_MJ_CREATE : F73EEB3A

17:24:19:562 1460 IRP_MJ_CREATE_NAMED_PIPE : F73EEB3A

17:24:19:562 1460 IRP_MJ_CLOSE : F73EEB3A

17:24:19:562 1460 IRP_MJ_READ : F73EEB3A

17:24:19:562 1460 IRP_MJ_WRITE : F73EEB3A

17:24:19:562 1460 IRP_MJ_QUERY_INFORMATION : F73EEB3A

17:24:19:562 1460 IRP_MJ_SET_INFORMATION : F73EEB3A

17:24:19:562 1460 IRP_MJ_QUERY_EA : F73EEB3A

17:24:19:562 1460 IRP_MJ_SET_EA : F73EEB3A

17:24:19:562 1460 IRP_MJ_FLUSH_BUFFERS : F73EEB3A

17:24:19:562 1460 IRP_MJ_QUERY_VOLUME_INFORMATION : F73EEB3A

17:24:19:562 1460 IRP_MJ_SET_VOLUME_INFORMATION : F73EEB3A

17:24:19:562 1460 IRP_MJ_DIRECTORY_CONTROL : F73EEB3A

17:24:19:562 1460 IRP_MJ_FILE_SYSTEM_CONTROL : F73EEB3A

17:24:19:562 1460 IRP_MJ_DEVICE_CONTROL : F73EEB3A

17:24:19:562 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F73EEB3A

17:24:19:562 1460 IRP_MJ_SHUTDOWN : F73EEB3A

17:24:19:562 1460 IRP_MJ_LOCK_CONTROL : F73EEB3A

17:24:19:562 1460 IRP_MJ_CLEANUP : F73EEB3A

17:24:19:562 1460 IRP_MJ_CREATE_MAILSLOT : F73EEB3A

17:24:19:562 1460 IRP_MJ_QUERY_SECURITY : F73EEB3A

17:24:19:562 1460 IRP_MJ_SET_SECURITY : F73EEB3A

17:24:19:562 1460 IRP_MJ_POWER : F73EEB3A

17:24:19:562 1460 IRP_MJ_SYSTEM_CONTROL : F73EEB3A

17:24:19:562 1460 IRP_MJ_DEVICE_CHANGE : F73EEB3A

17:24:19:562 1460 IRP_MJ_QUERY_QUOTA : F73EEB3A

17:24:19:562 1460 IRP_MJ_SET_QUOTA : F73EEB3A

17:24:19:562 1460 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr

17:24:19:562 1460 TDL3_IrpHookDetect: New IrpHandler addr: 86F0B8C8

17:24:19:562 1460 ihd1

17:24:19:562 1460 siohd: 0

17:24:19:578 1460 C:\WINDOWS\system32\drivers\tskC.tmp - Verdict: Clean

17:24:19:578 1460 Reboot required for cure complete..

17:24:19:578 1460 Cure on reboot scheduled successfully

17:24:19:578 1460

17:24:19:578 1460 Completed

17:24:19:578 1460

17:24:19:578 1460 Results:

17:24:19:578 1460 Memory objects infected / cured / cured on reboot: 1 / 1 / 0

17:24:19:578 1460 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

17:24:19:578 1460 File objects infected / cured / cured on reboot: 1 / 0 / 1

17:24:19:578 1460

17:24:19:578 1460 UnloadDriverW: NtUnloadDriver error 1

17:24:19:578 1460 KLMD_Unload: UnloadDriverW(klmd21) error 1

17:24:19:578 1460 KLMD(ARK) unloaded successfully

I can't thank you enough. Will this be the end of it?

Novemberwhisky

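What the TDSSKiller dump above is actually showing, as an added example that is not part of the post or of TDSSKiller's own code: disk.sys has its own routines for the majors it serves (F759CD1F for read/write, F759D3BB for device control, and so on) plus one shared address for the majors a disk driver never implements (804F355A, which I read as the kernel's default handler), while every one of atapi's 28 entries points to the same address, F73EEB3A, the TDL3 stub that TDSSKiller then resolves to 86F0B8C8. The script parses that block format and flags any driver whose whole dispatch table collapses to one address. The log text embedded in it is a constructed excerpt assembled from lines in the thread (ten majors per driver rather than all 28).

```python
"""Flag TDL3-style IRP dispatch-table hooks in a TDSSKiller log.

Added example, not code from the thread or from TDSSKiller. It parses the
"Driver Name:" / "IRP_MJ_* : <addr>" blocks TDSSKiller prints and flags any
driver whose dispatch entries all resolve to one address. A clean driver has
its own routines for the majors it serves and the kernel's default handler
for the rest, so at least two distinct addresses; TDL3 overwrites every entry
with one stub that redirects into the rootkit's code in pool memory.
"""
import re

# Constructed excerpt of a TDSSKiller log, assembled from lines in the thread
# (the real dump lists all 28 IRP_MJ_* majors; ten per driver are enough here).
SAMPLE_LOG = r"""
17:24:17:406 1460 Driver Name: Disk
17:24:17:406 1460 IRP_MJ_CREATE : F75A2BB0
17:24:17:406 1460 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
17:24:17:406 1460 IRP_MJ_CLOSE : F75A2BB0
17:24:17:406 1460 IRP_MJ_READ : F759CD1F
17:24:17:406 1460 IRP_MJ_WRITE : F759CD1F
17:24:17:406 1460 IRP_MJ_DEVICE_CONTROL : F759D3BB
17:24:17:406 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F75A0F28
17:24:17:406 1460 IRP_MJ_SHUTDOWN : F759D2E2
17:24:17:406 1460 IRP_MJ_POWER : F759EC82
17:24:17:406 1460 IRP_MJ_SYSTEM_CONTROL : F75A399E
17:24:17:406 1460 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
17:24:17:406 1460 Driver Name: atapi
17:24:17:406 1460 IRP_MJ_CREATE : F73EEB3A
17:24:17:406 1460 IRP_MJ_CREATE_NAMED_PIPE : F73EEB3A
17:24:17:406 1460 IRP_MJ_CLOSE : F73EEB3A
17:24:17:406 1460 IRP_MJ_READ : F73EEB3A
17:24:17:406 1460 IRP_MJ_WRITE : F73EEB3A
17:24:17:406 1460 IRP_MJ_DEVICE_CONTROL : F73EEB3A
17:24:17:406 1460 IRP_MJ_INTERNAL_DEVICE_CONTROL : F73EEB3A
17:24:17:406 1460 IRP_MJ_SHUTDOWN : F73EEB3A
17:24:17:406 1460 IRP_MJ_POWER : F73EEB3A
17:24:17:406 1460 IRP_MJ_SYSTEM_CONTROL : F73EEB3A
17:24:17:406 1460 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
17:24:17:406 1460 TDL3_IrpHookDetect: New IrpHandler addr: 86F0B8C8
"""

TS = r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+"          # the "17:24:17:406 1460 " prefix
DRIVER_RE = re.compile(TS + r"Driver Name:\s*(\S+)")
IRP_RE = re.compile(TS + r"(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})\s*$")
HOOK_RE = re.compile(TS + r"TDL3_IrpHookDetect: New IrpHandler addr:\s*([0-9A-Fa-f]{8})")


def parse_dispatch_tables(log_text):
    """Return a list of {"driver", "irps": {major: addr}, "resolved_hook"} in log order.

    A list rather than a dict because TDSSKiller dumps the same driver several
    times (disk.sys appears three times in the thread) and each dump is judged alone.
    """
    tables = []
    for line in log_text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            tables.append({"driver": m.group(1), "irps": {}, "resolved_hook": None})
            continue
        if not tables:
            continue                                  # lines before the first driver block
        m = IRP_RE.match(line)
        if m:
            tables[-1]["irps"][m.group(1)] = int(m.group(2), 16)
            continue
        m = HOOK_RE.match(line)
        if m:
            tables[-1]["resolved_hook"] = int(m.group(1), 16)
    return tables


def find_hooked_drivers(log_text, min_entries=8):
    """Return one finding per dump whose IRP_MJ_* entries all share one address.

    min_entries guards against a truncated dump: a driver with only a handful of
    parsed entries says nothing either way, so it is skipped rather than flagged.
    """
    findings = []
    for t in parse_dispatch_tables(log_text):
        addrs = set(t["irps"].values())
        if len(t["irps"]) >= min_entries and len(addrs) == 1:
            findings.append({
                "driver": t["driver"],
                "stub": addrs.pop(),                  # the address every entry was rewritten to
                "entries": len(t["irps"]),
                "resolved_hook": t["resolved_hook"],  # where the stub really jumps, if resolved
            })
    return findings


if __name__ == "__main__":
    for f in find_hooked_drivers(SAMPLE_LOG):
        target = "%08X" % f["resolved_hook"] if f["resolved_hook"] is not None else "unresolved"
        print("%s: all %d IRP_MJ entries -> %08X (real handler: %s)"
              % (f["driver"], f["entries"], f["stub"], target))
```

The single-address test is deliberately narrow: it catches the wholesale rewrite TDL3 performs on atapi but would miss a rootkit that hooks only IRP_MJ_READ and IRP_MJ_WRITE, which is why TDSSKiller also looks for its stub signature and dumps the StartIo handler.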

TDSS found a corrupt Atapi.sys file. Here is the log.

Yes, I knew Atapi.sys was infected. That's what was causing the redirects. It was just a matter of getting a tool that would work to fix it, as it can be risky fixing it manually. Have the redirects stopped?

Run and post a new OTL log as instructed earlier. There will be no extras log this time.

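A check worth running once the cure-on-reboot has happened, as an added example that is not part of the thread or of OTL's own code: Windows keeps several protected copies of atapi.sys (dllcache, ServicePackFiles\i386, plus the ERDNT\cache backup ComboFix takes), and OTL's "MD5 for:" custom scan simply hashes the live driver next to each of them. The script below does the same and gives a verdict. It uses MD5 because that is what OTL reports; the $NtServicePackUninstall$ copy is the older pre-SP3 build and legitimately hashes differently, so the verdict compares the live file with the hash most reference copies share rather than requiring all of them to agree. Files, contents and timestamps are constructed in a temporary directory so it runs anywhere; on a real machine the paths would be the ones in the OTL log.

```python
"""Verify a restored Windows driver against the protected copies Windows keeps.

Added example, not code from the thread or from OTL. It performs the check
behind OTL's "< MD5 for: ATAPI.SYS >" section: hash the live driver and every
reference copy and say whether the live file matches the servicing copies.
The layout and file contents below are constructed stand-ins.
"""
import hashlib
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Relative paths of the XP locations OTL lists, as path components.
LIVE = ("WINDOWS", "system32", "drivers", "atapi.sys")
REFERENCES = [
    ("WINDOWS", "system32", "dllcache", "atapi.sys"),
    ("WINDOWS", "ServicePackFiles", "i386", "atapi.sys"),
    ("WINDOWS", "ERDNT", "cache", "atapi.sys"),
    ("WINDOWS", "$NtServicePackUninstall$", "atapi.sys"),   # pre-SP3 build, hashes differently
]
ONE_DAY = 86400


def md5_file(path, chunk=1 << 16):
    """Hex MD5 of a file, read in chunks; upper-case to match OTL's output."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def verify_driver(live_path, reference_paths):
    """Compare a live driver with its reference copies.

    Missing references are skipped, not treated as mismatches. The consensus
    hash is the one most references share; other reference hashes are listed
    separately so an older service-pack copy does not break the verdict.
    """
    refs = {p: md5_file(p) for p in reference_paths if os.path.isfile(p)}
    live = md5_file(live_path)
    consensus = Counter(refs.values()).most_common(1)[0][0] if refs else None
    if consensus is None:
        verdict = "no-reference"
    elif live == consensus:
        verdict = "match"
    else:
        verdict = "MISMATCH"
    # A correct hash with a much newer modification time is what TDSSKiller's
    # "Backup copy found ... cured on next reboot" leaves behind: worth noting,
    # not an alarm on its own.
    ref_mtimes = [os.path.getmtime(p) for p, h in refs.items() if h == consensus]
    recently_rewritten = bool(ref_mtimes) and os.path.getmtime(live_path) > max(ref_mtimes) + ONE_DAY
    return {
        "live_md5": live,
        "references": refs,
        "consensus": consensus,
        "other_versions": sorted({h for h in refs.values() if h != consensus}),
        "verdict": verdict,
        "recently_rewritten": recently_rewritten,
    }


def build_demo(root):
    """Write constructed stand-ins for the real files; returns (live path, reference paths)."""
    sp3 = b"MZ\x90\x00 constructed stand-in for the SP3 atapi.sys build"
    sp2 = b"MZ\x90\x00 constructed stand-in for the SP2 atapi.sys build"
    old = datetime(2008, 4, 13, 18, 40, 30, tzinfo=timezone.utc).timestamp()  # build date OTL shows
    paths = {}
    for parts in [LIVE] + REFERENCES:
        p = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(sp2 if "$NtServicePackUninstall$" in parts else sp3)
        if parts != LIVE:
            os.utime(p, (old, old))   # references keep their 2008 timestamp; the live file is fresh
        paths[parts] = p
    return paths[LIVE], [paths[r] for r in REFERENCES]


def run_demo():
    """Run the check on a clean restore, then on a tampered live driver."""
    with tempfile.TemporaryDirectory() as root:
        live, refs = build_demo(root)
        clean = verify_driver(live, refs)
        with open(live, "wb") as f:                   # simulate a patched driver body
            f.write(b"MZ\x90\x00 constructed stand-in for an infected atapi.sys")
        tampered = verify_driver(live, refs)
    return clean, tampered


if __name__ == "__main__":
    for label, r in zip(("restored", "tampered"), run_demo()):
        print("%s: %s live=%s consensus=%s rewritten=%s"
              % (label, r["verdict"], r["live_md5"], r["consensus"], r["recently_rewritten"]))
```

On a live infection this check has to be read with care: TDL3 hooks the disk driver's read path, so a scan run from inside the infected system can be shown the clean bytes of atapi.sys while the on-disk copy is patched. The hashes mean most after the cure has rebooted, or when taken from an offline boot, which is also why the thread relies on a tool that unhooks the driver before judging the file.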

Did you still want our help?

Sorry,

I have been out of the country for a week.

See the OTL log as requested.

Thanks

NW

OTL logfile created on: 12/03/2010 19:31:28 - Run 2

OTL by OldTimer - Version 3.1.33.0 Folder = C:\Documents and Settings\DAD\Desktop

Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,023.00 Mb Total Physical Memory | 487.00 Mb Available Physical Memory | 48.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 75.00% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 70.29 Gb Total Space | 38.08 Gb Free Space | 54.18% Space Free | Partition Type: NTFS

Drive D: | 14.33 Gb Total Space | 10.46 Gb Free Space | 72.98% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: DADKIDS

Current User Name: DAD

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 14 Days

Output = Standard

Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/04 18:34:59 | 000,552,960 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe

PRC - [2009/12/11 18:41:15 | 000,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe

PRC - [2009/12/11 18:41:15 | 000,503,576 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe

PRC - [2009/12/03 03:50:39 | 001,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe

PRC - [2009/12/03 03:50:38 | 000,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe

PRC - [2009/12/03 03:50:31 | 000,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe

PRC - [2009/12/03 03:50:30 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe

PRC - [2009/09/24 14:41:58 | 000,434,176 | ---- | M] (Sony Ericsson Mobile Communications AB) -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe

PRC - [2009/04/30 12:23:26 | 000,090,112 | ---- | M] () -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2006/03/01 19:50:06 | 000,626,810 | ---- | M] (Diskeeper Corporation) -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

PRC - [2006/03/01 00:05:54 | 002,364,976 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\IBM ThinkVantage\Client Security Solution\pwmgre.exe

PRC - [2006/03/01 00:00:34 | 001,992,240 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe

PRC - [2006/02/06 22:39:36 | 000,262,144 | R--- | M] (LITE-ON TECHNOLOGY CORP.) -- C:\Program Files\Lenovo\Productivity Keyboard\Skdaemon.exe

PRC - [2006/01/11 23:08:36 | 000,577,536 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE

PRC - [2005/12/07 09:00:00 | 000,106,496 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE

PRC - [2005/10/28 11:23:10 | 001,404,928 | ---- | M] (Belkin) -- C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe

PRC - [2005/08/02 01:33:04 | 000,126,976 | ---- | M] () -- C:\Program Files\ThinkVantage\SystemUpdate\PipeServer.exe

PRC - [2005/04/13 22:34:28 | 000,049,152 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ico.exe

PRC - [2003/11/06 23:51:32 | 000,020,480 | ---- | M] () -- C:\WINDOWS\system32\FSRremoS.EXE

========== Modules (SafeList) ==========

MOD - [2010/03/04 18:34:59 | 000,552,960 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/12/03 03:50:31 | 000,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)

SRV - [2009/12/03 03:50:30 | 000,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)

SRV - [2009/12/03 02:13:32 | 000,032,256 | ---- | M] () [On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\psasrv.exe -- (PsaSrv)

SRV - [2009/04/30 12:23:26 | 000,090,112 | ---- | M] () [Auto | Running] -- C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe -- (OMSI download service)

SRV - [2006/03/01 19:50:06 | 000,626,810 | ---- | M] (Diskeeper Corporation) [Auto | Running] -- C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe -- (Diskeeper)

SRV - [2005/12/22 02:34:58 | 000,077,824 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe -- (TVT Scheduler)

SRV - [2005/12/22 02:20:56 | 001,384,448 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe -- (TVT Backup Service)

SRV - [2005/08/02 01:32:40 | 000,040,960 | ---- | M] () [Disabled | Stopped] -- C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe -- (UCLauncherService)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = http://www.google.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://news.bbc.co.uk/ [binary data]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = D6 FD 9C 1C FA 83 CA 01 [binary data]

IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found

IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

[2010/02/25 00:05:02 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2010/02/24 23:01:36 | 000,380,253 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 www.007guard.com

O1 - Hosts: 127.0.0.1 007guard.com

O1 - Hosts: 127.0.0.1 008i.com

O1 - Hosts: 127.0.0.1 www.008k.com

O1 - Hosts: 127.0.0.1 008k.com

O1 - Hosts: 127.0.0.1 www.00hq.com

O1 - Hosts: 127.0.0.1 00hq.com

O1 - Hosts: 127.0.0.1 010402.com

O1 - Hosts: 127.0.0.1 www.032439.com

O1 - Hosts: 127.0.0.1 032439.com

O1 - Hosts: 127.0.0.1 www.0scan.com

O1 - Hosts: 127.0.0.1 0scan.com

O1 - Hosts: 127.0.0.1 1000gratisproben.com

O1 - Hosts: 127.0.0.1 www.1000gratisproben.com

O1 - Hosts: 127.0.0.1 1001namen.com

O1 - Hosts: 127.0.0.1 www.1001namen.com

O1 - Hosts: 127.0.0.1 100888290cs.com

O1 - Hosts: 127.0.0.1 www.100888290cs.com

O1 - Hosts: 127.0.0.1 www.100sexlinks.com

O1 - Hosts: 127.0.0.1 100sexlinks.com

O1 - Hosts: 127.0.0.1 10sek.com

O1 - Hosts: 127.0.0.1 www.10sek.com

O1 - Hosts: 127.0.0.1 www.1-2005-search.com

O1 - Hosts: 127.0.0.1 1-2005-search.com

O1 - Hosts: 13102 more lines...

O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)

O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()

O3 - HKCU\..\Toolbar\ShellBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()

O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)

O4 - HKLM..\Run: [cssauthe] C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauthe.exe (Lenovo Group Limited)

O4 - HKLM..\Run: [DiskeeperSystray] C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe (Diskeeper Corporation)

O4 - HKLM..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

O4 - HKLM..\Run: [LPManager] C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE (Lenovo Group Limited)

O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\WINDOWS\System32\ico.exe (Primax Electronics Ltd.)

O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)

O4 - HKLM..\Run: [sKDaemon.exe] C:\Program Files\Lenovo\Productivity Keyboard\Skdaemon.exe (LITE-ON TECHNOLOGY CORP.)

O4 - HKLM..\Run: [soundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)

O4 - HKLM..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe ()

O4 - HKCU..\Run: [sony Ericsson PC Suite] C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe (Sony Ericsson Mobile Communications AB)

O4 - HKCU..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe (Belkin)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O8 - Extra context menu item: &Google Search - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O8 - Extra context menu item: &Translate English Word - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O8 - Extra context menu item: Backward Links - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O8 - Extra context menu item: Cached Snapshot of Page - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O8 - Extra context menu item: Similar Pages - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O8 - Extra context menu item: Translate Page into English - C:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/1.4.2/...all-142-win.cab (Java Plug-in 1.4.2)

O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4.2/...all-142-win.cab (Java Plug-in 1.4.2)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254

O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)

O24 - Desktop WallPaper: C:\Documents and Settings\DAD\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\DAD\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/12/03 02:34:50 | 000,000,000 | -H-- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - comfile [open] -- "%1" %*

O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found

NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/08/09 21:12:00 | 000,000,000 | ---D | M]

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)

NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT

Restore point Set: OTL Restore Point (16891891626803200)

========== Files/Folders - Created Within 14 Days ==========

[2010/03/12 19:20:26 | 000,000,000 | ---D | C] -- C:\Program Files\iPod

[2010/03/04 18:34:55 | 000,552,960 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe

[2010/03/04 16:32:28 | 000,000,000 | -HSD | C] -- C:\RECYCLER

[2010/03/03 22:06:19 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2010/03/03 22:04:38 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/03/03 22:04:38 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/03/03 22:04:38 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/03/03 22:04:38 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/03/03 22:04:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/03/03 22:04:29 | 000,000,000 | ---D | C] -- C:\Combo-Fix

[2010/03/03 22:04:16 | 000,000,000 | ---D | C] -- C:\Qoobox

[2009/12/04 22:54:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

[2009/12/03 03:31:59 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

[2009/12/03 03:31:59 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

[2004/08/09 21:33:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/03/12 19:25:06 | 000,002,055 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[2010/03/12 17:04:03 | 057,018,777 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm

[2010/03/12 16:45:01 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/03/12 16:44:58 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/03/12 16:44:55 | 1073,270,784 | -HS- | M] () -- C:\hiberfil.sys

[2010/03/12 16:43:42 | 009,175,040 | -H-- | M] () -- C:\Documents and Settings\DAD\NTUSER.DAT

[2010/03/12 16:43:42 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\DAD\ntuser.ini

[2010/03/12 16:43:35 | 007,469,944 | -H-- | M] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\IconCache.db

[2010/03/12 13:48:40 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{A277806A-F328-4CC4-9BA9-41C902613B3B}.job

[2010/03/12 12:57:31 | 000,002,278 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/03/04 18:34:59 | 000,552,960 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\DAD\Desktop\OTL.exe

[2010/03/03 22:33:37 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/03/03 22:06:24 | 000,000,254 | RHS- | M] () -- C:\BOOT.INI

[2010/03/03 19:34:02 | 000,010,973 | ---- | M] () -- C:\Documents and Settings\DAD\My Documents\1.docx

[2010/02/27 18:29:37 | 000,018,944 | ---- | M] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/02/26 20:22:16 | 000,001,514 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/12 19:21:06 | 000,002,055 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[2010/03/03 22:06:24 | 000,000,184 | ---- | C] () -- C:\Boot.bak

[2010/03/03 22:06:21 | 000,260,272 | ---- | C] () -- C:\cmldr

[2010/03/03 22:04:38 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/03/03 22:04:38 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/03/03 22:04:38 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/03/03 22:04:38 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/03/03 22:04:38 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/03/03 19:34:02 | 000,010,973 | ---- | C] () -- C:\Documents and Settings\DAD\My Documents\1.docx

[2010/02/26 20:22:16 | 000,001,514 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk

[2009/12/10 20:30:43 | 000,018,944 | ---- | C] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/12/03 21:18:10 | 000,000,204 | ---- | C] () -- C:\WINDOWS\RtlRack.ini

[2009/12/03 02:33:54 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\DAD\Local Settings\Application Data\fusioncache.dat

[2009/12/03 02:16:06 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2009/12/03 02:05:14 | 000,028,848 | ---- | C] () -- C:\WINDOWS\System32\drivers\USBkey.sys

[2009/12/03 02:03:39 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll

[2009/12/03 02:03:39 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll

[2009/12/03 02:03:39 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll

[2009/12/03 02:03:39 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll

[2009/12/03 02:03:39 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll

[2009/12/03 02:03:39 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll

[2009/12/03 02:03:18 | 000,000,032 | ---- | C] () -- C:\WINDOWS\WININIT.INI

[2009/12/03 01:58:25 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll

[2009/12/03 01:57:38 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\FSRremoC.DLL

[2009/12/03 01:57:38 | 000,005,528 | ---- | C] () -- C:\WINDOWS\System32\Setup2k.ini

[2009/12/03 01:57:38 | 000,000,296 | ---- | C] () -- C:\WINDOWS\System32\presetup.ini

[2006/02/03 00:37:10 | 000,004,676 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI

[2006/01/19 20:46:22 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini

[2006/01/10 21:38:30 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RTLCPAPI.dll

[2005/07/12 22:44:42 | 000,015,872 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD64.DLL

[2004/08/09 21:34:32 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini

[2004/03/24 00:38:00 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\InsDrvZD.dll

[2002/04/11 18:47:52 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\msmscoin.dll

========== LOP Check ==========

[2009/12/02 22:12:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar

[2009/12/03 03:50:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\avg9

[2009/12/10 00:11:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software

[2009/12/03 02:01:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lenovo

[2010/02/18 11:30:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

[2009/12/03 02:35:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ThinkVantage

[2009/12/25 09:53:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

[2010/02/24 22:24:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\AVG9

[2009/12/03 20:48:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\GetRightToGo

[2009/12/03 02:04:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\IBM

[2009/12/03 19:46:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\InterVideo

[2009/12/03 19:50:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Leadertech

[2009/12/06 19:06:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\LEGO Company

[2009/12/06 20:13:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Lenovo

[2009/12/09 16:54:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\MSNInstaller

[2009/12/12 19:33:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Sony

[2009/12/12 19:23:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\Sony Setup

[2009/12/03 02:35:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\ThinkVantage

[2009/12/09 19:44:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\DAD\Application Data\TrueSwitch

[2010/03/12 13:48:40 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{A277806A-F328-4CC4-9BA9-41C902613B3B}.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

< MD5 for: AGP440.SYS >

[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:AGP440.sys

[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys

[2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

[2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys

[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys

[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys

[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

[2004/08/04 07:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >

[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\I386\sp2.cab:atapi.sys

[2004/08/04 13:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys

[2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys

[2009/12/02 21:35:40 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys

[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys

[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys

[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys

[2010/03/05 17:26:47 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

[2004/08/04 06:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >

[2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll

[2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll

[2008/04/14 00:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

[2004/08/04 13:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >

[2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll

[2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll

[2008/04/14 00:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

[2009/02/06 18:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

[2009/02/06 18:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$NtUninstallKB975467_0$\netlogon.dll

[2004/08/04 13:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtUninstallKB968389_0$\netlogon.dll

< MD5 for: SCECLI.DLL >

[2004/08/04 13:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

[2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll

[2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll

[2008/04/14 00:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 114 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D1B5B4F1

< End of report >
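An added example, not part of the original thread or of OTL: a small parser for the `< MD5 for: ... >` custom-scan sections above that flags a live driver under `system32\drivers` whose hash differs from every pristine copy Windows keeps (ServicePackFiles, dllcache, ERDNT cache). That is the check the log makes by eye for atapi.sys, since a TDL3-style in-place patch keeps the size and vendor string intact and only the hash gives it away. The sample report is constructed: the reference hash is the one in the log, the all-zero live hash is invented to exercise the mismatch path.

```python
import re

# Constructed sample in OTL custom-scan format. The atapi.sys live copy carries
# a made-up hash (all zeros) so the check has something to flag.
SAMPLE_REPORT = r"""
< MD5 for: ATAPI.SYS >
[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 18:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2010/03/05 17:26:47 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000000 -- C:\WINDOWS\system32\drivers\atapi.sys
< MD5 for: AGP440.SYS >
[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 18:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
"""

SECTION_RE = re.compile(r"^< MD5 for: (?P<name>\S+) >$")
# .cab entries have no MD5= field and are skipped by this pattern on purpose.
ENTRY_RE = re.compile(
    r"^\[(?P<mtime>[^|]+?) \| (?P<size>[\d,]+) \| [^\]]*\] "
    r"\((?P<vendor>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$")

# Directories holding pristine copies of system files; the live driver
# directory is compared against them.
REFERENCE_DIRS = ("\\servicepackfiles\\i386\\", "\\system32\\dllcache\\", "\\erdnt\\cache\\")
LIVE_DIR = "\\system32\\drivers\\"


def parse_md5_sections(text):
    """Return {driver_name: [(path, md5, size), ...]} from OTL custom-scan text."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").lower()
            sections.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current:
            sections[current].append((m.group("path"), m.group("md5").upper(), m.group("size")))
    return sections


def find_patched_drivers(text):
    """Return {name: (live_path, live_md5, sorted_reference_md5s)} for every
    live driver whose hash matches none of its backup copies."""
    findings = {}
    for name, entries in parse_md5_sections(text).items():
        reference = {md5 for path, md5, _ in entries
                     if any(d in path.lower() for d in REFERENCE_DIRS)}
        for path, md5, _ in entries:
            if LIVE_DIR in path.lower() and reference and md5 not in reference:
                findings[name] = (path, md5, sorted(reference))
    return findings


if __name__ == "__main__":
    for name, (path, md5, ref) in find_patched_drivers(SAMPLE_REPORT).items():
        print(f"MISMATCH {name}: {path} has {md5}, backups have {ref}")
```

A rootkit that is still active can hide the real on-disk bytes from the scanner, so a clean comparison is only trustworthy when the hashes come from a tool that reads the disk independently of the running kernel.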


Great, glad it's running better. No problem on the delay, just thought I'd check in.

I see you have MalwareBytes installed. I would suggest you run a quick scan with it and have it fix whatever it finds. Post the log if it does.

Also,

Go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on the Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
     • Spyware, Adware, Dialers, and other potentially dangerous programs
     • Archives
     • Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


2 weeks later...
Still with us here?

Sorry - I've been away from my pc again. Thanks for your time helping me.

The Kaspersky report is below - it looks all good to me:

KASPERSKY ONLINE SCANNER 7.0: scan report

Monday, March 22, 2010

Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Monday, March 22, 2010 12:34:19

Records in database: 3846667

Scan settings

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area: My Computer

C:\

D:\

E:\

F:\

G:\

H:\

I:\

Scan statistics

Objects scanned: 83895

Threats found: 0

Infected objects found: 0

Suspicious objects found: 0

Scan duration: 02:42:24

No threats found. Scanned area is clean.

Selected area has been scanned.


Okay great. If MalwareBytes comes up clean I think you're good to go. Just some cleanup...

Uninstall Combofix

  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U; it needs to be there.

The above procedure will:

  • Delete the following: ComboFix and its associated files and folders.
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

++++++++++++++++++++++

Now to remove most of the rest of the tools that we have used in fixing your machine:

  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

++++++++++++++++++++++

In addition to updating and using what you currently have you may want to consider the following:

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some free and evaluation versions that provide better security than the Windows Firewall.

Online-Armor
Outpost Firewall

For a tutorial on Firewalls and a listing of some other available ones see the link below:

Understanding and Using Firewalls

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

Install Winpatrol -

Use Winpatrol to take control of your PC and provide another layer of security.

Help file and tutorial can be found Here

Block unwanted parasites with a custom hosts file -

http://www.mvps.org/winhelp2002/hosts.htm

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly or set your computer to receive automatic updates. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Update all of your Anti-Malware programs regularly - Make sure you update all the programs I have listed and the ones you are currently running regularly. Without regular updates you Will Not be protected when new malicious programs are released.

Keep your applications up to date -

Use Secunia Personal Software Inspector to help stay on top of application updates that could leave your PC vulnerable to attack.

I'll leave the thread open a few days in case you have questions or issues.

Regards,

Dave
