
Issues with Google Link after Malwarebytes found some issues



Hey All, thanks in advance for your help with this.

A couple of days ago I had a rogue virus window pop up saying I was infected. I closed out of the window and ran Malwarebytes. It originally found 4 infections and said that it fixed them correctly; after it was finished I noticed that about 75% of the Google links I try to follow get redirected to advertisement sites. I ran Malwarebytes again and it now shows clean, but I am pretty sure that something is still wrong.

Below I have attached all of the scan files requested in the forum. I have also attached both Malwarebytes logs: one is from when the infections were found and the other is the recent clean one.

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3976

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/10/2010 7:22:05 PM

mbam-log-2010-04-10 (19-22-05).txt

Scan type: Quick scan

Objects scanned: 101650

Time elapsed: 6 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Phil\Local Settings\temp\58.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Phil\Local Settings\temp\5B.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Phil\Local Settings\temp\5D.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Phil\Local Settings\temp\60.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3983

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/12/2010 5:43:23 PM

mbam-log-2010-04-12 (17-43-23).txt

Scan type: Full scan (C:\|E:\|)

Objects scanned: 171632

Time elapsed: 56 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

DDS (Ver_10-03-17.01) - NTFSx86

Run by Phil at 22:57:13.04 on Mon 04/12/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1332 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\lxddcoms.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe

C:\WINDOWS\system32\ICO.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

E:\Program Files\Winamp\winampa.exe

C:\Program Files\Lexmark 2500 Series\lxddmon.exe

C:\Program Files\Lexmark 2500 Series\lxddamon.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Documents and Settings\Phil\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/home.php

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

uURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Google Update] "c:\documents and settings\phil\local settings\application data\google\update\GoogleUpdate.exe" /c

mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"

mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start

mRun: [Mouse Suite 98 Daemon] ICO.EXE

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [synTPStart] c:\program files\synaptics\syntp\SynTPStart.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [WinampAgent] "e:\program files\winamp\winampa.exe"

mRun: [lxddmon.exe] "c:\program files\lexmark 2500 series\lxddmon.exe"

mRun: [lxddamon] "c:\program files\lexmark 2500 series\lxddamon.exe"

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

StartupFolder: c:\docume~1\phil\startm~1\programs\startup\mobile~1.lnk - c:\program files\watchguard\mobile user vpn\SafeCfg.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\phil\applic~1\mozilla\firefox\profiles\k8l8zeaw.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\documents and settings\phil\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\phil\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-14 335240]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-14 27784]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-14 108552]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-14 297752]

R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [2009-5-5 521786]

R2 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [2009-5-5 119864]

R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]

R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [2009-5-5 36188]

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]

S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2009-5-8 99248]

S3 jbridgep;jbridgep;\??\c:\docume~1\phil\locals~1\temp\jbridgep.sys --> c:\docume~1\phil\locals~1\temp\jbridgep.sys [?]

S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2010-2-15 9472]

=============== Created Last 30 ================

2010-04-13 04:50:21 156 ----a-w- c:\documents and settings\phil\defogger_reenable

2010-04-11 06:11:15 34 ---ha-w- c:\windows\system32\Converter_sysquict.dat

2010-04-11 06:11:11 0 d-----w- c:\program files\Free Convert WMV MOV MPEG to AVI DIVX Converter

2010-04-11 05:53:43 98816 ----a-w- c:\windows\sed.exe

2010-04-11 05:53:43 77312 ----a-w- c:\windows\MBR.exe

2010-04-11 05:53:43 261632 ----a-w- c:\windows\PEV.exe

2010-04-11 05:53:43 161792 ----a-w- c:\windows\SWREG.exe

2010-04-11 04:37:25 94 ----a-w- c:\documents and settings\phil\default.pls

2010-04-11 03:40:16 116 ----a-w- c:\windows\NeroDigital.ini

2010-04-11 03:18:12 135532 ------w- c:\windows\UNNeroVision.cfg

2010-04-11 03:18:11 2670592 ------w- c:\windows\UNNeroVision.exe

2010-04-11 03:17:59 38912 ------w- c:\windows\system32\picn20.dll

2010-04-11 02:54:00 5888 ------w- c:\windows\system32\drivers\imagedrv.sys

2010-04-11 02:54:00 127488 ------w- c:\windows\system32\drivers\imagesrv.sys

2010-04-11 02:53:38 364544 ------w- c:\windows\system32\TwnLib4.dll

2010-04-11 02:53:38 106496 ------w- c:\windows\system32\TwnLib20.dll

2010-04-11 02:53:37 476320 ------w- c:\windows\system32\ImagXpr7.dll

2010-04-11 02:53:37 471040 ------w- c:\windows\system32\ImagXRA7.dll

2010-04-11 02:53:37 262144 ------w- c:\windows\system32\ImagXR7.dll

2010-04-11 02:53:37 1568768 ------w- c:\windows\system32\ImagX7.dll

2010-04-11 02:53:37 155648 ----a-w- c:\windows\system32\NeroCheck.exe

2010-04-11 02:09:54 0 d-----w- C:\Reg Backups

2010-04-11 02:06:38 0 d-----w- c:\program files\CCleaner

2010-04-06 15:27:21 0 d-----w- c:\docume~1\phil\applic~1\Facebook

2010-04-05 15:21:53 0 d-----w- C:\Temp folder for DVD

2010-04-05 15:08:21 506986496 ----a-w- C:\VOLUME_IDENTIFIER.ISO

2010-04-05 15:00:06 0 d-----w- C:\VOLUME_IDENTIFIER

2010-04-05 05:35:22 0 d-----w- c:\program files\DVD Shrink

2010-04-03 19:13:38 0 d-----w- c:\docume~1\phil\applic~1\AVS4YOU

2010-04-03 19:13:38 0 d-----w- c:\docume~1\alluse~1\applic~1\AVS4YOU

2010-04-03 19:12:15 0 d-----w- c:\program files\common files\AVSMedia

2010-04-03 19:12:14 974848 ----a-w- c:\windows\system32\mfc70.dll

2010-04-03 19:12:14 487424 ----a-w- c:\windows\system32\msvcp70.dll

2010-04-03 19:12:14 344064 ----a-w- c:\windows\system32\msvcr70.dll

2010-04-03 19:12:14 24576 ------w- c:\windows\system32\msxml3a.dll

2010-04-03 19:12:14 1700352 ----a-w- c:\windows\system32\GdiPlus.dll

2010-04-03 19:12:13 0 d-----w- c:\program files\AVS4YOU

2010-04-03 04:29:15 0 d-----w- c:\program files\UP

==================== Find3M ====================

2010-04-12 02:50:59 57600 ----a-w- c:\windows\system32\drivers\redbook.sys

2010-03-30 06:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 06:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-09 10:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-02-25 06:24:37 916480 ------w- c:\windows\system32\wininet.dll

2010-02-15 16:22:54 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf

2010-02-15 16:22:14 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf

============= FINISH: 22:59:08.82 ===============


Hi pvonkaenel,

Welcome to the forum.

My nickname is deltalima and I will be helping you with your computer problems.

The logs can take some time to research, so please be patient with me.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

TDSSKiller

  • Download the file TDSSKiller.zip and save it on your desktop
  • Extract the file tdsskiller.zip; it will create a folder named tdsskiller on your desktop.
  • Next, double-click the tdsskiller folder on your desktop.
  • Next, right-click on tdsskiller.exe, click Copy, then Paste it directly onto your Desktop.
  • Highlight and copy the text in the codebox below.
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"


  • Click Start, click Run... and paste the text above into the Open: line and click OK.
  • Wait for the scan and disinfection process to be over.
  • Open tdsskiller.txt on your desktop and post the contents in your next reply.

Thank you very much for the help.

Here is the TDSSKiller.txt you requested.

10:52:27:000 1444 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04

10:52:27:000 1444 ================================================================================

10:52:27:000 1444 SystemInfo:

10:52:27:000 1444 OS Version: 5.1.2600 ServicePack: 3.0

10:52:27:000 1444 Product type: Workstation

10:52:27:000 1444 ComputerName: PHILV-T64

10:52:27:000 1444 UserName: Phil

10:52:27:000 1444 Windows directory: C:\WINDOWS

10:52:27:000 1444 Processor architecture: Intel x86

10:52:27:000 1444 Number of processors: 1

10:52:27:000 1444 Page size: 0x1000

10:52:27:015 1444 Boot type: Normal boot

10:52:27:015 1444 ================================================================================

10:52:27:015 1444 UnloadDriverW: NtUnloadDriver error 1

10:52:27:015 1444 ForceUnloadDriverW: UnloadDriverW(klmd21) error 1

10:52:27:031 1444 LoadDriverW: Driver already loaded

10:52:27:031 1444 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

10:52:27:031 1444 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

10:52:27:031 1444 wfopen_ex: Trying to KLMD file open

10:52:27:031 1444 wfopen_ex: File opened ok (Flags 2)

10:52:27:031 1444 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

10:52:27:031 1444 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

10:52:27:031 1444 wfopen_ex: Trying to KLMD file open

10:52:27:031 1444 wfopen_ex: File opened ok (Flags 2)

10:52:27:031 1444 Initialize success

10:52:27:031 1444

10:52:27:031 1444 Scanning Services ...

10:52:29:546 1444 Raw services enum returned 352 services

10:52:29:593 1444

10:52:29:593 1444 Scanning Kernel memory ...

10:52:29:593 1444 Devices to scan: 4

10:52:29:593 1444

10:52:29:593 1444 Driver Name: Disk

10:52:29:593 1444 IRP_MJ_CREATE : F74EDBB0

10:52:29:593 1444 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

10:52:29:593 1444 IRP_MJ_CLOSE : F74EDBB0

10:52:29:593 1444 IRP_MJ_READ : F74E7D1F

10:52:29:593 1444 IRP_MJ_WRITE : F74E7D1F

10:52:29:593 1444 IRP_MJ_QUERY_INFORMATION : 804F355A

10:52:29:593 1444 IRP_MJ_SET_INFORMATION : 804F355A

10:52:29:593 1444 IRP_MJ_QUERY_EA : 804F355A

10:52:29:593 1444 IRP_MJ_SET_EA : 804F355A

10:52:29:593 1444 IRP_MJ_FLUSH_BUFFERS : F74E82E2

10:52:29:593 1444 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

10:52:29:593 1444 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

10:52:29:593 1444 IRP_MJ_DIRECTORY_CONTROL : 804F355A

10:52:29:593 1444 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

10:52:29:593 1444 IRP_MJ_DEVICE_CONTROL : F74E83BB

10:52:29:593 1444 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74EBF28

10:52:29:593 1444 IRP_MJ_SHUTDOWN : F74E82E2

10:52:29:593 1444 IRP_MJ_LOCK_CONTROL : 804F355A

10:52:29:593 1444 IRP_MJ_CLEANUP : 804F355A

10:52:29:593 1444 IRP_MJ_CREATE_MAILSLOT : 804F355A

10:52:29:593 1444 IRP_MJ_QUERY_SECURITY : 804F355A

10:52:29:593 1444 IRP_MJ_SET_SECURITY : 804F355A

10:52:29:593 1444 IRP_MJ_POWER : F74E9C82

10:52:29:593 1444 IRP_MJ_SYSTEM_CONTROL : F74EE99E

10:52:29:593 1444 IRP_MJ_DEVICE_CHANGE : 804F355A

10:52:29:593 1444 IRP_MJ_QUERY_QUOTA : 804F355A

10:52:29:593 1444 IRP_MJ_SET_QUOTA : 804F355A

10:52:29:593 1444 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

10:52:29:593 1444

10:52:29:593 1444 Driver Name: Disk

10:52:29:593 1444 IRP_MJ_CREATE : F74EDBB0

10:52:29:593 1444 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

10:52:29:593 1444 IRP_MJ_CLOSE : F74EDBB0

10:52:29:593 1444 IRP_MJ_READ : F74E7D1F

10:52:29:593 1444 IRP_MJ_WRITE : F74E7D1F

10:52:29:593 1444 IRP_MJ_QUERY_INFORMATION : 804F355A

10:52:29:593 1444 IRP_MJ_SET_INFORMATION : 804F355A

10:52:29:593 1444 IRP_MJ_QUERY_EA : 804F355A

10:52:29:593 1444 IRP_MJ_SET_EA : 804F355A

10:52:29:593 1444 IRP_MJ_FLUSH_BUFFERS : F74E82E2

10:52:29:593 1444 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

10:52:29:593 1444 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

10:52:29:593 1444 IRP_MJ_DIRECTORY_CONTROL : 804F355A

10:52:29:593 1444 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

10:52:29:593 1444 IRP_MJ_DEVICE_CONTROL : F74E83BB

10:52:29:593 1444 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74EBF28

10:52:29:593 1444 IRP_MJ_SHUTDOWN : F74E82E2

10:52:29:593 1444 IRP_MJ_LOCK_CONTROL : 804F355A

10:52:29:593 1444 IRP_MJ_CLEANUP : 804F355A

10:52:29:593 1444 IRP_MJ_CREATE_MAILSLOT : 804F355A

10:52:29:593 1444 IRP_MJ_QUERY_SECURITY : 804F355A

10:52:29:593 1444 IRP_MJ_SET_SECURITY : 804F355A

10:52:29:593 1444 IRP_MJ_POWER : F74E9C82

10:52:29:593 1444 IRP_MJ_SYSTEM_CONTROL : F74EE99E

10:52:29:593 1444 IRP_MJ_DEVICE_CHANGE : 804F355A

10:52:29:593 1444 IRP_MJ_QUERY_QUOTA : 804F355A

10:52:29:593 1444 IRP_MJ_SET_QUOTA : 804F355A

10:52:29:593 1444 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

10:52:29:593 1444

10:52:29:593 1444 Driver Name: atapi

10:52:29:593 1444 IRP_MJ_CREATE : F72D66F2

10:52:29:593 1444 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

10:52:29:593 1444 IRP_MJ_CLOSE : F72D66F2

10:52:29:593 1444 IRP_MJ_READ : 804F355A

10:52:29:593 1444 IRP_MJ_WRITE : 804F355A

10:52:29:593 1444 IRP_MJ_QUERY_INFORMATION : 804F355A

10:52:29:593 1444 IRP_MJ_SET_INFORMATION : 804F355A

10:52:29:593 1444 IRP_MJ_QUERY_EA : 804F355A

10:52:29:593 1444 IRP_MJ_SET_EA : 804F355A

10:52:29:593 1444 IRP_MJ_FLUSH_BUFFERS : 804F355A

10:52:29:593 1444 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

10:52:29:593 1444 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

10:52:29:593 1444 IRP_MJ_DIRECTORY_CONTROL : 804F355A

10:52:29:593 1444 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

10:52:29:593 1444 IRP_MJ_DEVICE_CONTROL : F72D6712

10:52:29:593 1444 IRP_MJ_INTERNAL_DEVICE_CONTROL : F72D2852

10:52:29:593 1444 IRP_MJ_SHUTDOWN : 804F355A

10:52:29:593 1444 IRP_MJ_LOCK_CONTROL : 804F355A

10:52:29:593 1444 IRP_MJ_CLEANUP : 804F355A

10:52:29:593 1444 IRP_MJ_CREATE_MAILSLOT : 804F355A

10:52:29:593 1444 IRP_MJ_QUERY_SECURITY : 804F355A

10:52:29:593 1444 IRP_MJ_SET_SECURITY : 804F355A

10:52:29:593 1444 IRP_MJ_POWER : F72D673C

10:52:29:593 1444 IRP_MJ_SYSTEM_CONTROL : F72DD336

10:52:29:593 1444 IRP_MJ_DEVICE_CHANGE : 804F355A

10:52:29:593 1444 IRP_MJ_QUERY_QUOTA : 804F355A

10:52:29:593 1444 IRP_MJ_SET_QUOTA : 804F355A

10:52:29:593 1444 C:\WINDOWS\system32\drivers\tsk5.tmp - Verdict: 3

10:52:29:593 1444

10:52:29:593 1444 Driver Name: atapi

10:52:29:593 1444 IRP_MJ_CREATE : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_CREATE_NAMED_PIPE : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_CLOSE : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_READ : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_WRITE : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_QUERY_INFORMATION : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_SET_INFORMATION : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_QUERY_EA : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_SET_EA : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_FLUSH_BUFFERS : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_SET_VOLUME_INFORMATION : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_DIRECTORY_CONTROL : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_FILE_SYSTEM_CONTROL : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_DEVICE_CONTROL : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_SHUTDOWN : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_LOCK_CONTROL : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_CLEANUP : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_CREATE_MAILSLOT : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_QUERY_SECURITY : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_SET_SECURITY : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_POWER : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_SYSTEM_CONTROL : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_DEVICE_CHANGE : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_QUERY_QUOTA : 8A3A9AC8

10:52:29:593 1444 IRP_MJ_SET_QUOTA : 8A3A9AC8

10:52:29:593 1444 Driver "atapi" infected by TDSS rootkit!

10:52:29:593 1444 C:\WINDOWS\system32\drivers\tsk5.tmp - Verdict: 3

10:52:29:593 1444

10:52:29:593 1444 Completed

10:52:29:593 1444

10:52:29:593 1444 Results:

10:52:29:593 1444 Memory objects infected / cured / cured on reboot: 1 / 0 / 0

10:52:29:593 1444 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

10:52:29:593 1444 File objects infected / cured / cured on reboot: 0 / 0 / 0

10:52:29:593 1444

10:52:29:593 1444 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

10:52:29:593 1444 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

10:52:29:593 1444 UnloadDriverW: NtUnloadDriver error 1

10:52:29:593 1444 KLMD(ARK) unloaded successfully

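The two "atapi" blocks in the TDSSKiller log above show what the tool is keying on. The first device object still dispatches through a mix of handlers inside the driver (F72D66F2, F72D6712) plus one shared kernel address (804F355A) for major functions a port driver never implements, such as IRP_MJ_CREATE_NAMED_PIPE and IRP_MJ_QUERY_QUOTA. The second device object routes every IRP_MJ entry, including those never-implemented ones, to the single address 8A3A9AC8, which is how a rootkit that has replaced the driver object's dispatch table looks from the outside. The script below is an added example, not part of the forum thread and not TDSSKiller's own code; it parses that section of a TDSSKiller log and flags device objects whose table has been redirected. The sample log is constructed from the lines posted above, trimmed to a few entries per device. Two assumptions are built in and labelled: that 804F355A is the kernel's stub for unsupported requests, and that the four majors in NEVER_IMPLEMENTED are ones a storage driver does not handle itself.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the TDSSKiller log posted in the thread, trimmed
# to a handful of IRP_MJ entries per device object so the block stays short.
SAMPLE_LOG = r"""
10:52:29:593 1444 Scanning Kernel memory ...
10:52:29:593 1444 Devices to scan: 4
10:52:29:593 1444
10:52:29:593 1444 Driver Name: Disk
10:52:29:593 1444 IRP_MJ_CREATE : F74EDBB0
10:52:29:593 1444 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
10:52:29:593 1444 IRP_MJ_CLOSE : F74EDBB0
10:52:29:593 1444 IRP_MJ_READ : F74E7D1F
10:52:29:593 1444 IRP_MJ_WRITE : F74E7D1F
10:52:29:593 1444 IRP_MJ_QUERY_QUOTA : 804F355A
10:52:29:593 1444 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
10:52:29:593 1444
10:52:29:593 1444 Driver Name: atapi
10:52:29:593 1444 IRP_MJ_CREATE : F72D66F2
10:52:29:593 1444 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
10:52:29:593 1444 IRP_MJ_CLOSE : F72D66F2
10:52:29:593 1444 IRP_MJ_READ : 804F355A
10:52:29:593 1444 IRP_MJ_DEVICE_CONTROL : F72D6712
10:52:29:593 1444 IRP_MJ_QUERY_QUOTA : 804F355A
10:52:29:593 1444 C:\WINDOWS\system32\drivers\tsk5.tmp - Verdict: 3
10:52:29:593 1444
10:52:29:593 1444 Driver Name: atapi
10:52:29:593 1444 IRP_MJ_CREATE : 8A3A9AC8
10:52:29:593 1444 IRP_MJ_CREATE_NAMED_PIPE : 8A3A9AC8
10:52:29:593 1444 IRP_MJ_CLOSE : 8A3A9AC8
10:52:29:593 1444 IRP_MJ_READ : 8A3A9AC8
10:52:29:593 1444 IRP_MJ_DEVICE_CONTROL : 8A3A9AC8
10:52:29:593 1444 IRP_MJ_QUERY_QUOTA : 8A3A9AC8
10:52:29:593 1444 Driver "atapi" infected by TDSS rootkit!
10:52:29:593 1444 C:\WINDOWS\system32\drivers\tsk5.tmp - Verdict: 3
"""

# TDSSKiller prefixes every line with "HH:MM:SS:mmm <pid>"; the rest is the message.
LINE_RE = re.compile(r"^\d\d:\d\d:\d\d:\d\d\d\s+\d+\s*(.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s*(\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(.+?)\s+-\s+Verdict:\s+(\d+)$")

# Assumption: a disk/port driver never implements these majors, so in a clean table they
# all share one address, the kernel's stub for unsupported requests (804F355A in this log).
NEVER_IMPLEMENTED = (
    "IRP_MJ_CREATE_NAMED_PIPE",
    "IRP_MJ_CREATE_MAILSLOT",
    "IRP_MJ_QUERY_QUOTA",
    "IRP_MJ_SET_QUOTA",
)


def parse_devices(log_text):
    """Split the 'Scanning Kernel memory' section into one record per device object."""
    devices, cur = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        body = m.group(1).strip()
        d = DRIVER_RE.match(body)
        if d:
            cur = {"driver": d.group(1), "irps": {}, "file": None, "verdict": None}
            devices.append(cur)
            continue
        if cur is None:
            continue
        i = IRP_RE.match(body)
        if i:
            cur["irps"][i.group(1)] = int(i.group(2), 16)
            continue
        v = VERDICT_RE.match(body)
        if v:
            cur["file"], cur["verdict"] = v.group(1), int(v.group(2))
    return devices


def infer_default_handler(devices):
    """Most common address behind the never-implemented majors across all devices."""
    votes = Counter()
    for dev in devices:
        for major in NEVER_IMPLEMENTED:
            if major in dev["irps"]:
                votes[dev["irps"][major]] += 1
    return votes.most_common(1)[0][0] if votes else None


def find_hooked(devices):
    """Return records for device objects whose dispatch table looks redirected."""
    default = infer_default_handler(devices)
    hits = []
    for dev in devices:
        addrs = dev["irps"]
        reasons = []
        # Heuristic 1: every recorded major resolves to one address, i.e. a single
        # trampoline now fronts the whole driver.
        if len(addrs) >= 4 and len(set(addrs.values())) == 1:
            reasons.append("all %d IRP_MJ entries resolve to %08X"
                           % (len(addrs), next(iter(addrs.values()))))
        # Heuristic 2: majors the driver never implements no longer point at the
        # kernel default, so something took them over along with the real ones.
        stolen = [mj for mj in NEVER_IMPLEMENTED if mj in addrs and addrs[mj] != default]
        if default is not None and stolen:
            reasons.append("unsupported majors %s no longer point at the kernel default %08X"
                           % (",".join(stolen), default))
        if reasons:
            hits.append({"driver": dev["driver"], "file": dev["file"],
                         "verdict": dev["verdict"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_hooked(parse_devices(SAMPLE_LOG)):
        print(hit["driver"], hit["file"], "verdict", hit["verdict"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run against the trimmed sample it reports only the second atapi device object, for both reasons. The heuristic reads nothing but the log; it cannot tell where 8A3A9AC8 lives, which is why the GMER log in the next post, with its "Device -> \Driver\atapi \Device\Harddisk0\DR0" entry and "atapi.sys suspicious modification", is the useful second opinion before any cleanup.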

Here is the new GMER log.

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-04-13 12:50:08

Windows 5.1.2600 Service Pack 3

Running: 9yhey3sg.exe; Driver: C:\DOCUME~1\Phil\LOCALS~1\Temp\pgloapod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwClose [0xA83F0A1C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateDirectoryObject [0xA83F0A48]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateFile [0xA83F0A7C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateKey [0xA83F0AD0]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwDeleteKey [0xA83F0B14]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateKey [0xA83F0B40]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateValueKey [0xA83F0B80]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwFlushKey [0xA83F0BC0]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMakeTemporaryObject [0xA83F0BEC]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMapViewOfSection [0xA83F0C18]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenKey [0xA83F0C68]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenSection [0xA83F0C9C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryInformationFile [0xA83F0CD0]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryKey [0xA83F0D0C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryValueKey [0xA83F0D48]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwReadFile [0xA83F0D88]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationFile [0xA83F0DD4]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationThread [0xA83F0E10]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetValueKey [0xA83F0E48]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwUnmapViewOfSection [0xA83F0E88]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwWriteFile [0xA83F0EB8]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A3AEAC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Hi pvonkaenel,

Run Combofix:

Temporarily disable any antispyware, antivirus and or antimalware real-time protection as they may interfere with running of ComboFix.

Download ComboFix from here to your Desktop.

For more information about Combofix please see here.

Close all programs.

Double click combofix.exe and follow the prompts.

If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it


Here is the combofix log you requested

ComboFix 10-04-13.02 - Phil 04/13/2010 13:44:03.3.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1376 [GMT -6:00]

Running from: c:\documents and settings\Phil\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))

.

2010-04-11 06:23 . 2010-04-11 06:23 -------- d-----w- c:\documents and settings\Phil\Local Settings\Application Data\Ahead

2010-04-11 06:11 . 2010-04-11 06:11 34 ---ha-w- c:\windows\system32\Converter_sysquict.dat

2010-04-11 06:11 . 2010-04-11 06:16 -------- d-----w- c:\program files\Free Convert WMV MOV MPEG to AVI DIVX Converter

2010-04-11 03:18 . 2005-01-04 20:19 2670592 ------w- c:\windows\UNNeroVision.exe

2010-04-11 03:17 . 2001-06-26 13:15 38912 ------w- c:\windows\system32\picn20.dll

2010-04-11 02:54 . 2005-09-01 17:03 5888 ------w- c:\windows\system32\drivers\imagedrv.sys

2010-04-11 02:54 . 2005-09-01 17:03 127488 ------w- c:\windows\system32\drivers\imagesrv.sys

2010-04-11 02:53 . 2004-07-09 14:43 364544 ------w- c:\windows\system32\TwnLib4.dll

2010-04-11 02:53 . 2000-06-26 16:45 106496 ------w- c:\windows\system32\TwnLib20.dll

2010-04-06 15:27 . 2010-04-06 15:27 50354 ----a-w- c:\documents and settings\Phil\Application Data\Facebook\uninstall.exe

2010-04-06 15:27 . 2010-04-06 15:27 -------- d-----w- c:\documents and settings\Phil\Application Data\Facebook

2010-04-05 15:21 . 2010-04-05 15:22 -------- d-----w- C:\Temp folder for DVD

2010-04-05 15:00 . 2010-04-05 15:00 -------- d-----w- C:\VOLUME_IDENTIFIER

2010-04-05 05:35 . 2010-04-05 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink

2010-04-05 05:35 . 2010-04-05 05:35 -------- d-----w- c:\program files\DVD Shrink

2010-04-03 19:13 . 2010-04-03 19:13 -------- d-----w- c:\documents and settings\Phil\Application Data\AVS4YOU

2010-04-03 19:13 . 2010-04-03 19:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU

2010-04-03 19:12 . 2010-04-11 00:15 -------- d-----w- c:\program files\Common Files\AVSMedia

2010-04-03 19:12 . 2008-09-25 20:36 487424 ----a-w- c:\windows\system32\msvcp70.dll

2010-04-03 19:12 . 2008-09-25 20:36 344064 ----a-w- c:\windows\system32\msvcr70.dll

2010-04-03 19:12 . 2008-09-25 20:36 974848 ----a-w- c:\windows\system32\mfc70.dll

2010-04-03 19:12 . 2008-09-25 20:36 1700352 ----a-w- c:\windows\system32\GdiPlus.dll

2010-04-03 19:12 . 2008-09-25 20:36 24576 ------w- c:\windows\system32\msxml3a.dll

2010-04-03 19:12 . 2010-04-11 00:15 -------- d-----w- c:\program files\AVS4YOU

2010-04-03 04:43 . 2010-04-03 04:43 -------- d-----w- c:\documents and settings\Phil\Local Settings\Application Data\Help

2010-04-03 04:29 . 2010-04-03 04:43 -------- d-----w- c:\program files\UP

2010-03-30 22:43 . 2010-03-30 22:43 -------- d-----w- c:\program files\Common Files\Java

2010-03-30 22:42 . 2010-03-30 22:42 503808 ----a-w- c:\documents and settings\Phil\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-69b8d53b-n\msvcp71.dll

2010-03-30 22:42 . 2010-03-30 22:42 499712 ----a-w- c:\documents and settings\Phil\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-69b8d53b-n\jmc.dll

2010-03-30 22:42 . 2010-03-30 22:42 348160 ----a-w- c:\documents and settings\Phil\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-69b8d53b-n\msvcr71.dll

2010-03-30 22:42 . 2010-03-30 22:42 61440 ----a-w- c:\documents and settings\Phil\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-28dfe275-n\decora-sse.dll

2010-03-30 22:42 . 2010-03-30 22:42 12800 ----a-w- c:\documents and settings\Phil\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-28dfe275-n\decora-d3d.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-13 16:54 . 2004-08-04 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-04-12 02:50 . 2009-04-23 11:30 57600 ----a-w- c:\windows\system32\drivers\redbook.sys

2010-04-11 04:41 . 2010-04-11 00:20 -------- d-----w- c:\documents and settings\Phil\Application Data\Ahead

2010-04-11 03:18 . 2010-04-11 02:53 -------- d-----w- c:\program files\Ahead

2010-04-11 02:53 . 2010-04-11 00:12 -------- d-----w- c:\program files\Common Files\Ahead

2010-04-11 02:06 . 2010-04-11 02:06 -------- d-----w- c:\program files\CCleaner

2010-04-11 01:12 . 2009-09-14 19:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-04-11 01:10 . 2010-02-16 03:31 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-04-11 00:18 . 2010-04-11 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead

2010-04-03 19:13 . 2009-04-23 17:48 46080 -c--a-w- c:\documents and settings\Phil\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-03-30 22:42 . 2009-11-28 05:54 -------- d-----w- c:\program files\Java

2010-03-30 06:46 . 2009-09-14 19:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-30 06:45 . 2009-09-14 19:11 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-26 06:14 . 2009-05-08 19:59 -------- d-----w- c:\program files\Lx_cats

2010-03-09 10:28 . 2009-11-28 05:54 411368 ----a-w- c:\windows\system32\deploytk.dll

2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\Phil\Application Data\Facebook\axfbootloader.dll

2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Phil\Application Data\Facebook\npfbplugin_1_0_3.dll

2010-02-25 06:24 . 2004-08-04 12:00 916480 ------w- c:\windows\system32\wininet.dll

2010-02-15 16:22 . 2010-02-15 16:22 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf

2010-02-15 16:22 . 2010-02-15 16:22 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf

.

((((((((((((((((((((((((((((( SnapShot_2010-04-11_06.03.03 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-04-13 18:44 . 2010-04-13 18:44 16384 c:\windows\Temp\Perflib_Perfdata_388.dat

+ 2010-04-11 15:41 . 2008-04-14 00:11 21504 c:\windows\system32\ReinstallBackups\0005\DriverFiles\i386\hidserv.dll

+ 2004-08-04 12:00 . 2010-04-13 18:48 79360 c:\windows\system32\perfc009.dat

- 2004-08-04 12:00 . 2010-04-11 05:45 79360 c:\windows\system32\perfc009.dat

+ 2009-04-23 11:30 . 2010-04-12 02:50 57600 c:\windows\system32\dllcache\redbook.sys

+ 2004-08-04 12:00 . 2010-04-13 18:48 465640 c:\windows\system32\perfh009.dat

- 2004-08-04 12:00 . 2010-04-11 05:45 465640 c:\windows\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2009-11-25 20:01 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Google Update"="c:\documents and settings\Phil\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-04-13 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-02 344064]

"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 202032]

"Mouse Suite 98 Daemon"="ICO.EXE" [2004-07-14 57344]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]

"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"WinampAgent"="e:\program files\Winamp\winampa.exe" [2009-04-10 37888]

"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-06-12 291760]

"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-04-30 20480]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-03-21 2046816]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

c:\documents and settings\Phil\Start Menu\Programs\Startup\

Mobile User VPN.lnk - c:\program files\WatchGuard\Mobile User VPN\SafeCfg.exe [2009-5-5 65588]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2009-5-20 114688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-09-14 19:01 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

"e:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=

"c:\\WINDOWS\\system32\\lxddcoms.exe"=

"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=

"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

"e:\\Program Files\\Call of Duty Game of the Year Edition\\CoDMP.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=

"c:\\Program Files\\WatchGuard\\Mobile User VPN\\IreIKE.exe"=

"c:\program files\WatchGuard\Mobile User VPN\ViewLog.exe"= c:\program files\WatchGuard\Mobile User VPN\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog

"c:\program files\WatchGuard\Mobile User VPN\CmonApp.exe"= c:\program files\WatchGuard\Mobile User VPN\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp

"c:\program files\WatchGuard\Mobile User VPN\vpn.exe"= c:\program files\WatchGuard\Mobile User VPN\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager

"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/14/2009 1:01 PM 335240]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/14/2009 1:01 PM 108552]

R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/14/2009 1:00 PM 297752]

R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [5/5/2009 10:21 PM 521786]

R2 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [5/5/2009 10:21 PM 119864]

R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]

R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [5/5/2009 10:19 PM 36188]

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 2:06 PM 231424]

S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [5/8/2009 1:58 PM 99248]

S3 jbridgep;jbridgep;\??\c:\docume~1\Phil\LOCALS~1\Temp\jbridgep.sys --> c:\docume~1\Phil\LOCALS~1\Temp\jbridgep.sys [?]

S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2/15/2010 11:31 AM 9472]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/16/2009 10:59 AM 691696]

--- Other Services/Drivers In Memory ---

*Deregistered* - pgloapod

.

Contents of the 'Scheduled Tasks' folder

2010-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-308236825-839522115-1003Core.job

- c:\documents and settings\Phil\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-13 04:20]

2010-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-308236825-839522115-1003UA.job

- c:\documents and settings\Phil\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-13 04:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.facebook.com/home.php

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Phil\Application Data\Mozilla\Firefox\Profiles\k8l8zeaw.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll

FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll

FF - plugin: c:\documents and settings\Phil\Application Data\Facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\Phil\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-13 13:51

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A3AEAC8]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf74ebf28

\Driver\ACPI -> ACPI.sys @ 0xf735ecb8

\Driver\atapi -> atapi.sys @ 0xf72d2852

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

ParseProcedure -> ntkrnlpa.exe @ 0x80577c84

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579022

ParseProcedure -> ntkrnlpa.exe @ 0x80577c84

NDIS: Broadcom 802.11b/g WLAN -> SendCompleteHandler -> NDIS.sys @ 0xf71c6bb0

PacketIndicateHandler -> NDIS.sys @ 0xf71d3a21

SendHandler -> NDIS.sys @ 0xf71b187b

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1252)

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1312)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3796)

c:\windows\system32\WININET.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-04-13 13:54:49

ComboFix-quarantined-files.txt 2010-04-13 19:54

ComboFix2.txt 2010-04-11 06:06

ComboFix3.txt 2010-02-16 02:22

Pre-Run: 31,597,973,504 bytes free

Post-Run: 31,586,906,112 bytes free

- - End Of File - - C9155FF9D2CE86C5F996C90910492C93


Hi pvonkaenel,

This looks to be a new variant of the rootkit. I have escalated this to a group of experts for a method to remove it, and will be back to you as soon as we have more information.

Please be assured that I will reply as soon as we have identified a suitable fix.

While this is happening please run the following -

Custom OTL scan

  • Double click on OTL.exe to run it.
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • Please post the contents of OTL.txt in your next reply.

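The /md5start ... /md5stop block in the post above asks OTL to hash a fixed list of drivers, atapi.sys among them, which is the file GMER flagged as modified earlier in the thread. The script below is an added example, not from the thread or from OTL, that performs the equivalent check offline: it hashes each listed driver and compares it with the backup copies Windows XP keeps in system32\dllcache and ServicePackFiles\i386 (default paths assumed here, not taken from the log), reporting any driver that matches none of its backups.

```python
# Added example (not from the thread or from OTL): hash the drivers from the
# OTL /md5start ... /md5stop list and compare each against the backup copies
# Windows XP keeps, so a patched driver shows up as a hash mismatch.
import hashlib
import os
import tempfile
from pathlib import Path

# Driver names copied from the OTL custom-scan list in the post above.
RISKY_DRIVERS = [
    "iaStor.sys", "nvstor.sys", "atapi.sys", "IdeChnDr.sys", "viasraid.sys",
    "AGP440.sys", "vaxscsi.sys", "nvatabus.sys", "viamraid.sys", "nvata.sys",
    "nvgts.sys", "iastorv.sys", "ViPrt.sys", "ahcix86.sys", "KR10N.sys",
    "nvstor32.sys", "ahcix86s.sys", "nvrd32.sys", "symmpi.sys", "adp3132.sys",
    "mv61xx.sys", "nvraid.sys",
]

# Usual XP locations (assumed defaults, not read from the log): the live driver
# directory and the two places Windows keeps a pristine copy of system files.
SYSTEMROOT = Path(os.environ.get("SystemRoot", r"C:\WINDOWS"))
LIVE_DIR = SYSTEMROOT / "system32" / "drivers"
BACKUP_DIRS = [SYSTEMROOT / "system32" / "dllcache",
               SYSTEMROOT / "ServicePackFiles" / "i386"]


def md5_file(path):
    """MD5 of a file, read in chunks so large drivers need not fit in memory.

    MD5 is used because it is what OTL reports; the check only needs equality
    between two local files, so MD5's collision weakness is irrelevant here.
    """
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_drivers(live_dir, backup_dirs, names=RISKY_DRIVERS):
    """Classify each driver as 'match', 'MISMATCH', 'no-backup' or 'absent'.

    MISMATCH is the interesting result: a core driver whose on-disk image
    differs from every backup copy Windows kept of it, the kind of finding
    GMER reports as 'suspicious modification'. A match is weaker evidence,
    since anything that overwrote both copies would pass this check.
    """
    results = {}
    for name in names:
        live = Path(live_dir) / name
        if not live.is_file():
            results[name] = "absent"        # driver not installed on this box
            continue
        live_hash = md5_file(live)
        backups = [Path(d) / name for d in backup_dirs
                   if (Path(d) / name).is_file()]
        if not backups:
            results[name] = "no-backup"     # nothing to compare against
        elif any(md5_file(b) == live_hash for b in backups):
            results[name] = "match"
        else:
            results[name] = "MISMATCH"
    return results


def mismatches(results):
    """Names whose live copy differs from every backup, sorted for stable output."""
    return sorted(n for n, status in results.items() if status == "MISMATCH")


def demo():
    """Self-contained run on constructed files; no real driver tree needed."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "drivers"
        cache = Path(tmp) / "dllcache"
        live.mkdir()
        cache.mkdir()
        # Constructed sample data: atapi.sys altered on disk, nvraid.sys
        # identical to its backup, iaStor.sys present with no backup copy.
        (cache / "atapi.sys").write_bytes(b"original atapi image")
        (live / "atapi.sys").write_bytes(b"original atapi image" + b" patched")
        (cache / "nvraid.sys").write_bytes(b"nvraid image")
        (live / "nvraid.sys").write_bytes(b"nvraid image")
        (live / "iaStor.sys").write_bytes(b"iastor image")
        results = compare_drivers(live, [cache])
        for name in ("atapi.sys", "nvraid.sys", "iaStor.sys", "nvstor.sys"):
            print(f"{name:14} {results[name]}")
        return results


if __name__ == "__main__":
    demo()
```

On a live XP system call `compare_drivers(LIVE_DIR, BACKUP_DIRS)`; a MISMATCH on atapi.sys would corroborate the GMER finding, while a match is not by itself proof that the driver is clean.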

Here is the OTL.exe log

OTL logfile created on: 4/13/2010 3:10:12 PM - Run 1

OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\Phil\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 86.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.52 Gb Total Space | 29.44 Gb Free Space | 39.50% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

Drive E: | 74.52 Gb Total Space | 33.09 Gb Free Space | 44.41% Space Free | Partition Type: NTFS

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: PHILV-T64

Current User Name: Phil

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 14 Days

Output = Standard

Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/13 15:08:53 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Phil\Desktop\OTL.exe

PRC - [2010/04/11 01:52:33 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe

PRC - [2010/03/20 18:33:08 | 002,046,816 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe

PRC - [2009/09/14 13:01:01 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe

PRC - [2009/09/14 13:01:01 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe

PRC - [2009/09/14 13:00:49 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe

PRC - [2008/10/15 17:13:58 | 000,439,632 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\winvnc4.exe

PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2007/06/11 19:27:24 | 000,291,760 | ---- | M] () -- C:\Program Files\Lexmark 2500 Series\lxddmon.exe

PRC - [2007/05/25 09:41:38 | 000,537,520 | ---- | M] ( ) -- C:\WINDOWS\system32\lxddcoms.exe

PRC - [2006/04/12 21:22:42 | 000,114,688 | ---- | M] (InterVideo Inc.) -- C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

PRC - [2004/08/11 13:22:52 | 000,065,588 | ---- | M] (SafeNet) -- C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe

PRC - [2004/08/11 13:22:46 | 000,057,398 | ---- | M] (SafeNet) -- C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe

PRC - [2004/08/11 13:22:44 | 000,319,538 | ---- | M] (SafeNet) -- C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe

PRC - [2004/07/14 15:36:54 | 000,057,344 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ICO.EXE

========== Modules (SafeList) ==========

MOD - [2010/04/13 15:08:53 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Phil\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/09/14 13:00:49 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)

SRV - [2008/10/15 17:13:58 | 000,439,632 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)

SRV - [2007/05/25 09:41:54 | 000,099,248 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe -- (lxddCATSCustConnectService)

SRV - [2007/05/25 09:41:38 | 000,537,520 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxddcoms.exe -- (lxdd_device)

SRV - [2004/08/11 13:22:46 | 000,057,398 | ---- | M] (SafeNet) [Auto | Running] -- C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe -- (IPSECMON)

SRV - [2004/08/11 13:22:44 | 000,319,538 | ---- | M] (SafeNet) [Auto | Running] -- C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe -- (IREIKE)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php

IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found

IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.facebook.com/home.php"

FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5.0.429

FF - prefs.js..extensions.enabledItems: avg@igeared:3.011.025.005

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..keyword.URL: "http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p="

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/12/21 10:44:49 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared [2009/12/28 19:49:18 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/11 01:52:48 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/11 01:52:47 | 000,000,000 | ---D | M]

[2009/07/27 20:02:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Mozilla\Extensions

[2010/04/12 22:30:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\k8l8zeaw.default\extensions

[2009/09/27 16:33:31 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\k8l8zeaw.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2010/04/11 21:25:32 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2004/08/04 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)

O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()

O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()

O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()

O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)

O4 - HKLM..\Run: [lxddamon] C:\Program Files\Lexmark 2500 Series\lxddamon.exe ()

O4 - HKLM..\Run: [lxddmon.exe] C:\Program Files\Lexmark 2500 Series\lxddmon.exe ()

O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\WINDOWS\System32\ICO.EXE (Primax Electronics Ltd.)

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)

O4 - HKLM..\Run: [synTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)

O4 - HKLM..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe ()

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe (InterVideo Inc.)

O4 - Startup: C:\Documents and Settings\Phil\Start Menu\Programs\Startup\Mobile User VPN.lnk = C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe (SafeNet)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 172.16.1.20 205.171.3.65 205.171.2.65

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 205.171.3.65 205.171.2.65

O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)

O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/04/23 11:38:57 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found

NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/04/23 05:19:43 | 000,000,000 | ---D | M]

NetSvcs: Iprip - File not found

NetSvcs: Irmon - File not found

NetSvcs: NWCWorkstation - File not found

NetSvcs: Nwsapagent - File not found

NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT

Restore point Set: OTL Restore Point (17746534284132352)

========== Files/Folders - Created Within 14 Days ==========

[2010/04/13 15:08:43 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Phil\Desktop\OTL.exe

[2010/04/13 10:50:16 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Phil\Desktop\TDSSKiller.exe

[2010/04/11 00:23:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Local Settings\Application Data\Ahead

[2010/04/11 00:11:11 | 000,000,000 | ---D | C] -- C:\Program Files\Free Convert WMV MOV MPEG to AVI DIVX Converter

[2010/04/10 23:53:43 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/04/10 23:53:43 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/04/10 23:53:43 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/04/10 23:53:43 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/04/10 23:37:01 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Phil\Recent

[2010/04/10 21:17:59 | 000,038,912 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\picn20.dll

[2010/04/10 20:53:38 | 000,364,544 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\TwnLib4.dll

[2010/04/10 20:53:38 | 000,106,496 | ---- | C] (Pegasus Software) -- C:\WINDOWS\System32\TwnLib20.dll

[2010/04/10 20:53:37 | 001,568,768 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagX7.dll

[2010/04/10 20:53:37 | 000,476,320 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagXpr7.dll

[2010/04/10 20:53:37 | 000,471,040 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagXRA7.dll

[2010/04/10 20:53:37 | 000,262,144 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagXR7.dll

[2010/04/10 20:53:37 | 000,155,648 | ---- | C] (Ahead Software Gmbh) -- C:\WINDOWS\System32\NeroCheck.exe

[2010/04/10 20:53:35 | 000,000,000 | ---D | C] -- C:\Program Files\Ahead

[2010/04/10 20:09:54 | 000,000,000 | ---D | C] -- C:\Reg Backups

[2010/04/10 20:06:38 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner

[2010/04/10 18:49:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\My Documents\NeroVision

[2010/04/10 18:37:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2010/04/10 18:37:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2010/04/10 18:20:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Application Data\Ahead

[2010/04/10 18:18:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Ahead

[2010/04/10 18:12:59 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Ahead

[2010/04/06 09:27:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Application Data\Facebook

[2010/04/05 09:21:53 | 000,000,000 | ---D | C] -- C:\Temp folder for DVD

[2010/04/05 09:00:06 | 000,000,000 | ---D | C] -- C:\VOLUME_IDENTIFIER

[2010/04/04 23:35:22 | 000,000,000 | ---D | C] -- C:\Program Files\DVD Shrink

[2010/04/04 23:35:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DVD Shrink

[2010/04/03 13:13:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Application Data\AVS4YOU

[2010/04/03 13:13:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVS4YOU

[2010/04/03 13:12:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\AVSMedia

[2010/04/03 13:12:13 | 000,000,000 | ---D | C] -- C:\Program Files\AVS4YOU

[2010/04/02 22:43:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Local Settings\Application Data\Help

[2010/04/02 22:43:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Application Data\Help

[2010/04/02 22:29:15 | 000,000,000 | ---D | C] -- C:\Program Files\UP

[2010/03/30 16:43:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun

[2010/03/30 16:43:06 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

[2009/09/18 21:48:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe

[2009/09/14 12:59:31 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

[2009/09/14 12:59:31 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

[2009/09/14 12:59:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

[2009/09/14 12:59:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

[2009/05/08 13:57:55 | 001,232,896 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddserv.dll

[2009/05/08 13:57:55 | 000,999,424 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddusb1.dll

[2009/05/08 13:57:55 | 000,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddpmui.dll

[2009/05/08 13:57:55 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddlmpm.dll

[2009/05/08 13:57:55 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddinpa.dll

[2009/05/08 13:57:55 | 000,397,312 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddiesc.dll

[2009/05/08 13:57:55 | 000,323,584 | ---- | C] ( ) -- C:\WINDOWS\System32\LXDDhcp.dll

[2009/05/08 13:57:55 | 000,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddprox.dll

[2009/05/08 13:57:55 | 000,094,208 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddpplc.dll

[2009/05/08 13:57:54 | 000,700,416 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddhbn3.dll

[2009/05/08 13:57:54 | 000,684,032 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddcomc.dll

[2009/05/08 13:57:54 | 000,425,984 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddcomm.dll

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/13 15:08:53 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Phil\Desktop\OTL.exe

[2010/04/13 14:25:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-308236825-839522115-1003UA.job

[2010/04/13 13:54:51 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/04/13 13:51:44 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/04/13 13:41:12 | 003,914,375 | R--- | M] () -- C:\Documents and Settings\Phil\Desktop\ComboFix.exe

[2010/04/13 13:39:10 | 004,194,304 | -H-- | M] () -- C:\Documents and Settings\Phil\NTUSER.DAT

[2010/04/13 12:48:54 | 000,555,168 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/04/13 12:48:54 | 000,465,640 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/04/13 12:48:54 | 000,079,360 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/04/13 12:45:55 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/04/13 12:44:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/04/13 12:43:08 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Phil\ntuser.ini

[2010/04/13 10:49:03 | 000,154,469 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\tdsskiller.zip

[2010/04/13 10:48:42 | 058,857,433 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm

[2010/04/12 23:34:36 | 000,004,208 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\Attach.zip

[2010/04/12 22:59:51 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\9yhey3sg.exe

[2010/04/12 22:56:13 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\dds.scr

[2010/04/12 22:50:24 | 000,000,156 | ---- | M] () -- C:\Documents and Settings\Phil\defogger_reenable

[2010/04/12 22:49:03 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\Defogger.exe

[2010/04/12 22:25:01 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-308236825-839522115-1003Core.job

[2010/04/12 22:22:32 | 000,002,277 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\Google Chrome.lnk

[2010/04/11 21:22:40 | 000,000,094 | ---- | M] () -- C:\Documents and Settings\Phil\default.pls

[2010/04/11 21:21:54 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini

[2010/04/11 09:03:38 | 000,115,200 | ---- | M] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/04/11 00:11:15 | 000,000,034 | -H-- | M] () -- C:\WINDOWS\System32\Converter_sysquict.dat

[2010/04/10 19:01:27 | 000,193,776 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/04/09 23:28:51 | 000,001,722 | -H-- | M] () -- C:\Documents and Settings\Phil\My Documents\Default.rdp

[2010/04/05 09:09:30 | 506,986,496 | ---- | M] () -- C:\VOLUME_IDENTIFIER.ISO

[2010/04/04 23:35:22 | 000,000,670 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\DVD Shrink 3.2.lnk

[2010/04/03 13:13:36 | 000,046,080 | ---- | M] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2010/04/02 00:03:24 | 006,397,780 | -H-- | M] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\IconCache.db

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/13 10:48:55 | 000,154,469 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\tdsskiller.zip

[2010/04/12 23:34:36 | 000,004,208 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\Attach.zip

[2010/04/12 22:59:49 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\9yhey3sg.exe

[2010/04/12 22:56:11 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\dds.scr

[2010/04/12 22:50:21 | 000,000,156 | ---- | C] () -- C:\Documents and Settings\Phil\defogger_reenable

[2010/04/12 22:49:02 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\Defogger.exe

[2010/04/12 22:22:32 | 000,002,277 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\Google Chrome.lnk

[2010/04/12 22:20:53 | 000,000,974 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-308236825-839522115-1003UA.job

[2010/04/12 22:20:52 | 000,000,922 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-308236825-839522115-1003Core.job

[2010/04/11 00:11:15 | 000,000,034 | -H-- | C] () -- C:\WINDOWS\System32\Converter_sysquict.dat

[2010/04/10 23:53:43 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/04/10 23:53:43 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/04/10 23:53:43 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/04/10 23:53:43 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/04/10 23:53:43 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/04/10 23:51:44 | 003,914,375 | R--- | C] () -- C:\Documents and Settings\Phil\Desktop\ComboFix.exe

[2010/04/10 22:37:25 | 000,000,094 | ---- | C] () -- C:\Documents and Settings\Phil\default.pls

[2010/04/10 21:40:16 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2010/04/10 21:18:12 | 000,135,532 | ---- | C] () -- C:\WINDOWS\UNNeroVision.cfg

[2010/04/05 09:08:21 | 506,986,496 | ---- | C] () -- C:\VOLUME_IDENTIFIER.ISO

[2010/04/04 23:35:22 | 000,000,670 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\DVD Shrink 3.2.lnk

[2009/10/18 20:51:23 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL

[2009/10/09 17:31:42 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll

[2009/10/09 17:31:30 | 000,000,032 | ---- | C] () -- C:\WINDOWS\sierra.ini

[2009/09/18 18:37:00 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll

[2009/09/13 01:06:16 | 000,000,745 | ---- | C] () -- C:\WINDOWS\CoD.INI

[2009/09/07 22:56:11 | 000,000,765 | ---- | C] () -- C:\Documents and Settings\All Users\lxdd

[2009/07/27 20:49:42 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI

[2009/05/20 08:39:57 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll

[2009/05/20 08:39:57 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll

[2009/05/20 08:39:57 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll

[2009/05/20 08:39:57 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll

[2009/05/20 08:39:57 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll

[2009/05/20 08:39:57 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll

[2009/05/15 10:25:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI

[2009/05/08 13:58:58 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxddvs.dll

[2009/05/08 13:58:56 | 000,344,064 | ---- | C] () -- C:\WINDOWS\System32\lxddcoin.dll

[2009/05/08 13:58:30 | 000,692,224 | ---- | C] () -- C:\WINDOWS\System32\lxdddrs.dll

[2009/05/08 13:58:30 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxddcnv4.dll

[2009/05/08 13:58:30 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\lxddcaps.dll

[2009/05/08 13:58:13 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\lxddrwrd.ini

[2009/05/08 13:57:55 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\LXDDinst.dll

[2009/05/08 13:57:54 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxddgrd.dll

[2009/05/05 22:19:14 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\nsldap32v50.dll

[2009/05/03 14:37:12 | 000,115,200 | ---- | C] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/05/02 22:22:38 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

[2009/04/26 07:51:04 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini

[2009/04/23 14:54:05 | 000,008,181 | ---- | C] () -- C:\WINDOWS\System32\Setup2k.ini

[2009/04/23 14:54:05 | 000,000,184 | ---- | C] () -- C:\WINDOWS\System32\presetup.ini

[2009/04/23 14:48:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\QSwitch.txt

[2009/04/23 14:48:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\DSwitch.txt

[2009/04/23 14:48:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\AtStart.txt

[2009/04/23 12:16:47 | 000,000,484 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2009/04/23 11:46:38 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Phil\ntuser.ini

[2009/04/23 11:46:37 | 004,194,304 | -H-- | C] () -- C:\Documents and Settings\Phil\NTUSER.DAT

[2009/04/23 11:46:37 | 000,024,576 | -H-- | C] () -- C:\Documents and Settings\Phil\NTUSER.DAT.LOG

[2009/03/03 12:18:04 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll

[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini

[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini

[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini

[2003/06/20 06:00:00 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2009/05/02 22:25:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Age of Empires 3

[2009/09/27 16:39:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar

[2010/01/02 20:17:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite

[2009/05/04 14:40:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound

[2009/05/08 12:13:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TaxCut

[2009/09/16 11:05:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\DAEMON Tools Lite

[2010/04/06 09:27:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Facebook

[2009/06/30 00:22:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\InterVideo

[2009/05/20 08:40:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Leadertech

[2009/05/08 13:59:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Lexmark Productivity Studio

[2009/05/04 14:40:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\NCH Swift Sound

[2009/05/04 14:39:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Recordpad

[2009/05/08 12:15:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\TaxCut

[2009/04/27 22:45:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Windows Desktop Search

[2009/04/28 15:30:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Windows Search

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

[2009/09/12 15:01:01 | 001,374,154 | ---- | M] () -- C:\wrar390.exe

< MD5 for: AGP440.SYS >

[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys

[2009/04/25 16:20:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

[2009/04/25 16:20:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys

[2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys

[2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\maxdriver\agp440.sys

[2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys

[2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\dllcache\agp440.sys

[2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >

[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys

[2009/04/25 16:20:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys

[2009/04/25 16:20:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys

[2010/04/13 10:54:31 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys

[2008/04/13 12:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\maxdriver\atapi.sys

[2008/04/13 12:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys

[2010/04/13 10:54:31 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >

[2008/04/13 18:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll

[2008/04/13 18:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll

[2008/04/13 18:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: IASTOR.SYS >

[2005/04/25 09:28:14 | 000,871,040 | ---- | M] (Intel Corporation) MD5=D593517879E65167DF35F6015814AC59 -- C:\WINDOWS\dell\iastor\iastor.sys

< MD5 for: NETLOGON.DLL >

[2008/04/13 18:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll

[2008/04/13 18:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll

[2008/04/13 18:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: NVATABUS.SYS >

[2005/05/17 16:45:08 | 000,092,800 | ---- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\dell\nvraid\NvAtaBus.sys

[2005/05/17 16:45:08 | 000,092,800 | ---- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\maxdriver\NvAtaBus.sys

[2005/05/17 16:45:08 | 000,092,800 | ---- | M] (NVIDIA Corporation) MD5=DCE353985C988BFB7E84FD942068151F -- C:\WINDOWS\system32\drivers\NvAtaBus.sys

< MD5 for: NVRAID.SYS >

[2005/05/17 16:45:12 | 000,076,288 | ---- | M] (NVIDIA Corporation) MD5=9C8A8E00648EAF7A1D794F7CFB25A6B4 -- C:\WINDOWS\dell\nvraid\nvraid.sys

[2005/05/17 16:45:12 | 000,076,288 | ---- | M] (NVIDIA Corporation) MD5=9C8A8E00648EAF7A1D794F7CFB25A6B4 -- C:\WINDOWS\maxdriver\nvraid.sys

[2005/05/17 16:45:12 | 000,076,288 | ---- | M] (NVIDIA Corporation) MD5=9C8A8E00648EAF7A1D794F7CFB25A6B4 -- C:\WINDOWS\system32\drivers\nvraid.sys

< MD5 for: SCECLI.DLL >

[2008/04/13 18:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll

[2008/04/13 18:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll

[2008/04/13 18:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >

[2009/04/23 05:26:18 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav

[2009/04/23 05:26:18 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav

[2009/04/23 05:26:18 | 000,892,928 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< End of report >

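The TDSSKiller log in the next post prints an IRP_MJ dispatch table for each of four devices. In the clean blocks every handler is either inside the driver's own image (F72D.... for atapi, F74E.... for Disk) or on one address shared by all drivers, 804F355A, the kernel's default routine for majors a driver does not implement (IopInvalidDeviceRequest on XP). In the second atapi block every listed major points to the same address, 8A38DAC8, in memory the driver image never occupied. That is how TDL3 interposes on the disk path, and it is also why the OTL MD5 scan above sees an identical hash on every atapi.sys copy: the rootkit answers reads of the infected file with the original contents, so an on-disk hash comparison made from inside the infected OS proves nothing. What follows is an added example, not code from this thread or from Kaspersky's tool, that applies that reasoning to log lines in TDSSKiller's format. The sample log, the 1 MiB image-span limit and the function names are constructed for this example.

```python
"""Spot TDSS/TDL3-style dispatch-table hooks in TDSSKiller 'Scanning Kernel memory' output.

Added example for this thread; it is not part of Kaspersky's TDSSKiller or of
any post here. The line format follows the TDSSKiller 2.2.8.1 log posted in the
thread. SAMPLE_LOG is constructed: three abridged driver blocks modelled on the
thread's Disk and atapi entries, not the full set of IRP_MJ rows each.
"""
import re

SAMPLE_LOG = "\n".join([
    "08:48:52:093 0312 Driver Name: Disk",
    "08:48:52:093 0312 IRP_MJ_CREATE : F74EDBB0",
    "08:48:52:093 0312 IRP_MJ_CREATE_NAMED_PIPE : 804F355A",
    "08:48:52:093 0312 IRP_MJ_READ : F74E7D1F",
    "08:48:52:093 0312 IRP_MJ_WRITE : F74E7D1F",
    "08:48:52:093 0312 IRP_MJ_DEVICE_CONTROL : F74E83BB",
    "08:48:52:093 0312 IRP_MJ_SET_QUOTA : 804F355A",
    "08:48:52:109 0312",
    "08:48:52:109 0312 Driver Name: atapi",
    "08:48:52:109 0312 IRP_MJ_CREATE : F72D66F2",
    "08:48:52:109 0312 IRP_MJ_CREATE_NAMED_PIPE : 804F355A",
    "08:48:52:109 0312 IRP_MJ_READ : 804F355A",
    "08:48:52:125 0312 IRP_MJ_DEVICE_CONTROL : F72D6712",
    "08:48:52:125 0312 IRP_MJ_INTERNAL_DEVICE_CONTROL : F72D2852",
    "08:48:52:125 0312 IRP_MJ_SET_QUOTA : 804F355A",
    "08:48:52:140 0312",
    "08:48:52:140 0312 Driver Name: atapi",
    "08:48:52:140 0312 IRP_MJ_CREATE : 8A38DAC8",
    "08:48:52:140 0312 IRP_MJ_CREATE_NAMED_PIPE : 8A38DAC8",
    "08:48:52:140 0312 IRP_MJ_READ : 8A38DAC8",
    "08:48:52:140 0312 IRP_MJ_DEVICE_CONTROL : 8A38DAC8",
    "08:48:52:140 0312 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A38DAC8",
    "08:48:52:140 0312 IRP_MJ_SET_QUOTA : 8A38DAC8",
])

# "<hh:mm:ss:ms> <pid> <key> : <value>"; key is the block header or one IRP major.
LINE_RE = re.compile(r"^\S+\s+\d+\s+(?P<key>Driver Name|IRP_MJ_\w+)\s*:\s*(?P<val>\S+)")

# Legitimate dispatch routines live inside the driver image, so a driver's own
# handlers sit within a narrow address range. A wider spread means a handler
# points into memory the driver never mapped (for TDL3, a nonpaged-pool block).
MAX_IMAGE_SPAN = 0x100000  # 1 MiB; an assumption chosen for this example


def parse_dispatch_tables(text):
    """Return [(driver_name, {irp_major: handler_addr})] in log order."""
    tables = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        if key == "Driver Name":
            tables.append((val, {}))
        elif tables:
            tables[-1][1][key] = int(val, 16)
    return tables


def default_handler(tables):
    """Address shared by the most distinct drivers: the kernel's stub for
    unimplemented majors (IopInvalidDeviceRequest on XP). None if nothing is shared."""
    drivers_per_addr = {}
    for name, table in tables:
        for addr in set(table.values()):
            drivers_per_addr.setdefault(addr, set()).add(name)
    shared = {a: len(n) for a, n in drivers_per_addr.items() if len(n) > 1}
    return max(shared, key=shared.get) if shared else None


def analyze(tables):
    """Return [(driver_name, verdict, detail)] with verdict OK / SUSPICIOUS / HOOKED."""
    stub = default_handler(tables)
    results = []
    for name, table in tables:
        handlers = set(table.values())
        own = handlers - {stub}
        if len(handlers) == 1 and stub not in handlers:
            # TDL3 signature: every IRP_MJ entry redirected to one routine.
            addr = next(iter(handlers))
            results.append((name, "HOOKED", f"all {len(table)} IRP_MJ handlers -> {addr:08X}"))
        elif own and max(own) - min(own) > MAX_IMAGE_SPAN:
            results.append((name, "SUSPICIOUS", "handlers span more than one driver image"))
        elif stub is not None and stub not in handlers:
            results.append((name, "SUSPICIOUS", "no IRP_MJ left on the kernel default handler"))
        else:
            defaults = sum(1 for a in table.values() if a == stub)
            results.append((name, "OK", f"{len(own)} handlers in image, {defaults} default"))
    return results


if __name__ == "__main__":
    for name, verdict, detail in analyze(parse_dispatch_tables(SAMPLE_LOG)):
        print(f"{name:8} {verdict:10} {detail}")
```

Run against the full log from the thread, the same checks mark the two Disk blocks and the first atapi block OK and the second atapi block HOOKED. The span rule is there for partial hooks: a rootkit that redirects only IRP_MJ_READ, IRP_MJ_WRITE and the two device-control majors still leaves the other entries in the driver image, so the all-to-one test alone would miss it.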

Here are both the new TDSSKiller and GMER logs. TDSSKiller did have me reboot during the process.

08:48:50:812 0312 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04

08:48:50:812 0312 ================================================================================

08:48:50:812 0312 SystemInfo:

08:48:50:812 0312 OS Version: 5.1.2600 ServicePack: 3.0

08:48:50:812 0312 Product type: Workstation

08:48:50:812 0312 ComputerName: PHILV-T64

08:48:50:812 0312 UserName: Phil

08:48:50:812 0312 Windows directory: C:\WINDOWS

08:48:50:812 0312 Processor architecture: Intel x86

08:48:50:812 0312 Number of processors: 1

08:48:50:812 0312 Page size: 0x1000

08:48:50:812 0312 Boot type: Normal boot

08:48:50:812 0312 ================================================================================

08:48:50:890 0312 UnloadDriverW: NtUnloadDriver error 2

08:48:50:890 0312 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

08:48:50:968 0312 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

08:48:50:968 0312 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

08:48:50:968 0312 wfopen_ex: Trying to KLMD file open

08:48:50:968 0312 wfopen_ex: File opened ok (Flags 2)

08:48:50:968 0312 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

08:48:50:968 0312 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

08:48:50:968 0312 wfopen_ex: Trying to KLMD file open

08:48:50:968 0312 wfopen_ex: File opened ok (Flags 2)

08:48:50:968 0312 Initialize success

08:48:50:968 0312

08:48:50:968 0312 Scanning Services ...

08:48:52:078 0312 Raw services enum returned 351 services

08:48:52:093 0312

08:48:52:093 0312 Scanning Kernel memory ...

08:48:52:093 0312 Devices to scan: 4

08:48:52:093 0312

08:48:52:093 0312 Driver Name: Disk

08:48:52:093 0312 IRP_MJ_CREATE : F74EDBB0

08:48:52:093 0312 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

08:48:52:093 0312 IRP_MJ_CLOSE : F74EDBB0

08:48:52:093 0312 IRP_MJ_READ : F74E7D1F

08:48:52:093 0312 IRP_MJ_WRITE : F74E7D1F

08:48:52:093 0312 IRP_MJ_QUERY_INFORMATION : 804F355A

08:48:52:093 0312 IRP_MJ_SET_INFORMATION : 804F355A

08:48:52:093 0312 IRP_MJ_QUERY_EA : 804F355A

08:48:52:093 0312 IRP_MJ_SET_EA : 804F355A

08:48:52:093 0312 IRP_MJ_FLUSH_BUFFERS : F74E82E2

08:48:52:093 0312 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

08:48:52:093 0312 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

08:48:52:093 0312 IRP_MJ_DIRECTORY_CONTROL : 804F355A

08:48:52:093 0312 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

08:48:52:093 0312 IRP_MJ_DEVICE_CONTROL : F74E83BB

08:48:52:093 0312 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74EBF28

08:48:52:093 0312 IRP_MJ_SHUTDOWN : F74E82E2

08:48:52:093 0312 IRP_MJ_LOCK_CONTROL : 804F355A

08:48:52:093 0312 IRP_MJ_CLEANUP : 804F355A

08:48:52:093 0312 IRP_MJ_CREATE_MAILSLOT : 804F355A

08:48:52:093 0312 IRP_MJ_QUERY_SECURITY : 804F355A

08:48:52:093 0312 IRP_MJ_SET_SECURITY : 804F355A

08:48:52:093 0312 IRP_MJ_POWER : F74E9C82

08:48:52:093 0312 IRP_MJ_SYSTEM_CONTROL : F74EE99E

08:48:52:093 0312 IRP_MJ_DEVICE_CHANGE : 804F355A

08:48:52:093 0312 IRP_MJ_QUERY_QUOTA : 804F355A

08:48:52:093 0312 IRP_MJ_SET_QUOTA : 804F355A

08:48:52:109 0312 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

08:48:52:109 0312

08:48:52:109 0312 Driver Name: Disk

08:48:52:109 0312 IRP_MJ_CREATE : F74EDBB0

08:48:52:109 0312 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

08:48:52:109 0312 IRP_MJ_CLOSE : F74EDBB0

08:48:52:109 0312 IRP_MJ_READ : F74E7D1F

08:48:52:109 0312 IRP_MJ_WRITE : F74E7D1F

08:48:52:109 0312 IRP_MJ_QUERY_INFORMATION : 804F355A

08:48:52:109 0312 IRP_MJ_SET_INFORMATION : 804F355A

08:48:52:109 0312 IRP_MJ_QUERY_EA : 804F355A

08:48:52:109 0312 IRP_MJ_SET_EA : 804F355A

08:48:52:109 0312 IRP_MJ_FLUSH_BUFFERS : F74E82E2

08:48:52:109 0312 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

08:48:52:109 0312 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

08:48:52:109 0312 IRP_MJ_DIRECTORY_CONTROL : 804F355A

08:48:52:109 0312 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

08:48:52:109 0312 IRP_MJ_DEVICE_CONTROL : F74E83BB

08:48:52:109 0312 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74EBF28

08:48:52:109 0312 IRP_MJ_SHUTDOWN : F74E82E2

08:48:52:109 0312 IRP_MJ_LOCK_CONTROL : 804F355A

08:48:52:109 0312 IRP_MJ_CLEANUP : 804F355A

08:48:52:109 0312 IRP_MJ_CREATE_MAILSLOT : 804F355A

08:48:52:109 0312 IRP_MJ_QUERY_SECURITY : 804F355A

08:48:52:109 0312 IRP_MJ_SET_SECURITY : 804F355A

08:48:52:109 0312 IRP_MJ_POWER : F74E9C82

08:48:52:109 0312 IRP_MJ_SYSTEM_CONTROL : F74EE99E

08:48:52:109 0312 IRP_MJ_DEVICE_CHANGE : 804F355A

08:48:52:109 0312 IRP_MJ_QUERY_QUOTA : 804F355A

08:48:52:109 0312 IRP_MJ_SET_QUOTA : 804F355A

08:48:52:109 0312 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

08:48:52:109 0312

08:48:52:109 0312 Driver Name: atapi

08:48:52:109 0312 IRP_MJ_CREATE : F72D66F2

08:48:52:109 0312 IRP_MJ_CREATE_NAMED_PIPE : 804F355A

08:48:52:109 0312 IRP_MJ_CLOSE : F72D66F2

08:48:52:109 0312 IRP_MJ_READ : 804F355A

08:48:52:109 0312 IRP_MJ_WRITE : 804F355A

08:48:52:109 0312 IRP_MJ_QUERY_INFORMATION : 804F355A

08:48:52:109 0312 IRP_MJ_SET_INFORMATION : 804F355A

08:48:52:109 0312 IRP_MJ_QUERY_EA : 804F355A

08:48:52:109 0312 IRP_MJ_SET_EA : 804F355A

08:48:52:125 0312 IRP_MJ_FLUSH_BUFFERS : 804F355A

08:48:52:125 0312 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A

08:48:52:125 0312 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A

08:48:52:125 0312 IRP_MJ_DIRECTORY_CONTROL : 804F355A

08:48:52:125 0312 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A

08:48:52:125 0312 IRP_MJ_DEVICE_CONTROL : F72D6712

08:48:52:125 0312 IRP_MJ_INTERNAL_DEVICE_CONTROL : F72D2852

08:48:52:125 0312 IRP_MJ_SHUTDOWN : 804F355A

08:48:52:125 0312 IRP_MJ_LOCK_CONTROL : 804F355A

08:48:52:125 0312 IRP_MJ_CLEANUP : 804F355A

08:48:52:125 0312 IRP_MJ_CREATE_MAILSLOT : 804F355A

08:48:52:125 0312 IRP_MJ_QUERY_SECURITY : 804F355A

08:48:52:125 0312 IRP_MJ_SET_SECURITY : 804F355A

08:48:52:125 0312 IRP_MJ_POWER : F72D673C

08:48:52:125 0312 IRP_MJ_SYSTEM_CONTROL : F72DD336

08:48:52:125 0312 IRP_MJ_DEVICE_CHANGE : 804F355A

08:48:52:125 0312 IRP_MJ_QUERY_QUOTA : 804F355A

08:48:52:125 0312 IRP_MJ_SET_QUOTA : 804F355A

08:48:52:140 0312 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1

08:48:52:140 0312

08:48:52:140 0312 Driver Name: atapi

08:48:52:140 0312 IRP_MJ_CREATE : 8A38DAC8

08:48:52:140 0312 IRP_MJ_CREATE_NAMED_PIPE : 8A38DAC8

08:48:52:140 0312 IRP_MJ_CLOSE : 8A38DAC8

08:48:52:140 0312 IRP_MJ_READ : 8A38DAC8

08:48:52:140 0312 IRP_MJ_WRITE : 8A38DAC8

08:48:52:140 0312 IRP_MJ_QUERY_INFORMATION : 8A38DAC8

08:48:52:140 0312 IRP_MJ_SET_INFORMATION : 8A38DAC8

08:48:52:140 0312 IRP_MJ_QUERY_EA : 8A38DAC8

08:48:52:140 0312 IRP_MJ_SET_EA : 8A38DAC8

08:48:52:140 0312 IRP_MJ_FLUSH_BUFFERS : 8A38DAC8

08:48:52:140 0312 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A38DAC8

08:48:52:140 0312 IRP_MJ_SET_VOLUME_INFORMATION : 8A38DAC8

08:48:52:140 0312 IRP_MJ_DIRECTORY_CONTROL : 8A38DAC8

08:48:52:140 0312 IRP_MJ_FILE_SYSTEM_CONTROL : 8A38DAC8

08:48:52:140 0312 IRP_MJ_DEVICE_CONTROL : 8A38DAC8

08:48:52:140 0312 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A38DAC8

08:48:52:140 0312 IRP_MJ_SHUTDOWN : 8A38DAC8

08:48:52:140 0312 IRP_MJ_LOCK_CONTROL : 8A38DAC8

08:48:52:140 0312 IRP_MJ_CLEANUP : 8A38DAC8

08:48:52:140 0312 IRP_MJ_CREATE_MAILSLOT : 8A38DAC8

08:48:52:140 0312 IRP_MJ_QUERY_SECURITY : 8A38DAC8

08:48:52:140 0312 IRP_MJ_SET_SECURITY : 8A38DAC8

08:48:52:140 0312 IRP_MJ_POWER : 8A38DAC8

08:48:52:140 0312 IRP_MJ_SYSTEM_CONTROL : 8A38DAC8

08:48:52:140 0312 IRP_MJ_DEVICE_CHANGE : 8A38DAC8

08:48:52:140 0312 IRP_MJ_QUERY_QUOTA : 8A38DAC8

08:48:52:140 0312 IRP_MJ_SET_QUOTA : 8A38DAC8

08:48:52:140 0312 Driver "atapi" infected by TDSS rootkit!

08:48:52:156 0312 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1

08:48:52:156 0312 File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ...

08:48:52:156 0312 Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys

08:48:52:156 0312 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3

08:48:52:593 0312 vfvi6

08:48:52:781 0312 !dsvbh1

08:48:56:265 0312 dsvbh2

08:48:56:265 0312 fdfb2

08:48:56:265 0312 Backup copy found, using it..

08:48:56:328 0312 will be cured on next reboot

08:48:56:328 0312 Reboot required for cure complete..

08:48:56:343 0312 Cure on reboot scheduled successfully

08:48:56:343 0312

08:48:56:343 0312 Completed

08:48:56:343 0312

08:48:56:343 0312 Results:

08:48:56:343 0312 Memory objects infected / cured / cured on reboot: 1 / 0 / 0

08:48:56:343 0312 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

08:48:56:343 0312 File objects infected / cured / cured on reboot: 1 / 0 / 1

08:48:56:343 0312

08:48:56:343 0312 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

08:48:56:343 0312 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

08:48:56:343 0312 UnloadDriverW: NtUnloadDriver error 1

08:48:56:343 0312 KLMD(ARK) unloaded successfully

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-04-14 08:53:47

Windows 5.1.2600 Service Pack 3

Running: 9yhey3sg.exe; Driver: C:\DOCUME~1\Phil\LOCALS~1\Temp\pgloapod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwClose [0xA83A5A1C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateDirectoryObject [0xA83A5A48]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateFile [0xA83A5A7C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateKey [0xA83A5AD0]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwDeleteKey [0xA83A5B14]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateKey [0xA83A5B40]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateValueKey [0xA83A5B80]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwFlushKey [0xA83A5BC0]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMakeTemporaryObject [0xA83A5BEC]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMapViewOfSection [0xA83A5C18]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenKey [0xA83A5C68]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenSection [0xA83A5C9C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryInformationFile [0xA83A5CD0]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryKey [0xA83A5D0C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryValueKey [0xA83A5D48]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwReadFile [0xA83A5D88]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationFile [0xA83A5DD4]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationThread [0xA83A5E10]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetValueKey [0xA83A5E48]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwUnmapViewOfSection [0xA83A5E88]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwWriteFile [0xA83A5EB8]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi \Device\Ide\IdePort0 tsk3.tmp

Device \Driver\atapi \Device\Ide\IdePort1 tsk3.tmp

Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c tsk3.tmp

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 tsk3.tmp

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A39BAC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Hi pvonkaenel,

Please print these instructions.

Next, reboot your computer.

As soon as the computer starts there will be a black screen with white writing displayed for a few seconds.

On this screen there will be the options to boot Microsoft Windows XP or

Microsoft Windows Recovery Console

Use the cursor keys to select Microsoft Windows Recovery Console then press enter.

Windows will boot to a text-based screen and ask you to select the installation to log into; please choose the correct one (usually option 1) and press Enter.

Type in

ren C:\WINDOWS\system32\drivers\atapi.sys atapi-old.sys
copy C:\WINDOWS\ERDNT\cache\atapi.sys C:\WINDOWS\system32\drivers\atapi.sys
exit

If it asks if you want to replace the file or not, click Yes/Y.

Ensure you type it in exactly the same as written above.

Let the machine reboot into normal mode and then run a new GMER scan and post the log in your next reply.


GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-04-14 14:00:33

Windows 5.1.2600 Service Pack 3

Running: 9yhey3sg.exe; Driver: C:\DOCUME~1\Phil\LOCALS~1\Temp\pgloapod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwClose [0xA82BFA1C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateDirectoryObject [0xA82BFA48]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateFile [0xA82BFA7C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateKey [0xA82BFAD0]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwDeleteKey [0xA82BFB14]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateKey [0xA82BFB40]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateValueKey [0xA82BFB80]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwFlushKey [0xA82BFBC0]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMakeTemporaryObject [0xA82BFBEC]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMapViewOfSection [0xA82BFC18]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenKey [0xA82BFC68]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenSection [0xA82BFC9C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryInformationFile [0xA82BFCD0]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryKey [0xA82BFD0C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryValueKey [0xA82BFD48]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwReadFile [0xA82BFD88]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationFile [0xA82BFDD4]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationThread [0xA82BFE10]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetValueKey [0xA82BFE48]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwUnmapViewOfSection [0xA82BFE88]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwWriteFile [0xA82BFEB8]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A3AEAC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ...

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update@BalloonTime 2010-04-14 14:52:01

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Hi pvonkaenel,

Let's try again with a different file.

Please print these instructions.

Next, reboot your computer.

As soon as the computer starts there will be a black screen with white writing displayed for a few seconds.

On this screen there will be the options to boot Microsoft Windows XP or

Microsoft Windows Recovery Console

Use the cursor keys to select Microsoft Windows Recovery Console then press enter.

Windows will boot to a text-based screen and ask you to select the installation to log into; please choose the correct one (usually option 1) and press Enter.

Type in

ren C:\WINDOWS\system32\drivers\atapi.sys atapi-old2.sys
copy C:\WINDOWS\ServicePackFiles\i386\atapi.sys C:\WINDOWS\system32\drivers\atapi.sys
exit

If it asks if you want to replace the file or not, click Yes/Y.

Ensure you type it in exactly the same as written above.

Let the machine reboot into normal mode and then run a new GMER scan and post the log in your next reply.


GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-04-14 15:30:10

Windows 5.1.2600 Service Pack 3

Running: 9yhey3sg.exe; Driver: C:\DOCUME~1\Phil\LOCALS~1\Temp\pgloapod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwClose [0xA838CA1C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateDirectoryObject [0xA838CA48]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateFile [0xA838CA7C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateKey [0xA838CAD0]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwDeleteKey [0xA838CB14]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateKey [0xA838CB40]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateValueKey [0xA838CB80]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwFlushKey [0xA838CBC0]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMakeTemporaryObject [0xA838CBEC]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMapViewOfSection [0xA838CC18]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenKey [0xA838CC68]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenSection [0xA838CC9C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryInformationFile [0xA838CCD0]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryKey [0xA838CD0C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryValueKey [0xA838CD48]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwReadFile [0xA838CD88]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationFile [0xA838CDD4]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationThread [0xA838CE10]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetValueKey [0xA838CE48]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwUnmapViewOfSection [0xA838CE88]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwWriteFile [0xA838CEB8]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A3A3AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Hi pvonkaenel,

<EDIT>

Before attempting to copy the file across, please run a new GMER scan and make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".

Please post this log and wait for me to get back to you before attempting the file copy.

***********

I do have another XP Pro operating system at my disposal; how about using the working file from that machine and doing the same recovery console file copy?

It may be worth a try.

Please download OTL onto the working computer.

Custom OTL scan

  • Double click on OTL.exe to run it.
  • Under the Custom Scan box paste this in
    /md5start
    atapi.sys
    /md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

Please ensure that the version of atapi.sys that you copy from the clean machine has the same MD5 value as the one on the infected computer: 9F3A2F5AA6875C72BF062C712CFA2674.

Please reboot and run a new GMER scan and post the log in your next reply.

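The MD5 comparison the helper asks for above can be scripted rather than read off the OTL report by eye. The following is an added example, not code from the thread, from OTL or from the Malwarebytes forum: it hashes a candidate replacement file in chunks, normalises the expected value (case and stray whitespace), and reports the comparison. EXPECTED_MD5 is the value quoted in the thread; the file written by demo() is constructed sample data, not a real atapi.sys.

```python
"""Compare a replacement driver file's MD5 against an expected value.

Added example (not from the thread, OTL or the forum). It performs the check
described in the helper's post: hash the copy of atapi.sys taken from the
clean machine and confirm it matches the value reported for the infected
machine before that copy is used as a replacement.
"""
import hashlib
import os
import tempfile

# Value quoted in the thread for the infected machine's atapi.sys.
EXPECTED_MD5 = "9F3A2F5AA6875C72BF062C712CFA2674"


def md5_of_file(path, chunk_size=1 << 16):
    """Hex MD5 (upper case) of a file, read in chunks so large files are fine."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest().upper()


def normalise_hash(value):
    """Accept the hash as pasted from a forum post: any case, stray spaces."""
    return "".join(value.split()).upper()


def check_replacement_candidate(path, expected=EXPECTED_MD5):
    """Hash `path` and compare it to `expected`; returns a small report dict."""
    actual = md5_of_file(path)
    wanted = normalise_hash(expected)
    return {"path": path, "expected": wanted, "actual": actual, "ok": actual == wanted}


def demo():
    """Constructed sample: known bytes whose MD5 is the standard test vector."""
    with tempfile.TemporaryDirectory() as tmp:
        candidate = os.path.join(tmp, "atapi.sys")  # constructed, not a real driver
        with open(candidate, "wb") as handle:
            handle.write(b"abc")
        # MD5("abc") is the RFC 1321 test vector 900150983cd24fb0d6963f7d28e17f72
        return check_replacement_candidate(candidate, " 900150983cd24fb0d6963f7d28e17f72 ")


if __name__ == "__main__":
    report = demo()
    print("match" if report["ok"] else "MISMATCH", report["actual"], report["expected"])
```

A matching hash only tells you that the bytes the file system hands back are identical on both machines. When GMER also shows the disk device object redirected (the `Device -> \Driver\atapi \Device\Harddisk0\DR0` line in these logs), reads may be passing through a hook, so the helper's instruction to wait before copying is the prudent order of operations.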

Here is the GMER log with everything checked except "Show all". I also did not realize until it was halfway through that I did not have the secondary data E: drive checked. While I wait for your response I will probably go ahead and run it. I will post below when it is done.

Thanks again.

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-04-15 08:57:37

Windows 5.1.2600 Service Pack 3

Running: 9yhey3sg.exe; Driver: C:\DOCUME~1\Phil\LOCALS~1\Temp\pgloapod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwClose [0xA83BDA1C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateDirectoryObject [0xA83BDA48]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateFile [0xA83BDA7C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateKey [0xA83BDAD0]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwDeleteKey [0xA83BDB14]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateKey [0xA83BDB40]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateValueKey [0xA83BDB80]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwFlushKey [0xA83BDBC0]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMakeTemporaryObject [0xA83BDBEC]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMapViewOfSection [0xA83BDC18]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenKey [0xA83BDC68]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenSection [0xA83BDC9C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryInformationFile [0xA83BDCD0]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryKey [0xA83BDD0C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryValueKey [0xA83BDD48]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwReadFile [0xA83BDD88]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationFile [0xA83BDDD4]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationThread [0xA83BDE10]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetValueKey [0xA83BDE48]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwUnmapViewOfSection [0xA83BDE88]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwWriteFile [0xA83BDEB8]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\DRIVERS\redbook.sys entry point in ".rsrc" section [0xF7542F94]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[248] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B9000A

.text C:\WINDOWS\system32\wuauclt.exe[248] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BA000A

.text C:\WINDOWS\system32\wuauclt.exe[248] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B8000C

.text C:\WINDOWS\system32\SearchIndexer.exe[1520] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

.text C:\WINDOWS\System32\svchost.exe[1648] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A

.text C:\WINDOWS\System32\svchost.exe[1648] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]

.text C:\WINDOWS\System32\svchost.exe[1648] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A

.text C:\WINDOWS\System32\svchost.exe[1648] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C

.text C:\WINDOWS\System32\svchost.exe[1648] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 03A6000A

.text C:\WINDOWS\System32\svchost.exe[1648] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 02B3000A

.text C:\WINDOWS\Explorer.EXE[3896] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A

.text C:\WINDOWS\Explorer.EXE[3896] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A

.text C:\WINDOWS\Explorer.EXE[3896] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A3A6AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ...

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\redbook.sys suspicious modification

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

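The GMER logs in this thread are triaged by eye: the helper is looking for the `suspicious modification` file entries, the redirected disk device object (`Device ->`), device entries backed by a module with no vendor attribution, and user-mode inline hooks with no owning module. As an added example that is not code from the thread, from GMER or from the Malwarebytes forum, here is a small Python parser that pulls exactly those entries out of a GMER log and prints a summary in that order. SAMPLE_LOG is assembled from lines posted in the thread; the section names and line formats are those of GMER 1.0.15 as they appear here.

```python
"""Triage helper for GMER 1.0.15 rootkit-scan logs.

Added example, not part of the thread, GMER or the forum. It walks a GMER
log, tracks the '---- <Section> - GMER 1.0.15 ----' headers, and collects
the entries a helper reads first. SAMPLE_LOG is built from lines posted in
the thread.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(?:\(.*?\)\s+)?(Zw\w+)\s+\[0x[0-9A-Fa-f]+\]$")
DEVICE_REDIRECT_RE = re.compile(r"^Device\s+->\s+(\S+)\s+(\S+)\s+([0-9A-Fa-f]+)$")
DEVICE_RE = re.compile(r"^(?:Attached)?Device\s+(\S+)\s+(\S+)\s+(\S+)(.*)$")
USER_HOOK_RE = re.compile(
    r"^\.text\s+(\S+?)\[(\d+)\]\s+(.+?)\s+([0-9A-Fa-f]{8})\s+(\d+)\s+Bytes?\s+(.*)$")
FILE_SUSP_RE = re.compile(r"^File\s+(.+?)\s+suspicious modification$")

# Constructed from lines posted in the thread (first and fifth GMER logs).
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-14 08:53:47

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwClose [0xA83A5A1C]
SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateFile [0xA83A5A7C]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1520] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1648] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\atapi \Device\Ide\IdePort0 tsk3.tmp
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A39BAC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""


def parse_gmer_log(text):
    """Return the entries of interest, keyed by category."""
    findings = {
        "ssdt_by_module": defaultdict(list),  # hooked services grouped by owner
        "device_redirects": [],               # 'Device ->' lines (redirected objects)
        "unattributed_devices": [],           # device entries with no vendor tag
        "user_hooks": [],                     # inline hooks in user-mode processes
        "suspicious_files": [],               # 'suspicious modification' files
    }
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "System":
            m = SSDT_RE.match(line)
            if m:
                findings["ssdt_by_module"][m.group(1)].append(m.group(2))
        elif section == "Devices":
            m = DEVICE_REDIRECT_RE.match(line)
            if m:
                findings["device_redirects"].append(
                    {"driver": m.group(1), "device": m.group(2), "address": m.group(3)})
                continue
            m = DEVICE_RE.match(line)
            # A vendor tag is the parenthesised '(product/company)' suffix.
            if m and "(" not in m.group(4):
                findings["unattributed_devices"].append(
                    {"driver": m.group(1), "device": m.group(2), "module": m.group(3)})
        elif section == "User code sections":
            m = USER_HOOK_RE.match(line)
            if m:
                findings["user_hooks"].append({
                    "process": m.group(1), "pid": int(m.group(2)),
                    "function": m.group(3), "attributed": "(" in m.group(6)})
        elif section == "Files":
            m = FILE_SUSP_RE.match(line)
            if m:
                findings["suspicious_files"].append(m.group(1))
    findings["ssdt_by_module"] = dict(findings["ssdt_by_module"])
    return findings


def summarize(findings):
    """Triage lines in the order a helper would look at them."""
    out = []
    for path in findings["suspicious_files"]:
        out.append("FILE  suspicious modification: %s" % path)
    for d in findings["device_redirects"]:
        out.append("DISK  %s %s redirected to %s" % (d["driver"], d["device"], d["address"]))
    for d in findings["unattributed_devices"]:
        out.append("DEV   %s %s backed by unattributed module %s"
                   % (d["driver"], d["device"], d["module"]))
    for h in findings["user_hooks"]:
        if not h["attributed"]:
            out.append("HOOK  %s[%d] %s" % (h["process"], h["pid"], h["function"]))
    for module, names in findings["ssdt_by_module"].items():
        out.append("SSDT  %d entries owned by %s" % (len(names), module))
    return out


if __name__ == "__main__":
    for line in summarize(parse_gmer_log(SAMPLE_LOG)):
        print(line)
```

The summary deliberately does not label anything as malicious: an unattributed module under `\Driver\atapi` may belong to a scanner that was running during the scan (the thread's own logs show a temp driver while TDSSKiller was active), and SSDT entries owned by a signed third-party driver are routine. The value of the script is that it surfaces the same five or six lines from a multi-hundred-line log each time, so that successive scans, like the ones posted above, can be compared for what changed.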

I did redo the GMER scan with both drives checked, and since it did find a couple more suspicious items I went ahead and attached the new file.

For future reference, I did check the MD5 value on the clean computer and it does match the infected computer, but per your instruction I have not copied the file.

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-04-15 10:04:48

Windows 5.1.2600 Service Pack 3

Running: 9yhey3sg.exe; Driver: C:\DOCUME~1\Phil\LOCALS~1\Temp\pgloapod.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwClose [0xA8015A1C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateDirectoryObject [0xA8015A48]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateFile [0xA8015A7C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwCreateKey [0xA8015AD0]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwDeleteKey [0xA8015B14]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateKey [0xA8015B40]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwEnumerateValueKey [0xA8015B80]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwFlushKey [0xA8015BC0]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMakeTemporaryObject [0xA8015BEC]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwMapViewOfSection [0xA8015C18]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenKey [0xA8015C68]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwOpenSection [0xA8015C9C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryInformationFile [0xA8015CD0]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryKey [0xA8015D0C]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwQueryValueKey [0xA8015D48]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwReadFile [0xA8015D88]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationFile [0xA8015DD4]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetInformationThread [0xA8015E10]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwSetValueKey [0xA8015E48]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwUnmapViewOfSection [0xA8015E88]

SSDT \SystemRoot\System32\Drivers\Crypto.SYS (SafeNet Crypto Driver/SafeNet) ZwWriteFile [0xA8015EB8]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\DRIVERS\redbook.sys entry point in ".rsrc" section [0xF681FF94]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[1440] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

.text C:\WINDOWS\System32\svchost.exe[1660] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A

.text C:\WINDOWS\System32\svchost.exe[1660] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]

.text C:\WINDOWS\System32\svchost.exe[1660] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A

.text C:\WINDOWS\System32\svchost.exe[1660] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C

.text C:\WINDOWS\system32\wuauclt.exe[2028] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A

.text C:\WINDOWS\system32\wuauclt.exe[2028] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]

.text C:\WINDOWS\system32\wuauclt.exe[2028] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A

.text C:\WINDOWS\system32\wuauclt.exe[2028] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C

.text C:\WINDOWS\system32\wuauclt.exe[2600] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B9000A

.text C:\WINDOWS\system32\wuauclt.exe[2600] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BA000A

.text C:\WINDOWS\system32\wuauclt.exe[2600] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B8000C

.text C:\WINDOWS\Explorer.EXE[3460] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A

.text C:\WINDOWS\Explorer.EXE[3460] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BC000A

.text C:\WINDOWS\Explorer.EXE[3460] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A3AAAC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x80 0x68 0x46 0x66 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xBE 0x69 0x30 0xE3 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0xA7 0x1B 0xF7 ...

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Cookies\system@bidsystem[2].txt 0 bytes

File C:\Documents and Settings\NetworkService\Cookies\system@64.111.196[2].txt 0 bytes

File C:\Documents and Settings\NetworkService\Cookies\system@mygeek[4].txt 0 bytes

File C:\WINDOWS\system32\DRIVERS\redbook.sys suspicious modification

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Hi pvonkaenel,

Here is the GMER log with everything checked except "Show all"

That's better!

C:\WINDOWS\system32\DRIVERS\redbook.sys is the infected file we need to replace.

Custom OTL scan

  • Double click on OTL.exe to run it.
  • Under the Custom Scan box paste this in
    /md5start
    redbook.sys
    /md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • Please post the contents of OTL.txt in your next reply.


OTL logfile created on: 4/15/2010 1:08:26 PM - Run 2

OTL by OldTimer - Version 3.2.1.1 Folder = C:\Documents and Settings\Phil\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 54.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 81.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 74.52 Gb Total Space | 29.39 Gb Free Space | 39.44% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

Drive E: | 74.52 Gb Total Space | 33.09 Gb Free Space | 44.41% Space Free | Partition Type: NTFS

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: PHILV-T64

Current User Name: Phil

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 14 Days

Output = Standard

Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/13 15:08:53 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Phil\Desktop\OTL.exe

PRC - [2010/04/11 01:52:33 | 000,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe

PRC - [2010/03/20 18:33:08 | 002,046,816 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe

PRC - [2009/12/28 19:13:16 | 000,761,600 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgscanx.exe

PRC - [2009/09/14 13:01:01 | 000,595,736 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgnsx.exe

PRC - [2009/09/14 13:01:01 | 000,486,680 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe

PRC - [2009/09/14 13:01:00 | 000,693,016 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgcsrvx.exe

PRC - [2009/09/14 13:00:49 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe

PRC - [2009/04/10 11:29:08 | 000,037,888 | ---- | M] () -- E:\Program Files\Winamp\winampa.exe

PRC - [2008/10/15 17:13:58 | 000,439,632 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\winvnc4.exe

PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2007/06/11 19:27:24 | 000,291,760 | ---- | M] () -- C:\Program Files\Lexmark 2500 Series\lxddmon.exe

PRC - [2007/05/25 09:41:38 | 000,537,520 | ---- | M] ( ) -- C:\WINDOWS\system32\lxddcoms.exe

PRC - [2007/04/30 08:19:54 | 000,020,480 | ---- | M] () -- C:\Program Files\Lexmark 2500 Series\lxddamon.exe

PRC - [2006/04/12 21:22:42 | 000,114,688 | ---- | M] (InterVideo Inc.) -- C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

PRC - [2004/08/11 13:22:52 | 000,065,588 | ---- | M] (SafeNet) -- C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe

PRC - [2004/08/11 13:22:46 | 000,057,398 | ---- | M] (SafeNet) -- C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe

PRC - [2004/08/11 13:22:44 | 000,319,538 | ---- | M] (SafeNet) -- C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe

PRC - [2004/07/14 15:36:54 | 000,057,344 | ---- | M] (Primax Electronics Ltd.) -- C:\WINDOWS\system32\ICO.EXE

========== Modules (SafeList) ==========

MOD - [2010/04/13 15:08:53 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Phil\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2009/09/14 13:00:49 | 000,297,752 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG8\avgwdsvc.exe -- (avg8wd)

SRV - [2008/10/15 17:13:58 | 000,439,632 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)

SRV - [2007/05/25 09:41:54 | 000,099,248 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe -- (lxddCATSCustConnectService)

SRV - [2007/05/25 09:41:38 | 000,537,520 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxddcoms.exe -- (lxdd_device)

SRV - [2004/08/11 13:22:46 | 000,057,398 | ---- | M] (SafeNet) [Auto | Running] -- C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe -- (IPSECMON)

SRV - [2004/08/11 13:22:44 | 000,319,538 | ---- | M] (SafeNet) [Auto | Running] -- C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe -- (IREIKE)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/home.php

IE - HKCU\..\URLSearchHook: *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Reg Error: Key error. File not found

IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.facebook.com/home.php"

FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.5.0.429

FF - prefs.js..extensions.enabledItems: avg@igeared:3.011.025.005

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..keyword.URL: "http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p="

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009/12/21 10:44:49 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared [2009/12/28 19:49:18 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/11 01:52:48 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/11 01:52:47 | 000,000,000 | ---D | M]

[2009/07/27 20:02:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Mozilla\Extensions

[2010/04/15 10:15:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\k8l8zeaw.default\extensions

[2009/09/27 16:33:31 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\k8l8zeaw.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2010/04/15 10:15:21 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2004/08/04 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)

O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()

O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()

O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll ()

O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)

O4 - HKLM..\Run: [lxddamon] C:\Program Files\Lexmark 2500 Series\lxddamon.exe ()

O4 - HKLM..\Run: [lxddmon.exe] C:\Program Files\Lexmark 2500 Series\lxddmon.exe ()

O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\WINDOWS\System32\ICO.EXE (Primax Electronics Ltd.)

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)

O4 - HKLM..\Run: [synTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe (Synaptics, Inc.)

O4 - HKLM..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe ()

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe (InterVideo Inc.)

O4 - Startup: C:\Documents and Settings\Phil\Start Menu\Programs\Startup\Mobile User VPN.lnk = C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe (SafeNet)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 172.16.1.20 205.171.3.65 205.171.2.65

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 205.171.3.65 205.171.2.65

O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)

O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp

O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/04/23 11:38:57 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/04/14 16:06:02 | 000,000,000 | --SD | C] -- C:\ComboFix

[2010/04/14 08:47:16 | 000,000,000 | -HSD | C] -- C:\RECYCLER

[2010/04/13 15:08:43 | 000,561,664 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Phil\Desktop\OTL.exe

[2010/04/13 10:50:16 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Phil\Desktop\TDSSKiller.exe

[2010/04/11 00:23:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Local Settings\Application Data\Ahead

[2010/04/11 00:11:11 | 000,000,000 | ---D | C] -- C:\Program Files\Free Convert WMV MOV MPEG to AVI DIVX Converter

[2010/04/10 23:53:43 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/04/10 23:53:43 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/04/10 23:53:43 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/04/10 23:53:43 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/04/10 23:37:01 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Phil\Recent

[2010/04/10 21:17:59 | 000,038,912 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\picn20.dll

[2010/04/10 20:53:38 | 000,364,544 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\TwnLib4.dll

[2010/04/10 20:53:38 | 000,106,496 | ---- | C] (Pegasus Software) -- C:\WINDOWS\System32\TwnLib20.dll

[2010/04/10 20:53:37 | 001,568,768 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagX7.dll

[2010/04/10 20:53:37 | 000,476,320 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagXpr7.dll

[2010/04/10 20:53:37 | 000,471,040 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagXRA7.dll

[2010/04/10 20:53:37 | 000,262,144 | ---- | C] (Pegasus Imaging Corp.) -- C:\WINDOWS\System32\ImagXR7.dll

[2010/04/10 20:53:37 | 000,155,648 | ---- | C] (Ahead Software Gmbh) -- C:\WINDOWS\System32\NeroCheck.exe

[2010/04/10 20:53:35 | 000,000,000 | ---D | C] -- C:\Program Files\Ahead

[2010/04/10 20:09:54 | 000,000,000 | ---D | C] -- C:\Reg Backups

[2010/04/10 20:06:38 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner

[2010/04/10 18:49:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\My Documents\NeroVision

[2010/04/10 18:37:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia

[2010/04/10 18:37:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe

[2010/04/10 18:20:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Application Data\Ahead

[2010/04/10 18:18:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Ahead

[2010/04/10 18:12:59 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Ahead

[2010/04/06 09:27:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Application Data\Facebook

[2010/04/05 09:21:53 | 000,000,000 | ---D | C] -- C:\Temp folder for DVD

[2010/04/05 09:00:06 | 000,000,000 | ---D | C] -- C:\VOLUME_IDENTIFIER

[2010/04/04 23:35:22 | 000,000,000 | ---D | C] -- C:\Program Files\DVD Shrink

[2010/04/04 23:35:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DVD Shrink

[2010/04/03 13:13:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Application Data\AVS4YOU

[2010/04/03 13:13:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVS4YOU

[2010/04/03 13:12:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\AVSMedia

[2010/04/03 13:12:13 | 000,000,000 | ---D | C] -- C:\Program Files\AVS4YOU

[2010/04/02 22:43:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Local Settings\Application Data\Help

[2010/04/02 22:43:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Phil\Application Data\Help

[2010/04/02 22:29:15 | 000,000,000 | ---D | C] -- C:\Program Files\UP

[2009/09/18 21:48:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe

[2009/09/14 12:59:31 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

[2009/09/14 12:59:31 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft

[2009/09/14 12:59:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft

[2009/09/14 12:59:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft

[2009/05/08 13:57:55 | 001,232,896 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddserv.dll

[2009/05/08 13:57:55 | 000,999,424 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddusb1.dll

[2009/05/08 13:57:55 | 000,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddpmui.dll

[2009/05/08 13:57:55 | 000,585,728 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddlmpm.dll

[2009/05/08 13:57:55 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddinpa.dll

[2009/05/08 13:57:55 | 000,397,312 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddiesc.dll

[2009/05/08 13:57:55 | 000,323,584 | ---- | C] ( ) -- C:\WINDOWS\System32\LXDDhcp.dll

[2009/05/08 13:57:55 | 000,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddprox.dll

[2009/05/08 13:57:55 | 000,094,208 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddpplc.dll

[2009/05/08 13:57:54 | 000,700,416 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddhbn3.dll

[2009/05/08 13:57:54 | 000,684,032 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddcomc.dll

[2009/05/08 13:57:54 | 000,425,984 | ---- | C] ( ) -- C:\WINDOWS\System32\lxddcomm.dll

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/04/15 12:25:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-308236825-839522115-1003UA.job

[2010/04/15 09:13:12 | 000,465,640 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2010/04/15 09:13:12 | 000,079,360 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2010/04/15 09:13:11 | 000,555,168 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2010/04/15 09:09:20 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/04/15 09:09:03 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/04/15 09:08:57 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/04/15 09:05:42 | 004,194,304 | -H-- | M] () -- C:\Documents and Settings\Phil\NTUSER.DAT

[2010/04/15 09:05:42 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Phil\ntuser.ini

[2010/04/15 08:45:27 | 058,926,845 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm

[2010/04/13 15:08:53 | 000,561,664 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Phil\Desktop\OTL.exe

[2010/04/13 13:51:44 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/04/13 13:41:12 | 003,914,375 | R--- | M] () -- C:\Documents and Settings\Phil\Desktop\ComboFix.exe

[2010/04/13 10:49:03 | 000,154,469 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\tdsskiller.zip

[2010/04/12 23:34:36 | 000,004,208 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\Attach.zip

[2010/04/12 22:59:51 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\9yhey3sg.exe

[2010/04/12 22:56:13 | 000,525,824 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\dds.scr

[2010/04/12 22:50:24 | 000,000,156 | ---- | M] () -- C:\Documents and Settings\Phil\defogger_reenable

[2010/04/12 22:49:03 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\Defogger.exe

[2010/04/12 22:25:01 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-308236825-839522115-1003Core.job

[2010/04/12 22:22:32 | 000,002,277 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\Google Chrome.lnk

[2010/04/11 21:22:40 | 000,000,094 | ---- | M] () -- C:\Documents and Settings\Phil\default.pls

[2010/04/11 21:21:54 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini

[2010/04/11 09:03:38 | 000,115,200 | ---- | M] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/04/11 00:11:15 | 000,000,034 | -H-- | M] () -- C:\WINDOWS\System32\Converter_sysquict.dat

[2010/04/10 19:01:27 | 000,193,776 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/04/09 23:28:51 | 000,001,722 | -H-- | M] () -- C:\Documents and Settings\Phil\My Documents\Default.rdp

[2010/04/05 09:09:30 | 506,986,496 | ---- | M] () -- C:\VOLUME_IDENTIFIER.ISO

[2010/04/04 23:35:22 | 000,000,670 | ---- | M] () -- C:\Documents and Settings\Phil\Desktop\DVD Shrink 3.2.lnk

[2010/04/03 13:13:36 | 000,046,080 | ---- | M] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2010/04/02 00:03:24 | 006,397,780 | -H-- | M] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\IconCache.db

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/13 10:48:55 | 000,154,469 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\tdsskiller.zip

[2010/04/12 23:34:36 | 000,004,208 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\Attach.zip

[2010/04/12 22:59:49 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\9yhey3sg.exe

[2010/04/12 22:56:11 | 000,525,824 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\dds.scr

[2010/04/12 22:50:21 | 000,000,156 | ---- | C] () -- C:\Documents and Settings\Phil\defogger_reenable

[2010/04/12 22:49:02 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\Defogger.exe

[2010/04/12 22:22:32 | 000,002,277 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\Google Chrome.lnk

[2010/04/12 22:20:53 | 000,000,974 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-308236825-839522115-1003UA.job

[2010/04/12 22:20:52 | 000,000,922 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-308236825-839522115-1003Core.job

[2010/04/11 00:11:15 | 000,000,034 | -H-- | C] () -- C:\WINDOWS\System32\Converter_sysquict.dat

[2010/04/10 23:53:43 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/04/10 23:53:43 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/04/10 23:53:43 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/04/10 23:53:43 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/04/10 23:53:43 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/04/10 23:51:44 | 003,914,375 | R--- | C] () -- C:\Documents and Settings\Phil\Desktop\ComboFix.exe

[2010/04/10 22:37:25 | 000,000,094 | ---- | C] () -- C:\Documents and Settings\Phil\default.pls

[2010/04/10 21:40:16 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2010/04/10 21:18:12 | 000,135,532 | ---- | C] () -- C:\WINDOWS\UNNeroVision.cfg

[2010/04/05 09:08:21 | 506,986,496 | ---- | C] () -- C:\VOLUME_IDENTIFIER.ISO

[2010/04/04 23:35:22 | 000,000,670 | ---- | C] () -- C:\Documents and Settings\Phil\Desktop\DVD Shrink 3.2.lnk

[2009/10/18 20:51:23 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL

[2009/10/09 17:31:42 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll

[2009/10/09 17:31:30 | 000,000,032 | ---- | C] () -- C:\WINDOWS\sierra.ini

[2009/09/18 18:37:00 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll

[2009/09/13 01:06:16 | 000,000,745 | ---- | C] () -- C:\WINDOWS\CoD.INI

[2009/09/07 22:56:11 | 000,000,765 | ---- | C] () -- C:\Documents and Settings\All Users\lxdd

[2009/07/27 20:49:42 | 000,000,165 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI

[2009/05/20 08:39:57 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll

[2009/05/20 08:39:57 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll

[2009/05/20 08:39:57 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll

[2009/05/20 08:39:57 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll

[2009/05/20 08:39:57 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll

[2009/05/20 08:39:57 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll

[2009/05/15 10:25:36 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI

[2009/05/08 13:58:58 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxddvs.dll

[2009/05/08 13:58:56 | 000,344,064 | ---- | C] () -- C:\WINDOWS\System32\lxddcoin.dll

[2009/05/08 13:58:30 | 000,692,224 | ---- | C] () -- C:\WINDOWS\System32\lxdddrs.dll

[2009/05/08 13:58:30 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxddcnv4.dll

[2009/05/08 13:58:30 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\lxddcaps.dll

[2009/05/08 13:58:13 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\lxddrwrd.ini

[2009/05/08 13:57:55 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\LXDDinst.dll

[2009/05/08 13:57:54 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxddgrd.dll

[2009/05/05 22:19:14 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\nsldap32v50.dll

[2009/05/03 14:37:12 | 000,115,200 | ---- | C] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/05/02 22:22:38 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll

[2009/04/26 07:51:04 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini

[2009/04/23 14:54:05 | 000,008,181 | ---- | C] () -- C:\WINDOWS\System32\Setup2k.ini

[2009/04/23 14:54:05 | 000,000,184 | ---- | C] () -- C:\WINDOWS\System32\presetup.ini

[2009/04/23 14:48:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\QSwitch.txt

[2009/04/23 14:48:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\DSwitch.txt

[2009/04/23 14:48:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Phil\Local Settings\Application Data\AtStart.txt

[2009/04/23 12:16:47 | 000,000,484 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2009/04/23 11:46:38 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Phil\ntuser.ini

[2009/04/23 11:46:37 | 004,194,304 | -H-- | C] () -- C:\Documents and Settings\Phil\NTUSER.DAT

[2009/04/23 11:46:37 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Phil\NTUSER.DAT.LOG

[2009/03/03 12:18:04 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\RtNicProp32.dll

[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini

[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini

[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini

[2003/06/20 06:00:00 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2009/05/02 22:25:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Age of Empires 3

[2009/09/27 16:39:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar

[2010/01/02 20:17:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite

[2009/05/04 14:40:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound

[2009/05/08 12:13:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TaxCut

[2009/09/16 11:05:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\DAEMON Tools Lite

[2010/04/06 09:27:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Facebook

[2009/06/30 00:22:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\InterVideo

[2009/05/20 08:40:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Leadertech

[2009/05/08 13:59:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Lexmark Productivity Studio

[2009/05/04 14:40:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\NCH Swift Sound

[2009/05/04 14:39:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Recordpad

[2009/05/08 12:15:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\TaxCut

[2009/04/27 22:45:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Windows Desktop Search

[2009/04/28 15:30:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Phil\Application Data\Windows Search

========== Purity Check ==========

========== Custom Scans ==========

< MD5 for: REDBOOK.SYS >

[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:redbook.sys

[2009/04/25 16:20:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:redbook.sys

[2009/04/25 16:20:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:redbook.sys

[2008/04/13 12:40:27 | 000,057,600 | ---- | M] (Microsoft Corporation) MD5=F828DD7E1419B6653894A8F97A0094C5 -- C:\WINDOWS\maxdriver\redbook.sys

[2008/04/13 12:40:27 | 000,057,600 | ---- | M] (Microsoft Corporation) MD5=F828DD7E1419B6653894A8F97A0094C5 -- C:\WINDOWS\ServicePackFiles\i386\redbook.sys

[2010/04/11 20:50:59 | 000,057,600 | ---- | M] (Microsoft Corporation) MD5=F828DD7E1419B6653894A8F97A0094C5 -- C:\WINDOWS\system32\dllcache\redbook.sys

[2010/04/11 20:50:59 | 000,057,600 | ---- | M] (Microsoft Corporation) MD5=F828DD7E1419B6653894A8F97A0094C5 -- C:\WINDOWS\system32\drivers\redbook.sys

< End of report >

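The helper's custom scan above asks OTL to hash every copy of redbook.sys so the running driver can be compared with the cached copies Windows keeps (dllcache, ServicePackFiles) and a clean source picked for replacement. The Python below is an added example, not part of the thread or of OTL: it parses such a "< MD5 for: ... >" block and performs that comparison; the first sample is the block from the OTL log above, while the directory classification, the second "tampered" sample and its all-zero MD5 placeholder are constructed assumptions.

```python
import re
from collections import defaultdict

# One hashed OTL MD5 result line, e.g.
# [2008/04/13 12:40:27 | 000,057,600 | ---- | M] (Microsoft Corporation) MD5=F828... -- C:\WINDOWS\maxdriver\redbook.sys
# Lines for files inside .cab archives carry no MD5 and are skipped.
LINE_RE = re.compile(
    r"^\[(?P<stamp>[^\]]+)\]\s+\((?P<company>[^)]*)\)\s+"
    r"MD5=(?P<md5>[0-9A-Fa-f]{32})\s+--\s+(?P<path>.+)$"
)
HEADER_RE = re.compile(r"^< MD5 for: (?P<name>.+?) >$")

# Assumed classification: where the running driver lives, and where Windows keeps
# reference copies that a helper would use as a replacement source.
LIVE_DIRS = ("\\system32\\drivers\\",)
REFERENCE_DIRS = ("\\system32\\dllcache\\", "\\servicepackfiles\\i386\\")

# Sample 1: the "< MD5 for: REDBOOK.SYS >" block from the OTL log in this thread.
OTL_MD5_SAMPLE = r"""
< MD5 for: REDBOOK.SYS >
[2004/08/04 06:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:redbook.sys
[2009/04/25 16:20:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:redbook.sys
[2009/04/25 16:20:19 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:redbook.sys
[2008/04/13 12:40:27 | 000,057,600 | ---- | M] (Microsoft Corporation) MD5=F828DD7E1419B6653894A8F97A0094C5 -- C:\WINDOWS\maxdriver\redbook.sys
[2008/04/13 12:40:27 | 000,057,600 | ---- | M] (Microsoft Corporation) MD5=F828DD7E1419B6653894A8F97A0094C5 -- C:\WINDOWS\ServicePackFiles\i386\redbook.sys
[2010/04/11 20:50:59 | 000,057,600 | ---- | M] (Microsoft Corporation) MD5=F828DD7E1419B6653894A8F97A0094C5 -- C:\WINDOWS\system32\dllcache\redbook.sys
[2010/04/11 20:50:59 | 000,057,600 | ---- | M] (Microsoft Corporation) MD5=F828DD7E1419B6653894A8F97A0094C5 -- C:\WINDOWS\system32\drivers\redbook.sys
"""

# Sample 2 (constructed, not from the thread): same layout, but the live copy under
# system32\drivers hashes differently. The all-zero MD5 is a placeholder value.
TAMPERED_SAMPLE = OTL_MD5_SAMPLE.replace(
    "MD5=F828DD7E1419B6653894A8F97A0094C5 -- C:\\WINDOWS\\system32\\drivers\\redbook.sys",
    "MD5=00000000000000000000000000000000 -- C:\\WINDOWS\\system32\\drivers\\redbook.sys",
)


def parse_md5_block(text):
    """Return (driver name, list of hashed entries) for one '< MD5 for: NAME >' section."""
    name, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        h = HEADER_RE.match(line)
        if h:
            name = h.group("name").lower()
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line, .cab entry, or unrelated output
        size = int(m.group("stamp").split("|")[1].strip().replace(",", ""))
        entries.append({"path": m.group("path").strip(), "md5": m.group("md5").upper(),
                        "company": m.group("company").strip(), "size": size})
    return name, entries


def _in_any(path, dirs):
    p = path.lower()
    return any(d in p for d in dirs)


def assess(entries, known_good_md5=None):
    """Compare the live driver against the cached reference copies.

    Baseline = the supplied known-good MD5 or, failing that, the single hash all
    reference copies agree on. Returns the live hash, the reference hashes seen,
    a verdict, and the reference paths that carry the baseline hash.
    """
    live = [e for e in entries if _in_any(e["path"], LIVE_DIRS)]
    refs_by_md5 = defaultdict(list)
    for e in entries:
        if _in_any(e["path"], REFERENCE_DIRS):
            refs_by_md5[e["md5"]].append(e["path"])

    if known_good_md5:
        baseline = known_good_md5.upper()
    elif len(refs_by_md5) == 1:
        baseline = next(iter(refs_by_md5))
    else:
        baseline = None

    live_md5 = live[0]["md5"] if live else None
    if baseline is None:
        verdict = "reference copies disagree; supply a known-good MD5"
    elif live_md5 is None:
        verdict = "no live copy found under system32\\drivers"
    elif live_md5 == baseline:
        verdict = "live copy matches baseline"
    else:
        verdict = "live copy differs from baseline"

    return {"live_md5": live_md5, "reference_md5s": sorted(refs_by_md5), "verdict": verdict,
            "replacement_sources": sorted(refs_by_md5.get(baseline, []))}


def check_driver(text, known_good_md5=None):
    """Parse one OTL MD5 block and assess it; returns (driver name, assessment)."""
    name, entries = parse_md5_block(text)
    return name, assess(entries, known_good_md5)


if __name__ == "__main__":
    for label, sample in (("thread log", OTL_MD5_SAMPLE), ("constructed tampered log", TAMPERED_SAMPLE)):
        name, result = check_driver(sample)
        print(f"{label}: {name}: {result['verdict']}")
        for p in result["replacement_sources"]:
            print("  replacement source:", p)
```

A matching hash only shows that the on-disk copies agree with each other; GMER's "suspicious modification" verdict concerns what is loaded in memory, so pass a vendor-published MD5 as known_good_md5 when one is available.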
