
google redirect, TDL3 or TDSS rootkit suspected


sfpm

I've been experiencing google redirects using firefox and all symptoms point to a persistent rootkit, possibly TDL3. I've run TDSSkiller and it says atapi.sys is infected but is unable to clean it up. MBAM can't fix it either, although it does a good job removing all the secondary trojans this rootkit keeps trying to install. GMER can't complete a full scan so I'll post what logs I am able to get. I've attached my DDS scans too.

GMER initial quickscan:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit quick scan 2010-04-30 09:36:53

Windows 5.1.2600 Service Pack 3

Running: i0w5xsj8.exe; Driver: C:\DOCUME~1\Daniel\LOCALS~1\Temp\fgeyifow.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A511EE4

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

GMER partial scan with only "sections" and "c:\" ticked:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-04-30 15:49:10

Windows 5.1.2600 Service Pack 3

Running: i0w5xsj8.exe; Driver: C:\DOCUME~1\Daniel\LOCALS~1\Temp\fgeyifow.sys

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\pciide.sys entry point in ".rsrc" section [0xF7A4F814]

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6D1B000, 0x1BDF16, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1516] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007E000A

.text C:\WINDOWS\System32\svchost.exe[1516] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007F000A

.text C:\WINDOWS\System32\svchost.exe[1516] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007D000C

.text C:\WINDOWS\System32\svchost.exe[1516] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00F0000A

.text C:\WINDOWS\System32\svchost.exe[1516] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00EF000A

.text C:\WINDOWS\Explorer.EXE[2656] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A1000A

.text C:\WINDOWS\Explorer.EXE[2656] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AF000A

.text C:\WINDOWS\Explorer.EXE[2656] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A0000C

.text C:\WINDOWS\system32\wuauclt.exe[3312] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AB000A

.text C:\WINDOWS\system32\wuauclt.exe[3312] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AC000A

.text C:\WINDOWS\system32\wuauclt.exe[3312] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 003D000C

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\pciide.sys suspicious modification

---- EOF - GMER 1.0.15 ----

DDS

DDS (Ver_10-03-17.01) - NTFSx86

Run by Daniel at 10:16:13.57 on Fri 04/30/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1538 [GMT -7:00]

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE

C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\PWMUIAux.exe

C:\WINDOWS\system32\mmc.exe

C:\Program Files\K-Meleon\k-meleon.exe

C:\Documents and Settings\Daniel\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>

uRun: [HydraVisionDesktopManager] "c:\program files\ati technologies\ati hydravision\HydraDM.exe"

mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe

mRun: [PSQLLauncher] "c:\program files\thinkvantage fingerprint software\launcher.exe" /startup

mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe

mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe

mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

mRun: [bLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [AtiPTA] atiptaxx.exe

mRun: [FRYMXINS] "c:\program files\ati technologies\fire gl 3d studio max\atiimxgl"

mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot

dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)

dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm

IE: Send To Bluetooth - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: psfus - c:\program files\thinkvantage fingerprint software\psqlpwd.dll

Notify: tpfnf2 - c:\program files\lenovo\hotkey\notifyf2.dll

Notify: tphotkey - c:\program files\lenovo\hotkey\tphklock.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\daniel\applic~1\mozilla\firefox\profiles\di3rsfmi.default\

FF - plugin: c:\documents and settings\daniel\application data\move networks\plugins\npqmp071701000002.dll

FF - plugin: c:\documents and settings\daniel\application data\move networks\plugins\npqmp071705000014.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

FF - plugin: c:\program files\veetle\player\npvlc.dll

FF - plugin: c:\program files\veetle\plugins\npVeetle.dll

FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]

R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-4-29 18816]

R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-6-2 53248]

R2 smihlp;SMI Helper Driver (smihlp);c:\program files\common files\thinkvantage fingerprint software\drivers\smihlp.sys [2008-11-21 12560]

R3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [2007-4-10 72576]

R3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [2007-1-12 102144]

S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\e.tmp --> c:\windows\system32\E.tmp [?]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2010-04-30 17:15:54 0 ----a-w- c:\documents and settings\daniel\defogger_reenable

2010-04-30 07:51:17 0 d-----w- C:\c51d2543fa025044485d6971a55f

2010-04-30 07:03:14 221184 ----a-w- c:\windows\system32\wmpns.dll

2010-04-30 04:44:50 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys

2010-04-29 10:11:35 0 d-sha-r- C:\cmdcons

2010-04-29 10:09:51 98816 ----a-w- c:\windows\sed.exe

2010-04-29 10:09:51 77312 ----a-w- c:\windows\MBR.exe

2010-04-29 10:09:51 256512 ----a-w- c:\windows\PEV.exe

2010-04-29 10:09:51 161792 ----a-w- c:\windows\SWREG.exe

2010-04-29 10:06:49 0 d-----w- C:\VundoFix Backups

2010-04-29 09:20:56 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2010-04-29 09:20:56 272128 ------w- c:\windows\system32\drivers\bthport.sys

2010-04-29 09:20:11 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

2010-04-29 08:40:11 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2010-04-29 08:40:10 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2010-04-29 08:40:10 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2010-04-29 08:34:47 2888 ----a-w- c:\windows\system32\.crusader

2010-04-29 07:45:36 0 d-----w- c:\program files\Sophos

2010-04-29 07:38:55 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys

2010-04-29 07:38:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro

2010-04-29 07:38:36 0 d-----w- c:\program files\Hitman Pro 3.5

2010-04-29 06:34:14 2560 ------w- c:\windows\system32\xpsp4res.dll

2010-04-29 06:28:01 0 d-----w- c:\windows\system32\PreInstall

2010-04-29 06:27:59 0 d--h--w- c:\windows\$hf_mig$

2010-04-29 03:35:43 0 d-----w- c:\windows\system32\SoftwareDistribution

2010-04-28 07:10:33 0 d-----w- c:\program files\SUPERAntiSpyware

2010-04-28 07:10:33 0 d-----w- c:\docume~1\daniel\applic~1\SUPERAntiSpyware.com

2010-04-28 07:10:15 0 d-----w- c:\program files\common files\Wise Installation Wizard

2010-04-28 06:23:38 0 d-----w- c:\program files\AVG

2010-04-28 06:23:22 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

2010-04-28 06:23:11 0 d-----w- c:\windows\SxsCaPendDel

2010-04-28 06:15:11 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-04-28 06:02:38 0 d-s---w- c:\documents and settings\daniel\UserData

2010-04-26 03:13:26 0 d-----w- C:\SIMANT

2010-04-24 05:27:13 85504 ----a-w- c:\windows\system32\ff_vfw.dll

2010-04-24 05:27:13 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest

2010-04-11 20:42:23 0 d-----w- c:\program files\Veetle

2010-04-11 19:16:16 0 d-----w- c:\docume~1\daniel\applic~1\Foxit Software

2010-04-11 03:21:49 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX

2010-04-06 04:12:51 0 d-----w- c:\windows\system32\LogFiles

==================== Find3M ====================

2010-04-30 17:10:08 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2010-04-29 22:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-29 16:34:19 691696 ----a-w- c:\windows\system32\drivers\sptd.sys

2010-03-31 01:58:04 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys

2010-03-31 01:58:04 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys

2010-03-31 01:58:04 44944 ----a-w- c:\windows\system32\drivers\pxhelp20.sys

2010-03-31 01:58:04 133616 ------w- c:\windows\system32\pxafs.dll

2010-03-31 01:58:04 125424 ------w- c:\windows\system32\pxinsi64.exe

2010-03-31 01:58:04 123888 ------w- c:\windows\system32\pxcpyi64.exe

2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll

2010-03-08 17:59:18 94208 ----a-w- c:\windows\system32\dpl100.dll

2010-02-26 05:43:57 667136 ----a-w- c:\windows\system32\wininet.dll

2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\ieencode.dll

2010-02-19 19:27:36 720384 ----a-w- c:\windows\system32\DivX.dll

2010-02-19 19:27:16 856064 ----a-w- c:\windows\system32\divx_xx0c.dll

2010-02-19 19:27:16 856064 ----a-w- c:\windows\system32\divx_xx07.dll

2010-02-19 19:27:16 847872 ----a-w- c:\windows\system32\divx_xx0a.dll

2010-02-19 19:27:16 843776 ----a-w- c:\windows\system32\divx_xx16.dll

2010-02-19 19:27:16 839680 ----a-w- c:\windows\system32\divx_xx11.dll

2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe

2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe

2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 10:16:50.42 ===============

MBAM says I'm clean but I can post that log if it would be helpful.

Any help is much appreciated!

Attach.txt
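The "User code sections" lines in the first GMER log above, as an added example (mine, not the thread's or GMER's code): a small Python parser that pulls each inline hook out of the log and applies two reading heuristics of my own, a JMP target in low private memory and the same set of APIs hooked in several processes. The `example.exe` line and the `PRIVATE_RANGE_TOP` boundary are constructed assumptions, not values from the log.

```python
"""Parse the 'User code sections' of a GMER log and summarise the inline hooks.

Added example, not code from the thread or from GMER. The sample lines are
copied from the first GMER log in the thread plus one constructed benign line.
The two heuristics (JMP target in low private memory, identical API set hooked
in several processes) are my own reading rules, not GMER's verdicts.
"""
import re
from collections import defaultdict

# Constructed sample: nine lines lifted from the posted log, plus one made-up
# line ("example.exe[9999]", invented addresses) whose JMP stays inside the
# system-DLL range so that the heuristic has a non-flagged case to show.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[1516] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007E000A
.text C:\WINDOWS\System32\svchost.exe[1516] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007F000A
.text C:\WINDOWS\System32\svchost.exe[1516] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007D000C
.text C:\WINDOWS\Explorer.EXE[2656] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A1000A
.text C:\WINDOWS\Explorer.EXE[2656] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AF000A
.text C:\WINDOWS\Explorer.EXE[2656] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A0000C
.text C:\WINDOWS\system32\wuauclt.exe[3312] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AB000A
.text C:\WINDOWS\system32\wuauclt.exe[3312] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AC000A
.text C:\WINDOWS\system32\wuauclt.exe[3312] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 003D000C
.text C:\WINDOWS\System32\example.exe[9999] ntdll.dll!NtClose 7C90CFD0 5 Bytes JMP 7C91A000
---- Files - GMER 1.0.15 ----
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)$"
)

# Heuristic boundary (assumption) for 32-bit XP: system DLLs such as ntdll.dll
# sit near 0x7C900000; addresses below this are the process's own heap/private
# memory, where injected code usually lives.
PRIVATE_RANGE_TOP = 0x10000000


def parse_hooks(log_text):
    """Return one dict per inline-hook line; every other log line is ignored."""
    hooks = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hooks.append({
            "image": m["image"],
            "pid": int(m["pid"]),
            "api": f"{m['module']}!{m['func']}",
            "addr": int(m["addr"], 16),
            "size": int(m["size"]),
            "target": int(m["target"], 16),
        })
    return hooks


def is_private_target(hook):
    """True when a system-DLL entry point jumps to low, non-image memory."""
    return (hook["target"] < PRIVATE_RANGE_TOP
            and (hook["target"] >> 16) != (hook["addr"] >> 16))


def summarise(hooks):
    """Group hooks per process and find API sets that recur across processes."""
    per_process = defaultdict(list)
    for h in hooks:
        per_process[(h["image"], h["pid"])].append(h)
    by_api_set = defaultdict(list)
    for proc, hs in per_process.items():
        by_api_set[frozenset(h["api"] for h in hs)].append(proc)
    return {
        "processes": {p: sorted(h["api"] for h in hs) for p, hs in per_process.items()},
        "suspicious": [h for h in hooks if is_private_target(h)],
        # The same entry points patched identically in several processes is the
        # fingerprint of one injector, not of several unrelated programs.
        "shared_api_sets": {s: p for s, p in by_api_set.items() if len(p) > 1},
    }


if __name__ == "__main__":
    report = summarise(parse_hooks(SAMPLE_LOG))
    for h in report["suspicious"]:
        print(f"pid {h['pid']:>5} {h['api']:<36} {h['addr']:08X} -> {h['target']:08X}")
    for apis, procs in report["shared_api_sets"].items():
        print(f"{len(procs)} processes share hooks on: {', '.join(sorted(apis))}")
```

Run against the posted log, the three ntdll entry points come out hooked identically in svchost.exe, Explorer.EXE and wuauclt.exe, each jumping into low private memory; the final GMER log later in the thread, taken after the driver replacement, has no "User code sections" at all.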


Hello and :)

  • My name is xixo_12 and I will guide you.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • You may wish to print them off or copy the instruction into Notepad.
  • If you have any question please don't hesitate to ask.
  • The instructions that I will give to you are specific to your current problem and shouldn't be used on other systems.
  • If you are receiving help or have received help on this problem elsewhere, please let us know.
  • Keep interacting with me until your computer is clean.

Please! If you need more time to do all the instructions, let me know before the 72 hours are up. Otherwise, your thread will be closed.

First,

SystemLook by jpshortstuff.

Please download from one of the links below and save it to the Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *atapi*
    *pciide*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Next,

Checklist.

Please post.

  • Content of SystemLook.txt


Hello xixo_12, thanks so much for helping me!

Here is the result of the SystemLook scan:

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 21:15 on 30/04/2010 by Daniel (Administrator - Elevation successful)

========== filefind ==========

Searching for "*atapi*"

C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [05:59 04/08/2004] [05:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684

C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [10:32 29/04/2010] [08:29 30/04/2010] 9F3A2F5AA6875C72BF062C712CFA2674

C:\WINDOWS\I386\ATAPI.SY_ --a--- 50028 bytes [23:19 01/06/2009] [12:00 21/08/2008] C32657CE5311711A42CD6ECBC728FB0B

C:\WINDOWS\I386\COMPDATA\DECATAPI.HTM --a--- 881 bytes [23:19 01/06/2009] [12:00 21/08/2008] FDA00ABB8831E4903E9442E9B01843ED

C:\WINDOWS\I386\COMPDATA\DECATAPI.TXT --a--- 449 bytes [23:19 01/06/2009] [12:00 21/08/2008] F5A5EAC5B4790D90031B913DD5D559A5

C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [00:10 14/04/2008] [07:10 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [00:10 14/04/2008] [18:58 30/04/2010] 9F3A2F5AA6875C72BF062C712CFA2674

C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys --a--- 96512 bytes [15:54 02/06/2009] [12:00 21/08/2008] 9F3A2F5AA6875C72BF062C712CFA2674

Searching for "*pciide*"

C:\cmdcons\PCIIDE.SY_ --a--- 1695 bytes [20:51 17/08/2001] [20:51 17/08/2001] DD70748EDC4DB912A6603D87760EE322

C:\cmdcons\PCIIDEX.SY_ --a--- 13610 bytes [05:59 04/08/2004] [05:59 04/08/2004] 074806F8AC6493BFD75FE120D0D895C2

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\pciide.sys.vir --a--- 3328 bytes [13:51 17/08/2001] [20:51 17/08/2001] C97FD7033297CB380E2EE551F00F233C

C:\WINDOWS\I386\PCIIDE.SY_ --a--- 1695 bytes [23:20 01/06/2009] [12:00 21/08/2008] DD70748EDC4DB912A6603D87760EE322

C:\WINDOWS\I386\PCIIDEX.SY_ --a--- 13602 bytes [23:20 01/06/2009] [12:00 21/08/2008] 4F4D10789BB6989B2B2DCC5195913B1B

C:\WINDOWS\system32\dllcache\pciide.sys --a--c 3328 bytes [13:51 17/08/2001] [20:51 17/08/2001] CCF5F451BB1A5A2A522A76E670000FF0

C:\WINDOWS\system32\dllcache\pciidex.sys --a--c 24960 bytes [00:10 14/04/2008] [07:10 14/04/2008] 52E60F29221D0D1AC16737E8DBF7C3E9

C:\WINDOWS\system32\drivers\pciide.sys --a--- 3328 bytes [13:51 17/08/2001] [20:51 17/08/2001] CCF5F451BB1A5A2A522A76E670000FF0

C:\WINDOWS\system32\drivers\pciidex.sys --a--- 24960 bytes [00:10 14/04/2008] [07:10 14/04/2008] 52E60F29221D0D1AC16737E8DBF7C3E9

C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\pciide.sys --a--- 3328 bytes [15:54 02/06/2009] [12:00 21/08/2008] CCF5F451BB1A5A2A522A76E670000FF0

C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\pciidex.sys --a--- 24960 bytes [15:54 02/06/2009] [12:00 21/08/2008] 52E60F29221D0D1AC16737E8DBF7C3E9

-=End Of File=-
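As an added example (mine, not the thread's or SystemLook's code), a small Python parser for the `:filefind` output above that groups every copy of each driver, compares their MD5s and flags copies modified within a week of the log date, the comparison a helper makes by eye before choosing which copy to restore from. The `.vir` quarantine-suffix handling and the 7-day window are my assumptions.

```python
"""Parse SystemLook ':filefind' output and compare every copy of each driver.

Added example, not code from the thread or from SystemLook. The sample is a
subset of the log posted above; the grouping rules (.vir quarantine suffix,
7-day "recently modified" window) are my own assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: seven entries copied verbatim from the posted SystemLook log.
SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 21:15 on 30/04/2010 by Daniel (Administrator - Elevation successful)
========== filefind ==========
Searching for "*atapi*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [05:59 04/08/2004] [05:59 04/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [10:32 29/04/2010] [08:29 30/04/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [00:10 14/04/2008] [07:10 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [00:10 14/04/2008] [18:58 30/04/2010] 9F3A2F5AA6875C72BF062C712CFA2674
Searching for "*pciide*"
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\pciide.sys.vir --a--- 3328 bytes [13:51 17/08/2001] [20:51 17/08/2001] C97FD7033297CB380E2EE551F00F233C
C:\WINDOWS\system32\dllcache\pciide.sys --a--c 3328 bytes [13:51 17/08/2001] [20:51 17/08/2001] CCF5F451BB1A5A2A522A76E670000FF0
C:\WINDOWS\system32\drivers\pciide.sys --a--- 3328 bytes [13:51 17/08/2001] [20:51 17/08/2001] CCF5F451BB1A5A2A522A76E670000FF0
-=End Of File=-
"""

HEADER_RE = re.compile(r"^Log created at (\d\d:\d\d) on (\d\d/\d\d/\d{4})")
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attr>[-a-zA-Z]{6})\s+(?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
TS = "%H:%M %d/%m/%Y"   # SystemLook prints timestamps as "HH:MM DD/MM/YYYY"


def parse_filefind(text):
    """Return (log creation time, list of file entries) from a filefind log."""
    log_time, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        h = HEADER_RE.match(line)
        if h:
            log_time = datetime.strptime(f"{h[1]} {h[2]}", TS)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entries.append({
            "path": m["path"],
            "size": int(m["size"]),
            "created": datetime.strptime(m["created"], TS),
            "modified": datetime.strptime(m["modified"], TS),
            "md5": m["md5"].upper(),
        })
    return log_time, entries


def canonical_name(path):
    """Group copies by driver name; a quarantined copy carries a .vir suffix (assumption)."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".vir") else name


def compare_copies(text, recent=timedelta(days=7)):
    """Per driver: distinct hashes, live-vs-dllcache agreement, recently touched copies."""
    log_time, entries = parse_filefind(text)
    groups = defaultdict(list)
    for e in entries:
        name = canonical_name(e["path"])
        if name.endswith(".sys"):          # skip .SY_ cabinets and .htm/.txt hits
            groups[name].append(e)
    report = {}
    for name, copies in groups.items():
        hashes = defaultdict(list)
        for e in copies:
            hashes[e["md5"]].append(e["path"])
        live = next((e for e in copies if "\\drivers\\" in e["path"].lower()
                     and "quarantine" not in e["path"].lower()), None)
        cache = next((e for e in copies if "\\dllcache\\" in e["path"].lower()), None)
        report[name] = {
            "distinct_hashes": dict(hashes),
            # Caveat: equal hashes do not clear the live copy. A rootkit that
            # filters disk reads can hand the clean image to any user-mode hash
            # tool, which is why GMER still flags drivers\atapi.sys here even
            # though every copy hashes the same. This only says which copy to
            # restore from, not whether the live one is clean.
            "live_matches_dllcache": bool(live and cache and live["md5"] == cache["md5"]),
            "recently_modified": [e["path"] for e in copies
                                  if log_time and log_time - e["modified"] <= recent],
        }
    return report


if __name__ == "__main__":
    for name, r in compare_copies(SAMPLE_LOG).items():
        print(name, "hashes:", len(r["distinct_hashes"]),
              "live==dllcache:", r["live_matches_dllcache"])
        for p in r["recently_modified"]:
            print("  recently modified:", p)
```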


Hi,

Let's proceed.

Please do not quote my instructions :) Just use add reply button.

First,

Copy file

  • Open Notepad.exe
  • Copy and paste the code below into Notepad.
    COPY /Y C:\WINDOWS\system32\dllcache\atapi.sys c:\atapi.sys
    COPY /Y C:\WINDOWS\system32\dllcache\pciide.sys c:\pciide.sys
    DEL %0


  • Click on File > Save As
    Save in : Desktop
    File name : xixo.bat
    Save as type : All Files
  • Double click on xixo.bat and the batch file will perform the task and auto delete itself.

Next,

Avenger2 by Swandog46

Please download from HERE, save to the desktop and unzip it.

Note: This programme must be run from an account with Administrator privileges.

  • Open the Avenger folder and double click Avenger.exe to launch the programme.
  • Copy the text in the code box below and Paste it into the Input script here: box.

Files to move:
c:\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
c:\pciide.sys | C:\WINDOWS\system32\DRIVERS\pciide.sys

Note: the above code was created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

  • Ensure the following:
    • Scan for Rootkits is checked.
    • Automatically disable any rootkits found is Unchecked.

  • Press the Execute key.
  • Avenger will now process the script you've pasted (this may involve more than one re-boot); when finished it will produce a log file.
  • Post the log back here please. (It can also be found at C:\avenger.txt)

Next,

GMER.

Please download from HERE and save to the desktop.

  • Unzip/extract the file to its own folder.
  • Disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan,click NO.
  • Click on >>> symbol and choose on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.

Important! Please do not select the "Show all" checkbox during the scan.

Next,

Checklist.

Please post.

  • Content of avenger.txt
  • Content of GMER.txt


Oops sorry about quoting the post!

GMER took forever to run but it actually finished this time.

Here is my avenger.txt

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation "c:\atapi.sys|C:\WINDOWS\system32\drivers\atapi.sys" completed successfully.

File move operation "c:\pciide.sys|C:\WINDOWS\system32\DRIVERS\pciide.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

And here is GMER.txt

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-04-30 23:34:28

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\Daniel\LOCALS~1\Temp\fgeyifow.sys

---- Kernel code sections - GMER 1.0.15 ----

? kvni.sys The system cannot find the file specified. !

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6D1B000, 0x1BDF16, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1504] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007E000A

.text C:\WINDOWS\System32\svchost.exe[1504] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007F000A

.text C:\WINDOWS\System32\svchost.exe[1504] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007D000C

.text C:\WINDOWS\system32\wuauclt.exe[1664] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0083000A

.text C:\WINDOWS\system32\wuauclt.exe[1664] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0084000A

.text C:\WINDOWS\system32\wuauclt.exe[1664] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 003D000C

.text C:\WINDOWS\Explorer.EXE[2080] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A1000A

.text C:\WINDOWS\Explorer.EXE[2080] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AF000A

.text C:\WINDOWS\Explorer.EXE[2080] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A0000C

.text C:\WINDOWS\system32\wuauclt.exe[2544] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AB000A

.text C:\WINDOWS\system32\wuauclt.exe[2544] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00AC000A

.text C:\WINDOWS\system32\wuauclt.exe[2544] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 003D000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A4F6EE4

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB0 0x7C 0x5C 0x52 ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA5 0xFE 0x71 0xDE ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x0D 0xDB 0x92 0xA9 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x41 0xE0 0xAC 0xDB ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x41 0xE0 0xAC 0xDB ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Hope this helps!


Hi,

Do this.

First,

DeFogger - Disable

Please download from HERE and save to the desktop.

  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Next,

GMER

Please run it again.

Next,

Checklist.

Please post.

  • Content of GMER.txt
  • Please let me know how your system is now.


So when I run Defogger and disable emulation, it doesn't ask me to reboot. Should I still reboot, and will the drivers remain disabled after a reboot?

Also, I noticed that after I connect to the internet, my machine becomes unresponsive and the CPU cycles go to 100%. I'm guessing that the rootkit is updating or receiving some activation signal because I don't get this problem if I'm offline. Should I keep this machine offline so that the rootkit can't update?

Thanks again for your help.


Something odd happened when I connected to the internet to post this reply.

CPU was at 100% and the primary culprit was wuauclt.exe. The computer was unresponsive so I killed wuauclt.exe. Then svchost ate up the CPU cycles so I killed that one too. After that, I could connect to websites but I would notice a flickering effect every once in a while, like when you hit refresh and things on the screen flash on and off for a second. As I'm typing this, another svchost process is using all my CPU power so I think I'm still infected.

Also, I can't shut down or hibernate my computer. I have to do a hard shutdown by holding down the power button for 5 seconds.

Here is the new GMER log

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-05-01 02:48:08

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\Daniel\LOCALS~1\Temp\fgeyifow.sys

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6D1B000, 0x1BDF16, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB0 0x7C 0x5C 0x52 ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA5 0xFE 0x71 0xDE ...

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x0D 0xDB 0x92 0xA9 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x41 0xE0 0xAC 0xDB ...

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x41 0xE0 0xAC 0xDB ...

---- EOF - GMER 1.0.15 ----


Hi,

Good! Rootkit is gone. We will focus on normal infection. No worries :)

First,

RSIT by random/random.

Please download from HERE and save to the desktop.

  • Double-click on RSIT.exe to run the tool.
  • Click Continue at the disclaimer screen.
  • Once it finishes, two logs will open.
    • log.txt will be opened maximized
    • info.txt will be opened minimized
  • Please post the contents of both logs in your next post.

***You can find the log manually at C:\rsit

Next,

Checklist.

Please post.

  • Content of log.txt and info.txt (Find both in c:\rsit)


Sounds promising!

Here is log.txt:

Logfile of random's system information tool 1.06 (written by random/random)

Run by Daniel at 2010-05-01 10:22:23

Microsoft Windows XP Professional Service Pack 3

System drive C: has 4 GB (4%) free of 92 GB

Total RAM: 2046 MB (75% free)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:22:24 AM, on 5/1/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

C:\Program Files\Intel\WiFi\bin\EvtEng.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE

C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Lenovo\Zoom\TpScrex.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe

C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\WINDOWS\system32\taskmgr.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\PWMUIAux.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\K-Meleon\k-meleon.exe

C:\Documents and Settings\Daniel\Desktop\RSIT.exe

C:\Program Files\trend micro\Daniel.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe

O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe" /startup

O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

O4 - HKLM\..\Run: [bLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"

O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot

O4 - HKCU\..\Run: [HydraVisionDesktopManager] "C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe"

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: Power Manager DBC Service - Unknown owner - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless WiFi Service (S24EventMonitor) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe

--

End of file - 5969 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\PMTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"TPHOTKEY"=C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe [2008-09-30 68976]

"PSQLLauncher"=C:\Program Files\ThinkVantage Fingerprint Software\launcher.exe [2008-11-20 49928]

"ACTray"=C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe [2009-02-27 425984]

"ACWLIcon"=C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe [2009-02-27 159744]

"PWRMGRTR"=rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor []

"BLOG"=rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog []

"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2005-05-20 925696]

"EZEJMNAP"=C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe [2008-10-08 256576]

"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-10-06 1323008]

"AtiPTA"=C:\WINDOWS\system32\atiptaxx.exe [2006-02-21 344064]

"FRYMXINS"=C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl []

"HitmanPro35"=C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe [2010-04-29 5937984]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"HydraVisionDesktopManager"=C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe [2007-07-25 368640]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]

C:\Program Files\DivX\DivX Update\DivXUpdate.exe [2010-03-05 1135912]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2004-07-27 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2009-02-11 61440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

C:\Program Files\Winamp\Winampa.exe [2003-04-01 12288]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Daniel^Start Menu^Programs^Startup^scandisk.dll]

C:\Documents and Settings\Daniel\Start Menu\Programs\Startup\scandisk.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Daniel^Start Menu^Programs^Startup^scandisk.lnk]

C:\DOCUME~1\Daniel\STARTM~1\Programs\Startup\scandisk.dll,_IWMPEvents@0 []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

C:\WINDOWS\system32\Ati2evxx.dll [2009-02-11 155648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\psfus]

C:\Program Files\ThinkVantage Fingerprint Software\psqlpwd.dll [2008-11-21 95496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tpfnf2]

C:\Program Files\Lenovo\HOTKEY\notifyf2.dll [2006-09-06 34344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tphotkey]

C:\Program Files\Lenovo\HOTKEY\tphklock.dll [2008-08-08 28672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\HitmanPro35Crusader]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\klmdb.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=323

"NoDriveAutoRun"=67108863

"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveAutoRun"=

"NoDriveTypeAutoRun"=

"NoDrives"=

"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Program Files\SopCast\SopCast.exe"="C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application"

"C:\Program Files\SopCast\adv\SopAdver.exe"="C:\Program Files\SopCast\adv\SopAdver.exe:*:Disabled:SopCast Adver"

"C:\Program Files\Sports Interactive\Football Manager 2010\fm.exe"="C:\Program Files\Sports Interactive\Football Manager 2010\fm.exe:*:Enabled:Football Manager 2010"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af555b40-96c0-11de-9312-00a0d5fffe85}]

shell\AutoRun\command - I:\autorun.exe

======List of files/folders created in the last 1 months======

2010-05-01 10:07:02 ----D---- C:\rsit

2010-05-01 10:07:02 ----D---- C:\Program Files\trend micro

2010-04-30 21:30:29 ----D---- C:\Avenger

2010-04-30 21:30:29 ----A---- C:\avenger.txt

2010-04-30 11:57:49 ----A---- C:\TDSSKiller.2.2.8.1_30.04.2010_11.57.49_log.txt

2010-04-30 02:32:31 ----A---- C:\TDSSKiller.2.2.8.1_30.04.2010_02.32.31_log.txt

2010-04-30 01:50:42 ----A---- C:\TDSSKiller.2.2.8.1_30.04.2010_01.50.42_log.txt

2010-04-30 01:46:31 ----D---- C:\WINDOWS\temp

2010-04-30 01:46:29 ----A---- C:\ComboFix.txt

2010-04-30 01:06:26 ----A---- C:\TDSSKiller.2.2.8.1_30.04.2010_01.06.26_log.txt

2010-04-30 01:00:40 ----A---- C:\TDSSKiller.2.2.8.1_30.04.2010_01.00.40_log.txt

2010-04-30 00:51:17 ----D---- C:\c51d2543fa025044485d6971a55f

2010-04-30 00:49:14 ----D---- C:\Config.Msi

2010-04-30 00:43:52 ----HDC---- C:\WINDOWS\$NtUninstallKB978262$

2010-04-30 00:43:48 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$

2010-04-30 00:43:44 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$

2010-04-30 00:43:40 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$

2010-04-30 00:43:36 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$

2010-04-30 00:43:32 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$

2010-04-30 00:43:28 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$

2010-04-30 00:43:25 ----HDC---- C:\WINDOWS\$NtUninstallKB971468$

2010-04-30 00:43:17 ----HDC---- C:\WINDOWS\$NtUninstallKB979683$

2010-04-30 00:43:13 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$

2010-04-30 00:42:55 ----HDC---- C:\WINDOWS\$NtUninstallKB980232$

2010-04-30 00:42:48 ----HDC---- C:\WINDOWS\$NtUninstallKB979402_WM9$

2010-04-30 00:42:43 ----HDC---- C:\WINDOWS\$NtUninstallKB955759$

2010-04-30 00:42:38 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$

2010-04-30 00:42:34 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$

2010-04-30 00:42:29 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$

2010-04-30 00:42:25 ----HDC---- C:\WINDOWS\$NtUninstallKB981349$

2010-04-30 00:42:20 ----HDC---- C:\WINDOWS\$NtUninstallKB968816_WM9$

2010-04-30 00:42:16 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$

2010-04-30 00:42:11 ----HDC---- C:\WINDOWS\$NtUninstallKB978037$

2010-04-30 00:42:06 ----HDC---- C:\WINDOWS\$NtUninstallKB975713$

2010-04-30 00:42:02 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$

2010-04-30 00:41:58 ----HDC---- C:\WINDOWS\$NtUninstallKB978338$

2010-04-30 00:41:54 ----HDC---- C:\WINDOWS\$NtUninstallKB954155_WM9$

2010-04-30 00:41:51 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$

2010-04-30 00:41:47 ----HDC---- C:\WINDOWS\$NtUninstallKB972270$

2010-04-30 00:41:42 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$

2010-04-30 00:41:38 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$

2010-04-30 00:41:27 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$

2010-04-30 00:41:21 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$

2010-04-30 00:41:17 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$

2010-04-30 00:41:11 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$

2010-04-30 00:41:07 ----HDC---- C:\WINDOWS\$NtUninstallKB974571$

2010-04-30 00:41:02 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$

2010-04-30 00:40:57 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$

2010-04-30 00:40:53 ----HDC---- C:\WINDOWS\$NtUninstallKB977816$

2010-04-30 00:40:49 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$

2010-04-30 00:40:30 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$

2010-04-30 00:40:26 ----HDC---- C:\WINDOWS\$NtUninstallKB977914$

2010-04-30 00:40:18 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$

2010-04-30 00:40:14 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$

2010-04-30 00:40:10 ----HDC---- C:\WINDOWS\$NtUninstallKB975467$

2010-04-30 00:40:02 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$

2010-04-30 00:22:42 ----HDC---- C:\WINDOWS\$NtUninstallKB956844$

2010-04-30 00:21:03 ----HDC---- C:\WINDOWS\$NtUninstallKB975561$

2010-04-30 00:18:49 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$

2010-04-30 00:18:42 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$

2010-04-30 00:16:30 ----HDC---- C:\WINDOWS\$NtUninstallKB980182$

2010-04-30 00:15:06 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$

2010-04-30 00:13:27 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$

2010-04-30 00:11:10 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$

2010-04-30 00:08:46 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$

2010-04-30 00:03:14 ----A---- C:\WINDOWS\system32\wmpns.dll

2010-04-29 22:19:45 ----A---- C:\WINDOWS\ntbtlog.txt

2010-04-29 21:45:15 ----HDC---- C:\WINDOWS\$NtUninstallKB969947$

2010-04-29 09:22:17 ----A---- C:\WINDOWS\system32\MRT.exe

2010-04-29 03:47:18 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$

2010-04-29 03:47:15 ----HDC---- C:\WINDOWS\$NtUninstallKB950760$

2010-04-29 03:47:11 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$

2010-04-29 03:47:06 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$

2010-04-29 03:47:03 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$

2010-04-29 03:46:59 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$

2010-04-29 03:46:55 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$

2010-04-29 03:46:49 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$

2010-04-29 03:11:41 ----A---- C:\Boot.bak

2010-04-29 03:11:35 ----RASHD---- C:\cmdcons

2010-04-29 03:09:51 ----A---- C:\WINDOWS\zip.exe

2010-04-29 03:09:51 ----A---- C:\WINDOWS\SWXCACLS.exe

2010-04-29 03:09:51 ----A---- C:\WINDOWS\SWSC.exe

2010-04-29 03:09:51 ----A---- C:\WINDOWS\SWREG.exe

2010-04-29 03:09:51 ----A---- C:\WINDOWS\sed.exe

2010-04-29 03:09:51 ----A---- C:\WINDOWS\PEV.exe

2010-04-29 03:09:51 ----A---- C:\WINDOWS\NIRCMD.exe

2010-04-29 03:09:51 ----A---- C:\WINDOWS\MBR.exe

2010-04-29 03:09:51 ----A---- C:\WINDOWS\grep.exe

2010-04-29 03:09:27 ----D---- C:\WINDOWS\ERDNT

2010-04-29 03:07:09 ----D---- C:\Qoobox

2010-04-29 03:06:49 ----D---- C:\VundoFix Backups

2010-04-29 03:06:49 ----A---- C:\VundoFix.txt

2010-04-29 00:45:36 ----D---- C:\Program Files\Sophos

2010-04-29 00:38:37 ----D---- C:\Documents and Settings\All Users\Application Data\Hitman Pro

2010-04-29 00:38:36 ----D---- C:\Program Files\Hitman Pro 3.5

2010-04-29 00:16:22 ----HDC---- C:\WINDOWS\$NtUninstallKB978601$

2010-04-29 00:14:22 ----HDC---- C:\WINDOWS\$NtUninstallKB979309$

2010-04-29 00:12:09 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$

2010-04-29 00:10:23 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$

2010-04-29 00:05:55 ----HDC---- C:\WINDOWS\$NtUninstallKB979306$

2010-04-29 00:03:57 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$

2010-04-29 00:00:12 ----HDC---- C:\WINDOWS\$NtUninstallKB971961$

2010-04-28 23:34:14 ----N---- C:\WINDOWS\system32\xpsp4res.dll

2010-04-28 23:28:01 ----D---- C:\WINDOWS\system32\PreInstall

2010-04-28 23:28:00 ----N---- C:\WINDOWS\system32\spmsg.dll

2010-04-28 23:27:59 ----HDC---- C:\WINDOWS\$NtUninstallKB898461$

2010-04-28 23:27:59 ----HD---- C:\WINDOWS\$hf_mig$

2010-04-28 20:35:43 ----D---- C:\WINDOWS\system32\SoftwareDistribution

2010-04-28 00:10:33 ----D---- C:\Program Files\SUPERAntiSpyware

2010-04-28 00:10:33 ----D---- C:\Documents and Settings\Daniel\Application Data\SUPERAntiSpyware.com

2010-04-28 00:10:15 ----D---- C:\Program Files\Common Files\Wise Installation Wizard

2010-04-27 23:23:38 ----D---- C:\Program Files\AVG

2010-04-27 23:23:22 ----D---- C:\Documents and Settings\All Users\Application Data\avg9

2010-04-27 23:23:11 ----D---- C:\WINDOWS\SxsCaPendDel

2010-04-27 23:15:11 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2010-04-25 20:13:26 ----D---- C:\SIMANT

2010-04-23 22:27:13 ----A---- C:\WINDOWS\system32\ff_vfw.dll.manifest

2010-04-23 22:27:13 ----A---- C:\WINDOWS\system32\ff_vfw.dll

2010-04-16 08:39:12 ----D---- C:\Documents and Settings\Daniel\Application Data\dvdcss

2010-04-11 13:42:23 ----D---- C:\Program Files\Veetle

2010-04-11 12:16:16 ----D---- C:\Documents and Settings\Daniel\Application Data\Foxit Software

2010-04-10 20:21:49 ----D---- C:\Documents and Settings\All Users\Application Data\DivX

2010-04-05 21:12:51 ----D---- C:\WINDOWS\system32\LogFiles

======List of files/folders modified in the last 1 months======

2010-05-01 10:21:12 ----A---- C:\Log.txt

2010-05-01 10:17:54 ----D---- C:\WINDOWS\Prefetch

2010-05-01 10:07:02 ----RD---- C:\Program Files

2010-05-01 10:05:42 ----D---- C:\WINDOWS\system32\CatRoot2

2010-05-01 02:53:31 ----A---- C:\WINDOWS\SchedLgU.Txt

2010-04-30 21:30:30 ----D---- C:\WINDOWS\system32\drivers

2010-04-30 19:45:11 ----D---- C:\Program Files\DOSBox-0.73

2010-04-30 12:01:04 ----D---- C:\WINDOWS\system32

2010-04-30 09:01:07 ----D---- C:\Program Files\Mozilla Firefox

2010-04-30 02:58:36 ----D---- C:\WINDOWS\Microsoft.NET

2010-04-30 02:58:14 ----RSD---- C:\WINDOWS\assembly

2010-04-30 02:06:26 ----D---- C:\Program Files\K-Meleon

2010-04-30 01:56:08 ----D---- C:\Program Files\Malwarebytes' Anti-Malware

2010-04-30 01:46:31 ----D---- C:\WINDOWS

2010-04-30 01:44:53 ----A---- C:\WINDOWS\system.ini

2010-04-30 01:42:54 ----D---- C:\WINDOWS\AppPatch

2010-04-30 01:42:51 ----D---- C:\Program Files\Common Files

2010-04-30 01:30:27 ----SHD---- C:\System Volume Information

2010-04-30 01:30:27 ----D---- C:\WINDOWS\system32\Restore

2010-04-30 01:04:03 ----HD---- C:\WINDOWS\inf

2010-04-30 01:03:25 ----RSHDC---- C:\WINDOWS\system32\dllcache

2010-04-30 00:56:57 ----SHD---- C:\WINDOWS\Installer

2010-04-30 00:56:00 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

2010-04-30 00:55:38 ----D---- C:\WINDOWS\WinSxS

2010-04-30 00:51:57 ----D---- C:\WINDOWS\system32\XPSViewer

2010-04-30 00:51:50 ----RSD---- C:\WINDOWS\Fonts

2010-04-30 00:49:25 ----D---- C:\Program Files\Internet Explorer

2010-04-30 00:45:14 ----D---- C:\WINDOWS\system32\wbem

2010-04-30 00:43:51 ----A---- C:\WINDOWS\imsins.BAK

2010-04-30 00:43:38 ----D---- C:\Program Files\Messenger

2010-04-30 00:21:05 ----D---- C:\Program Files\Movie Maker

2010-04-30 00:13:28 ----D---- C:\Program Files\Outlook Express

2010-04-29 21:57:45 ----D---- C:\Program Files\DAEMON Tools Lite

2010-04-29 09:33:57 ----D---- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite

2010-04-29 03:46:28 ----A---- C:\WINDOWS\winamp.ini

2010-04-29 03:26:24 ----D---- C:\WINDOWS\system32\config

2010-04-29 03:11:41 ----RASH---- C:\boot.ini

2010-04-29 01:10:10 ----SD---- C:\Documents and Settings\Daniel\Application Data\Microsoft

2010-04-28 20:35:48 ----D---- C:\WINDOWS\SoftwareDistribution

2010-04-28 20:35:45 ----D---- C:\WINDOWS\Help

2010-04-28 00:23:39 ----A---- C:\WINDOWS\win.ini

2010-04-27 23:23:20 ----D---- C:\Program Files\Common Files\Microsoft Shared

2010-04-27 23:01:30 ----D---- C:\WINDOWS\Network Diagnostic

2010-04-27 20:51:32 ----HD---- C:\WINDOWS\PIF

2010-04-27 20:42:16 ----D---- C:\WINDOWS\ehome

2010-04-26 09:23:00 ----D---- C:\Documents and Settings\Daniel\Application Data\U3

2010-04-24 11:59:21 ----D---- C:\Documents and Settings\Daniel\Application Data\vlc

2010-04-23 22:36:34 ----D---- C:\Program Files\ffdshow

2010-04-10 22:25:24 ----D---- C:\Documents and Settings\Daniel\Application Data\DivX

2010-04-10 20:24:48 ----D---- C:\Program Files\DivX

2010-04-10 20:24:48 ----D---- C:\Program Files\Common Files\DivX Shared

2010-04-04 21:00:53 ----D---- C:\WINDOWS\pchealth

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ANC;ANC; C:\WINDOWS\System32\drivers\ANC.SYS [2009-02-27 11520]

R1 IBMTPCHK;IBMTPCHK; \??\C:\WINDOWS\system32\Drivers\IBMBLDID.sys []

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-08-21 36352]

R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []

R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS []

R1 SAVRKBootTasks;Boot Tasks Driver; \??\C:\WINDOWS\system32\SAVRKBootTasks.sys []

R1 TPHKDRV;TPHKDRV; C:\WINDOWS\system32\DRIVERS\TPHKDRV.sys [2008-05-12 17844]

R1 TPPWRIF;TPPWRIF; C:\WINDOWS\System32\drivers\Tppwrif.sys [2004-11-30 4442]

R1 TSMAPIP;TSMAPIP; C:\WINDOWS\System32\drivers\TSMAPIP.SYS [2007-03-08 7168]

R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2008-08-21 12032]

R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2008-04-13 88192]

R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]

R2 s24trans;WLAN Transport; C:\WINDOWS\system32\DRIVERS\s24trans.sys [2009-08-10 13952]

R2 smihlp;SMI Helper Driver (smihlp); \??\C:\Program Files\Common Files\ThinkVantage Fingerprint Software\Drivers\smihlp.sys []

R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2006-06-20 178688]

R3 AEAudioService;AEAudio Service; C:\WINDOWS\system32\drivers\AEAudio.sys [2006-08-07 93952]

R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2009-02-12 3489280]

R3 atmeltpm;atmeltpm; C:\WINDOWS\system32\DRIVERS\atmeltpm.sys [2005-05-17 15872]

R3 btaudio;Bluetooth Audio Device; C:\WINDOWS\system32\drivers\btaudio.sys [2009-02-16 534568]

R3 BTDriver;Bluetooth Virtual Communications Driver; C:\WINDOWS\system32\DRIVERS\btport.sys [2009-02-16 37160]

R3 BTKRNL;Bluetooth Bus Enumerator; C:\WINDOWS\system32\DRIVERS\btkrnl.sys [2009-02-16 991784]

R3 BTWDNDIS;Bluetooth LAN Access Server; C:\WINDOWS\system32\DRIVERS\btwdndis.sys [2009-02-16 156816]

R3 btwmodem;Bluetooth Modem; C:\WINDOWS\system32\DRIVERS\btwmodem.sys [2009-02-16 37032]

R3 BTWUSB;WIDCOMM USB Bluetooth Driver; C:\WINDOWS\System32\Drivers\btwusb.sys [2009-02-16 47272]

R3 CmBatt;Microsoft AC Adapter Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]

R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2007-10-12 252048]

R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-08-21 144384]

R3 hitmanpro35;Hitman Pro 3.5 Support Driver; \??\C:\WINDOWS\system32\drivers\hitmanpro35.sys []

R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys [2007-11-01 989696]

R3 HSFHWAZL;HSFHWAZL; C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys [2007-11-01 211456]

R3 IBMPMDRV;IBMPMDRV; C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys [2007-05-31 21424]

R3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\WINDOWS\system32\DRIVERS\mcdbus.sys [2009-02-24 116736]

R3 NETw5x32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows XP 32 Bit; C:\WINDOWS\system32\DRIVERS\NETw5x32.sys [2009-09-15 5977216]

R3 NSCIRDA;NSC Infrared Device Driver; C:\WINDOWS\system32\DRIVERS\nscirda.sys [2008-04-13 28672]

R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584]

R3 swmx01;Sierra Wireless USB MUX Driver (#01); C:\WINDOWS\system32\DRIVERS\swmx01.sys [2007-04-10 72576]

R3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01); C:\WINDOWS\system32\DRIVERS\SWNC5E01.sys [2007-01-12 102144]

R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2008-10-06 225696]

R3 TcUsb;TC USB Kernel Driver; C:\WINDOWS\System32\Drivers\tcusb.sys [2008-08-08 50704]

R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]

R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]

R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]

R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2007-11-01 731520]

S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]

S3 AEAudio;AE Audio Service; C:\WINDOWS\system32\drivers\AEAudio.sys [2006-08-07 93952]

S3 catchme;catchme; \??\C:\DOCUME~1\Daniel\LOCALS~1\Temp\catchme.sys []

S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]

S3 MEMSWEEP2;MEMSWEEP2; \??\C:\WINDOWS\system32\E.tmp []

S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]

S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []

S3 TwoTrack;IBM PS/2 TrackPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\TwoTrack.sys [2001-08-17 11520]

S3 UIUSys;Conexant Setup API; C:\WINDOWS\system32\DRIVERS\UIUSYS.SYS []

S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]

S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]

S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]

S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

S4 sptd;sptd; C:\WINDOWS\System32\Drivers\sptd.sys [2010-04-29 691696]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AcPrfMgrSvc;Ac Profile Manager Service; C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe [2009-02-27 98304]

R2 AcSvc;Access Connections Main Service; C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe [2009-02-27 217088]

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2009-02-11 602112]

R2 btwdins;Bluetooth Service; C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe [2009-02-10 346720]

R2 EvtEng;Intel® PROSet/Wireless Event Log; C:\Program Files\Intel\WiFi\bin\EvtEng.exe [2009-09-21 858384]

R2 IBMPMSVC;ThinkPad PM Service; C:\WINDOWS\system32\ibmpmsvc.exe [2007-05-31 36400]

R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2008-08-21 14336]

R2 IviRegMgr;IviRegMgr; C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe [2007-01-04 112152]

R2 Power Manager DBC Service;Power Manager DBC Service; C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE [2008-11-21 53248]

R2 RegSrvc;Intel® PROSet/Wireless Registry Service; C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe [2009-09-21 473360]

R2 S24EventMonitor;Intel® PROSet/Wireless WiFi Service; C:\Program Files\Intel\WiFi\bin\S24EvMon.exe [2009-09-21 954368]

S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]

S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]

S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]

S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]

S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]

S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

And here is info.txt:

info.txt logfile of random's system information tool 1.06 2010-05-01 10:22:25

======Uninstall list======

-->C:\Program Files\InstallShield Installation Information\{69333A04-5134-40A5-A055-9166A7AA1EC8}\setup.exe -runfromtemp -l0x0009 -removeonly

-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

7-Zip 4.65-->"C:\Program Files\7-Zip\Uninstall.exe"

Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe

ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe

ATI Catalyst Control Center-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0

ATI Display Driver-->rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean

ATI Hydravision APS-->MsiExec.exe /X{CBBCD044-B406-4C41-A3DD-99DE6F0004D2}

BitPim 1.0.6-->"C:\Program Files\BitPim\unins000.exe"

Canon RAW Codec-->"C:\Program Files\Common Files\Canon\UIW\1.7.0.0\Uninst.exe" "C:\Program Files\Canon\RAWCodec160\CRCUnInstall.ini"

Canon Utilities Digital Photo Professional 1.0-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{F011B8F1-BCCD-4E73-84F8-CB2F2D258755}

Canon Utilities Digital Photo Professional 3.7-->"C:\Program Files\Common Files\Canon\UIW\1.6.0.0\Uninst.exe" "C:\Program Files\Canon\Digital Photo Professional\Uninst.ini"

Canon Utilities EOS Utility-->"C:\Program Files\Common Files\Canon\UIW\1.6.0.0\Uninst.exe" "C:\Program Files\Canon\EOS Utility\Uninst.ini"

Deus Ex-->C:\DeusEx\System\Setup.exe uninstall "Deus Ex"

DH Mobility Modder.NET-->C:\Program Files\MobilityDotNET\Uninstall.exe

DivX Plus DirectShow Filters-->C:\Documents and Settings\All Users\Application Data\DivX\DivX7\DivX Plus DirectShow Filters\DivXDSFiltersUninstall.exe /DSFILTERS

DivX Setup-->C:\Documents and Settings\All Users\Application Data\DivX\Setup\DivXSetup.exe /uninstall /bundleGroupId divx.com

EVEREST Home Edition v2.20-->"C:\Program Files\EVEREST Home Edition\unins000.exe"

ffdshow [rev 3154] [2009-12-09]-->"C:\Program Files\ffdshow\unins000.exe"

FIFA 06-->C:\Program Files\EA SPORTS\FIFA 06\EAUninstall.exe

FileZilla Client 3.2.8.1-->C:\Program Files\FileZilla FTP Client\uninstall.exe

FireGL driver for 3D Studio MAX/VIZ-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5AEBFD6-3AF9-4784-81C2-F442C86AA096}\setup.exe"

Football Manager 2010-->"C:\Program Files\Sports Interactive\Football Manager 2010\Uninstall_Football Manager 2010\Uninstall Football Manager 2010.exe"

Foxit Reader-->C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe

HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall

Hitman Pro 3.5-->"C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /uninstall

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""

Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB979306)-->"C:\WINDOWS\$NtUninstallKB979306$\spuninst\spuninst.exe"

HydraVision-->MsiExec.exe /X{FCCDE84B-0154-459E-A8F2-C6B3FA5C1881}

IBM Lotus Symphony-->MsiExec.exe /X{6dde8b21-0510-4cfd-92db-cac94e4e4d0a}

ImgBurn-->"C:\Program Files\ImgBurn\uninstall.exe"

Intel PROSet Wireless-->Intel PROSet Wireless

Intel® PRO Network Connections Drivers-->Prounstl.exe

InterVideo WinDVD-->"C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL

Java 6 Update 14-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216014FF}

K-Meleon 1.5.4 en-US (remove only)-->C:\Program Files\K-Meleon\uninstall.exe

MagicDisc 2.7.106-->C:\PROGRA~1\MAGICD~1\UNWISE.EXE C:\PROGRA~1\MAGICD~1\INSTALL.LOG

Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"

Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}

Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}

Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe

Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}

Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}

Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}

Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}

Mozilla Firefox (3.5.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe

On Screen Display-->rundll32.exe "C:\Program Files\Lenovo\HOTKEY\cleanup.dll",InfUninstall DefaultUninstall.XP 132 C:\Program Files\Lenovo\HOTKEY\tphk_tp.inf

PC-Doctor 5 for Windows-->C:\Program Files\PCDR5\uninst.exe

Qtpfsgui 1.9.3-->"C:\Program Files\Qtpfsgui\unins000.exe"

Royale Remixed Theme-->MsiExec.exe /I{993A94A9-DCE3-4774-B35D-D8C74FC1E0BE}

Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB979402)-->"C:\WINDOWS\$NtUninstallKB979402_WM9$\spuninst\spuninst.exe"

Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"

Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf

Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"

Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"

Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"

Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"

Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"

Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"

Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"

Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"

Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"

Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"

Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"

Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"

Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"

Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"

Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"

Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"

Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"

Security Update for Windows XP (KB975561)-->"C:\WINDOWS\$NtUninstallKB975561$\spuninst\spuninst.exe"

Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"

Security Update for Windows XP (KB977816)-->"C:\WINDOWS\$NtUninstallKB977816$\spuninst\spuninst.exe"

Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"

Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"

Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"

Security Update for Windows XP (KB978338)-->"C:\WINDOWS\$NtUninstallKB978338$\spuninst\spuninst.exe"

Security Update for Windows XP (KB978601)-->"C:\WINDOWS\$NtUninstallKB978601$\spuninst\spuninst.exe"

Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"

Security Update for Windows XP (KB979309)-->"C:\WINDOWS\$NtUninstallKB979309$\spuninst\spuninst.exe"

Security Update for Windows XP (KB979683)-->"C:\WINDOWS\$NtUninstallKB979683$\spuninst\spuninst.exe"

Security Update for Windows XP (KB980232)-->"C:\WINDOWS\$NtUninstallKB980232$\spuninst\spuninst.exe"

Security Update for Windows XP (KB981349)-->"C:\WINDOWS\$NtUninstallKB981349$\spuninst\spuninst.exe"

Sierra Wireless MC57xx Package for Access Connections-->MsiExec.exe /X{7DA0C101-5C7C-40C9-A485-68E12780232C}

Sonic Express Labeler-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}

Sonic RecordNow!-->MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}

Sonic Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}

SopCast 3.2.4-->C:\Program Files\SopCast\uninst.exe

Sophos Anti-Rootkit 1.5.0-->C:\Program Files\Sophos\Sophos Anti-Rootkit\helper.exe remove

SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\SETUP.exe" -l0x9 -removeonly

SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}

ThinkPad Bluetooth with Enhanced Data Rate Software-->MsiExec.exe /X{84814E6B-2581-46EC-926A-823BD1C670F6}

ThinkPad EasyEject Utility -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1297C681-92D7-40EF-93BF-03F66EC5105C}\SETUP.EXE" -l0x9 -AddRemove

ThinkPad FullScreen Magnifier-->rundll32.exe "C:\Program Files\Lenovo\ZOOM\cleanup.dll",InfUninstall DefaultUninstall 132 C:\Program Files\Lenovo\Zoom\TpScrex.inf

ThinkPad Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588\UIU32m.exe -U -ITkp0588k.INF

ThinkPad Power Management Driver-->RunDll32.exe tpinspm.dll,Uninstall

ThinkPad Power Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0E64EBA-8BF0-49FB-90C0-BB3D781A2016}\SETUP.EXE" -l0x9 -AddRemove

ThinkPad Presentation Director-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ThinkPad\Utilities\UNNPDR.isu" -c"C:\Program Files\ThinkPad\Utilities\Tpinsnpd.dll"

ThinkPad UltraNav Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall

ThinkPad UltraNav Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17CBC505-D1AE-459D-B445-3D2000A85842}\Setup.exe" -l0x9 UNINSTALL

ThinkVantage Access Connections-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7EB114D8-207F-45AE-BABD-1669715F2630}\SETUP.EXE" -l0x9 anything

ThinkVantage Fingerprint Software 5.8-->MsiExec.exe /I{9F98C9F8-9B49-411C-AFB9-AF633249FA7C}

Tribes 2-->C:\PROGRA~1\Tribes2\UNWISE.EXE C:\PROGRA~1\Tribes2\INSTALL.LOG

Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"

Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"

Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"

Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"

Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"

Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"

Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"

Update for Windows XP (KB980182)-->"C:\WINDOWS\$NtUninstallKB980182$\spuninst\spuninst.exe"

VC80CRTRedist - 8.0.50727.4053-->MsiExec.exe /I{5EE7D259-D137-4438-9A5F-42F432EC0421}

VDMSound-->C:\Program Files\VDMSound\uninst.exe

Veetle TV 0.9.17-->C:\Program Files\Veetle\UninstallVeetleTV.exe

VLC media player 1.0.3-->C:\Program Files\VideoLAN\VLC\uninstall.exe

Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"

Zune Desktop Theme-->MsiExec.exe /X{7E20EFE6-E604-48C6-8B39-BA4742F2CDB4}

======Hosts File======

127.0.0.1 localhost

======System event log======

Computer Name: YOUR-7DD4095BD2

Event Code: 1003

Message: Your computer was not able to renew its address from the network (from the

DHCP Server) for the Network Card with network address 001302C7C38F. The following

error occurred:

The operation was canceled by the user.

.

Your computer will continue to try and obtain an address on its own from

the network address (DHCP) server.

Record Number: 8730

Source Name: Dhcp

Time Written: 20100223235809.000000-480

Event Type: warning

User:

Computer Name: YOUR-7DD4095BD2

Event Code: 1003

Message: Your computer was not able to renew its address from the network (from the

DHCP Server) for the Network Card with network address 001302C7C38F. The following

error occurred:

The operation was canceled by the user.

.

Your computer will continue to try and obtain an address on its own from

the network address (DHCP) server.

Record Number: 8728

Source Name: Dhcp

Time Written: 20100223235759.000000-480

Event Type: warning

User:

Computer Name: YOUR-7DD4095BD2

Event Code: 4226

Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 8712

Source Name: Tcpip

Time Written: 20100702201147.000000-420

Event Type: warning

User:

Computer Name: YOUR-7DD4095BD2

Event Code: 4226

Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 8711

Source Name: Tcpip

Time Written: 20100702195744.000000-420

Event Type: warning

User:

Computer Name: YOUR-7DD4095BD2

Event Code: 34

Message: The time service has detected that the system time needs to be

changed by -11142002 seconds. The time service will not change the system

time by more than -54000 seconds. Verify that your time and time zone

are correct, and that the time source time.nist.gov (ntp.m|0x1|192.168.1.6:123->192.43.244.18:123) is working properly.

Record Number: 8704

Source Name: W32Time

Time Written: 20100702174531.000000-420

Event Type: error

User:

=====Application event log=====

Computer Name: YOUR-7DD4095BD2

Event Code: 1002

Message: Hanging application firefox.exe, version 1.9.1.3523, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 272

Source Name: Application Hang

Time Written: 20090924081659.000000-420

Event Type: error

User:

Computer Name: YOUR-7DD4095BD2

Event Code: 1000

Message: Faulting application AcSvc.exe, version 5.2.0.0, faulting module unknown, version 0.0.0.0, fault address 0x01092cf5.

Record Number: 267

Source Name: Application Error

Time Written: 20090923091223.000000-420

Event Type: error

User:

Computer Name: YOUR-7DD4095BD2

Event Code: 1000

Message: Faulting application rometw.exe, version 1.0.0.0, faulting module rometw.exe, version 1.0.0.0, fault address 0x006e182f.

Record Number: 224

Source Name: Application Error

Time Written: 20090914012526.000000-420

Event Type: error

User:

Computer Name: YOUR-7DD4095BD2

Event Code: 1000

Message: Faulting application tribes2.exe, version 0.25034.0.0, faulting module tribes2.exe, version 0.25034.0.0, fault address 0x00224c0a.

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe

"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\Program Files\ThinkPad\ConnectUtilities;C:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\ATI Technologies\Fire GL 3D Studio Max;C:\Program Files\VDMSound;C:\Program Files\Intel\WiFi\bin;C:\Program Files\Common Files\DivX Shared

"windir"=%SystemRoot%

"FP_NO_HOST_CHECK"=NO

"OS"=Windows_NT

"PROCESSOR_ARCHITECTURE"=x86

"PROCESSOR_LEVEL"=6

"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 14 Stepping 8, GenuineIntel

"PROCESSOR_REVISION"=0e08

"NUMBER_OF_PROCESSORS"=2

"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

"TEMP"=%SystemRoot%\TEMP

"TMP"=%SystemRoot%\TEMP

"VDMSPath"=C:\Program Files\VDMSound

-----------------EOF-----------------

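A worked check on the event-log section of the info.txt above, added here as an example; it is not part of the original post or of RSIT. The script parses the record layout RSIT prints (Computer Name / Event Code / Message / Record Number / Source Name / Time Written / Event Type / User, with messages that can run over several lines), converts the CIM timestamps, and flags records a responder would want to look at twice: events written after the log was generated (the Tcpip and W32Time records above carry July 2010 timestamps in a log produced on 2010-05-01, so the clock was wrong at some point), Tcpip 4226 (XP's limit on concurrent half-open TCP connection attempts was hit, which P2P clients and scanning or spamming malware both trigger), and W32Time 34 (a requested clock correction too large to apply automatically). The sample input is a trimmed copy of three records from the log above; the generation time comes from the info.txt header line; which events count as interesting is this example's own choice.

```python
"""Triage the event-log section of an RSIT info.txt (added example)."""
import re
from datetime import datetime, timedelta, timezone

FIELD_RE = re.compile(
    r"^(Computer Name|Event Code|Message|Record Number|Source Name|"
    r"Time Written|Event Type|User):\s*(.*)$")
CIM_RE = re.compile(r"^(\d{14})\.(\d{6})([+-]\d{3})$")   # yyyymmddHHMMSS.uuuuuu+-minutes

# Taken from the info.txt header line "... 1.06 2010-05-01 10:22:25".
GENERATED_AT = datetime(2010, 5, 1, 10, 22, 25)

# Trimmed copy of three records from the log posted above.
SAMPLE_LOG = """\
======System event log======

Computer Name: YOUR-7DD4095BD2
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 001302C7C38F. The following
error occurred:
The operation was canceled by the user.
.
Record Number: 8730
Source Name: Dhcp
Time Written: 20100223235809.000000-480
Event Type: warning
User:
Computer Name: YOUR-7DD4095BD2
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.
Record Number: 8712
Source Name: Tcpip
Time Written: 20100702201147.000000-420
Event Type: warning
User:
Computer Name: YOUR-7DD4095BD2
Event Code: 34
Message: The time service has detected that the system time needs to be
changed by -11142002 seconds. The time service will not change the system
time by more than -54000 seconds.
Record Number: 8704
Source Name: W32Time
Time Written: 20100702174531.000000-420
Event Type: error
User:
"""


def parse_cim_datetime(value):
    """'20100702201147.000000-420' -> aware datetime; the suffix is the UTC offset in minutes."""
    m = CIM_RE.match(value.strip())
    if not m:
        raise ValueError("bad CIM datetime: %r" % value)
    stamp = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    return stamp.replace(microsecond=int(m.group(2)),
                         tzinfo=timezone(timedelta(minutes=int(m.group(3)))))


def parse_records(text):
    """Split the RSIT dump into dicts; lines that are not fields extend the Message."""
    records, current, last = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("====="):
            continue
        m = FIELD_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2)
            if name == "Computer Name":          # every record starts with this field
                current = {}
                records.append(current)
            if current is not None:
                current[name] = value
                last = name
        elif current is not None and last == "Message":
            current["Message"] += "\n" + line
    return records


def triage(text, generated_at):
    """Return (record number, reason) pairs; generated_at is the header's naive local time."""
    findings = []
    for rec in parse_records(text):
        num = rec.get("Record Number", "?")
        written = rec.get("Time Written")
        if written:
            # CIM stamps carry local wall-clock time plus an offset, so the
            # wall-clock part compares directly with the header's local time.
            local = parse_cim_datetime(written).replace(tzinfo=None)
            if local > generated_at:
                findings.append((num, "written %s, after the log was generated" % local))
        src, code = rec.get("Source Name"), rec.get("Event Code")
        if (src, code) == ("Tcpip", "4226"):
            findings.append((num, "half-open TCP connect limit hit; correlate with process activity"))
        if (src, code) == ("W32Time", "34"):
            m = re.search(r"changed by (-?\d+) seconds", rec.get("Message", ""))
            if m:
                findings.append((num, "clock off by about %.0f days" % (int(m.group(1)) / 86400)))
    return findings


if __name__ == "__main__":
    for num, reason in triage(SAMPLE_LOG, GENERATED_AT):
        print("record %s: %s" % (num, reason))
```

Pointing `triage()` at the full event-log section of a saved info.txt works the same way; the DHCP record is parsed but produces no finding, which is the expected result for ordinary noise.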

Hi,

Try this

First,

Analyze file(s).

Please visit Jotti.

Click on Browse > copy the path below (one by one) and paste it into the File name box > click Open:

c:\windows\system32\drivers\klmdb.sys

  • Press Submit file - this will submit the file for testing.
  • Please wait for all the scanners to finish then copy and paste the permalink (web address) in your next response.


Next,

Checklist.

Please post.

  • Web link


Hi,

No worries. I just want to make sure about it.

First,

ERUNT by Lars Hederer

Download ERUNT and save to the desktop.

  • Double click on erunt-setup.exe to install the program.
  • Follow the prompts > uncheck Create NTREGOPT desktop icon at the Additional Tasks screen.
  • Click No when you are prompted about creating an ERUNT entry in the startup folder.
  • Next screen, uncheck Show documentation and check Launch ERUNT.
  • If ERUNT doesn't start by itself, launch it from the desktop shortcut.
  • At the configuration screen, make sure all 3 checkboxes are checked
  • Click Ok to run the backup process

Note:

The backups can be restored from here:

C:\windows\ERDNT\<todays date>\ERDNT.exe

Next,

Registry Fix.

  • Open Notepad.exe.
  • Copy and paste below code into the notepad.
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\klmdb.sys]


  • Click on File > Save As
    Save in : Desktop
    File name : xixo.reg
    Save as type : All Files
  • Double click on xixo.reg and merge the information with the registry.

Next,

Checklist.

Please post.

  • How is your system now?

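Before merging a .reg file that someone posted, it is worth seeing exactly what it will do, because Registry Editor applies it without showing a summary, and the ERUNT backup above is what lets you undo it afterwards. The script below is an added example, not part of the thread, of ERUNT or of any Microsoft tool: it parses the REGEDIT4 and "Windows Registry Editor Version 5.00" formats, lists each key deletion, key creation, value write and value deletion in merge order, and warns about deletions under Control\SafeBoot, because an entry removed there names a driver or service that will no longer be loaded in Safe Mode. The first sample is the two-line fix posted above; the second is a constructed file (the Run key path, value names and data are invented) that exercises the other statement kinds.

```python
"""Pre-merge review of a .reg file (added example; not from the thread or ERUNT).
Lists every key/value change a merge would make and warns about deletions
under Control\\SafeBoot, which stop a driver or service loading in Safe Mode."""
import re
import sys
from dataclasses import dataclass, field

# The two-line fix posted above, as the first sample input.
SAMPLE_REG = """REGEDIT4

[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\klmdb.sys]
[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\network\\klmdb.sys]
"""

# Constructed second sample (paths, names and data invented) with the other statement kinds.
SAMPLE_REG_MIXED = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Updater"="C:\\\\temp\\\\updater.exe"
"OldEntry"=-
"Blob"=hex:01,02,\\
  03,04

[-HKEY_CURRENT_USER\\Software\\Example]
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")                # [key] or [-key]
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')  # "name"=data, @=data, "name"=-
SAFEBOOT = "\\control\\safeboot\\"


@dataclass
class RegAction:
    kind: str        # delete_key | create_key | set_value | delete_value
    key: str
    name: str = ""   # value name; "" means (Default)
    data: str = ""   # raw data text as written in the file


@dataclass
class RegReview:
    header: str
    actions: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def _logical_lines(lines):
    # Join physical lines ending in a backslash (hex value continuations).
    buf = ""
    for raw in lines:
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def review_reg(text):
    """Parse .reg text into a RegReview without touching the registry."""
    lines = text.splitlines()
    header = lines[0].strip() if lines else ""
    if header not in HEADERS:
        raise ValueError("not a .reg file, header is %r" % header)
    review, current = RegReview(header), None
    for line in _logical_lines(lines[1:]):
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1) == "-":            # [-key]: delete the whole key and subkeys
                current = None
                review.actions.append(RegAction("delete_key", key))
                if SAFEBOOT in key.lower():
                    review.warnings.append("removes Safe Mode load entry %s" % key.rsplit("\\", 1)[-1])
            else:                            # [key]: create if missing, then set its values
                current = key
                review.actions.append(RegAction("create_key", key))
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(2)
            kind = "delete_value" if m.group(3) == "-" else "set_value"
            review.actions.append(RegAction(kind, current, name, m.group(3)))
            continue
        review.warnings.append("unrecognised line: %r" % line)
    return review


def summary(review):
    """One human-readable line per action, in merge order."""
    out = []
    for a in review.actions:
        if a.kind.endswith("_key"):
            out.append("%-12s %s" % (a.kind, a.key))
        else:
            tail = "" if a.kind == "delete_value" else " = " + a.data
            out.append("%-12s %s\\%s%s" % (a.kind, a.key, a.name or "(Default)", tail))
    return out


def load_reg(path):
    """Regedit's own exports are UTF-16 with a BOM; hand-written files are usually ASCII."""
    data = open(path, "rb").read()
    return data.decode("utf-16") if data.startswith((b"\xff\xfe", b"\xfe\xff")) else data.decode("utf-8-sig")


if __name__ == "__main__":
    review = review_reg(load_reg(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG)
    print("\n".join(summary(review)))
    for w in review.warnings:
        print("WARNING:", w)
```

Run it as `python review_reg.py xixo.reg` (the saved file from the step above) and it prints the two key deletions plus a warning for each, which is what the helper intended; a file that also adds Run or Services entries, or deletes keys outside the ones the helper named, is the thing this review is meant to catch before merging.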

The system seems to be running OK and no google redirects so far using firefox. I can hibernate and shut down my computer like normal and my laptop is automatically connecting to the internet, which it wasn't able to do before. Should I run another scan to make sure it's all clean?

I'm just curious - before, when I had that infection that caused my CPU to be maxed out, I just ran RSIT.exe and then my system was better. I thought RSIT.exe was just a scanner? Or did it remove the malware that was causing me problems? I'm just paranoid that there's something left behind.

I'm really glad to see the progress we're making!


Hi,

RSIT is supposed to act as a scanner, nothing more or less.

Perhaps it's just your lucky day :)

Let's proceed with the last one.

First,

Java is out of date.

It can be updated from the Java control panel.

  • Click on Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
  • An update should begin.
  • Follow the prompts.

Next,

ATF by Atribune

Please download HERE and save to the desktop. Double-click ATF Cleaner.exe to open it.

Under Main choose:

  • choose: Select All
    Click the Empty Selected button.

if you use Firefox:

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

if you use Opera:

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program

Next,

Kaspersky Online AV Scan

Note: Internet Explorer should be used.

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply.

Next,

Checklist.

Please post.

  • Content of Kaspersky scan log


Kaspersky found a few infections. Guess I'm not completely lucky :)

PS: One thing I noticed is that when I open an application, the window is off-screen. Maximize and tile windows won't bring it back. I think this is some error with the registry and not malware related but I was wondering if you knew how to fix this? Right now I have to right-click>move and use the arrow keys to bring the window back.

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Saturday, May 1, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Saturday, May 01, 2010 22:24:58

Records in database: 4027239

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

F:\

I:\

Scan statistics:

Objects scanned: 97277

Threats found: 2

Infected objects found: 4

Suspicious objects found: 0

Scan duration: 02:11:36

File name / Threat / Threats count

C:\Documents and Settings\Daniel\Application Data\Sun\Java\Deployment\cache\6.0\60\7e221b3c-33b79680 Infected: Trojan-Downloader.Java.Agent.as 3

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\pciide.sys.vir Infected: Rootkit.Win32.TDSS.ap 1

Selected area has been scanned.


Good! :)

Your system now is clean.

Let's do some cleaning and management.

I saw you ran ComboFix tools.

Please don't use it without supervision by an expert, as it's not a toy. It could render your system unbootable.

Uninstall Combofix

  • Click on Start >> Run...
  • Now type ComboFix /Uninstall into the box and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

First,

OTC by Old Timer.

  • Please download HERE and save it to the desktop.
  • Double click on OTC.exe. Click on CleanUp!.
  • You will receive a prompt that it needs to restart the computer to remove the files. Click Yes.
  • It will restart your computer automatically. If it doesn't, please restart your computer manually.

Next,

You can delete the tools that were involved in this process.

Next,

Discussion

The current issue you face is probably related to a multi-monitor configuration.

As I'm a specialist on malware issues, I can give you a link for your reference: http://support.microsoft.com/kb/307873

Should you need any further information, I would send you to one of these :

Good System/Hardware Help Forums

You may need to register (it's free) in order to post on their forum :)

Good luck!

Additional Information :

SpywareBlaster.

  • SpywareBlaster helps make your Internet Explorer stronger, as it blocks known malicious ActiveX controls.
  • A tutorial on installing & using this product can be found HERE

Antivirus.

  • Antivirus helps give the system maximum protection.
  • You are advised to have only ONE antivirus running on the system.
  • Please keep it updated regularly.

WinPatrol.

  • Unwanted things always happen without your knowledge. Let this software take a snapshot of them.
  • More information and installation instructions can be found HERE

Windows/Program Update.

Please make sure to have Windows Automatic Update turned ON, or you can do it manually.

Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Install the updates immediately if they are found.

To update Windows

  • Go to Start > All Programs > Windows Update

To update Office

  • Open up any Office program.
  • Go to Help > Check for Updates

You can always refer to both websites to check whether any updates are needed for your system.

Information.

Safe surfing! :)
