
"Backdoor.Tidserv!inf" infecting "atapi.sys" and being otherwise malicious and unreasonable


  • This topic is locked
21 replies to this topic

#1 writerdude19

  • Members
  • 11 posts

Posted 13 February 2010 - 02:52 AM

Hello, I'm new here, but I've got a malicious infection that is being thoroughly unreasonable.

My problem stems from an infection by Backdoor.Tidserv!inf

I currently run Windows XP with the following anti-virus/malware programs: Malwarebytes, Spybot, and Symantec AntiVirus Corporate Edition. When last I checked, my computer was up to date on any/all Microsoft updates.

Since discovering this infection, I have limited the internet usage on that machine to as short a period as possible. Any substantial length of time where the computer is connected to the internet, regardless of the firewall settings I have in place (and it is enabled), I find that when I next run a scan for malware/viruses, I get hits that I didn't get the last time I was on. Also at times, Symantec will notify me that the infection is present, in the same file, sometimes over 1000 times in as short as 10 minutes. Also, at times, following one of these notifications, my computer will reboot itself.

My trouble is that no matter what I do, my Symantec still alerts me periodically to the fact that C:\windows\system32\drivers\atapi.sys is infected. It also tells me at times that a second file called atapi.sys.tmp found in the same drivers folder is also infected with the same virus. Symantec so far has been unsuccessful in removing the virus from the atapi.sys file.

I've tried deleting the second file, but was unsuccessful from Windows XP normal or Safe modes. I was successful in deleting the 2nd file mentioned using the Windows Recovery Console, manually deleting "atapi.sys.tmp" several times, but the file just isn't getting the hint. I don't dare delete the first file as I have read that it is a necessary file for windows to function normally.

Right now, I have my computer completely disconnected from the internet, as I have found that it cannot be connected for any length of time without further malware being downloaded and unexpected reboots occurring. I have further turned off the System Restore option.

I have also followed the directions found here: Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help and am posting the necessary logs/files for your consideration.

DDS.txt Log

DDS (Ver_09-12-01.01) - NTFSx86
Run by kevin at 21:42:27.73 on Fri 02/12/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1559 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\PROGRA~1\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\MYINST~1\Symantec\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\MYINST~1\Symantec\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\MYINST~1\Symantec\vptray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\kevin\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\acrobat\activex\AcroIEHelper.ocx
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0819.dll
uRun: [ShockmachineReminder] c:\program files\shockwave\shockmachine\SmReminder.exe
uRun: [ATI Launchpad] "c:\program files\ati multimedia\main\launchpd.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [AIM] c:\program files\my installed programs\aol im\aim.exe -cnetwait.odl
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [QuickTime Task] "c:\program files\my installed programs\quicktime\QTTask.exe" -atboottime
mRun: [Iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe
mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe
mRun: [AdaptecDirectCD] c:\program files\adaptec\easy cd creator 5\directcd\DirectCD.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [vptray] c:\progra~1\myinst~1\symantec\vptray.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [IMONTRAY] c:\program files\intel\intel® active monitor\imontray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: c:\progra~1\common~1\btlink\btlink.dll//iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\my installed programs\aol im\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {44226DFF-747E-4edc-B30C-78752E50CD0C} - {44226DFF-747E-4edc-B30C-78752E50CD0C} - c:\program files\ati multimedia\tv\EXPLBAR.DLL
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0819.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: tvguide.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000075-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxmsdec.CAB
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37618.6689930556
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R2 NAVAPEL;NAVAPEL;c:\program files\my installed programs\symantec\Navapel.sys [2003-5-2 30208]
R2 Norton AntiVirus Server;Symantec AntiVirus Client;c:\progra~1\myinst~1\symantec\Rtvscan.exe [2003-5-21 610304]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-20 24652]
S3 NAVAP;NAVAP;c:\progra~1\myinst~1\symantec\NAVAP.sys [2003-5-2 224256]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100212.003\NAVENG.sys [2010-2-12 84912]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100212.003\NAVEX15.sys [2010-2-12 1324720]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2010-02-01 17:45:08 36 ----a-w- c:\program files\skynet.dat
2010-01-20 16:11:56 0 ----a-w- c:\windows\system32\3902.exe
2010-01-20 15:51:56 0 ----a-w- c:\windows\system32\14604.exe
2010-01-20 15:31:56 0 ----a-w- c:\windows\system32\32391.exe
2010-01-20 15:11:56 0 ----a-w- c:\windows\system32\5436.exe
2010-01-20 14:51:56 0 ----a-w- c:\windows\system32\4827.exe
2010-01-20 14:31:56 0 ----a-w- c:\windows\system32\11942.exe
2010-01-20 14:11:56 0 ----a-w- c:\windows\system32\2995.exe
2010-01-20 13:51:56 0 ----a-w- c:\windows\system32\491.exe
2010-01-20 13:31:56 0 ----a-w- c:\windows\system32\9961.exe
2010-01-20 13:11:56 0 ----a-w- c:\windows\system32\16827.exe
2010-01-20 12:51:56 0 ----a-w- c:\windows\system32\23281.exe
2010-01-20 12:31:56 0 ----a-w- c:\windows\system32\28145.exe
2010-01-20 12:11:56 0 ----a-w- c:\windows\system32\5705.exe
2010-01-20 11:51:56 0 ----a-w- c:\windows\system32\24464.exe
2010-01-20 11:31:56 0 ----a-w- c:\windows\system32\26962.exe
2010-01-20 11:11:56 0 ----a-w- c:\windows\system32\29358.exe
2010-01-20 10:51:56 0 ----a-w- c:\windows\system32\11478.exe
2010-01-20 10:31:56 0 ----a-w- c:\windows\system32\15724.exe
2010-01-20 10:11:56 0 ----a-w- c:\windows\system32\19169.exe
2010-01-20 09:51:56 0 ----a-w- c:\windows\system32\26500.exe
2010-01-20 09:31:56 0 ----a-w- c:\windows\system32\6334.exe
2010-01-20 09:11:55 0 ----a-w- c:\windows\system32\18467.exe
2010-01-17 05:52:39 284 ----a-w- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini

==================== Find3M ====================

2010-02-13 00:04:35 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-07 22:07:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-30 06:40:03 271360 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-12-30 06:40:02 18048 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-10 04:54:07 261632 ----a-w- c:\windows\PEV.exe
2001-11-23 12:08:20 712704 ----a-w- c:\windows\inf\other\audio3d.dll
2003-02-28 21:53:01 66936 --sha-w- c:\windows\dlinfo_0.drv

============= FINISH: 21:44:27.48 ===============


Also, Ark.txt and Attach.txt should be attached to this post.

Any help that you can offer would be greatly appreciated. I will check back here often over the next few days and hope to respond to any directions suggested to me as quickly as possible.

Thanks in advance,
Kevin
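
The "Created Last 30" section of the DDS log above is the part a responder reads first: a run of zero-byte executables with random numeric names landing in system32 exactly twenty minutes apart is a downloader on a timer, which matches the poster's observation that new detections appear whenever the box is online. The following script is an added example, not part of the original post and not part of the DDS tool: it parses DDS file rows, flags that cadence, and lists the Hosts entries DDS reports. The sample input is an excerpt copied from the posted log; the "periodic zero-byte numeric .exe" rule, its minimum of three hits and its five-second tolerance are this example's own heuristics, not DDS or vendor signatures.

```python
"""Triage of a DDS log for the drop pattern and Hosts changes seen in the post above.

Added example (not from the original post and not part of the DDS tool). The
sample input is an excerpt copied from the DDS log in the post; the 'periodic
zero-byte numeric .exe' rule and its 5-second tolerance are this example's
own heuristics, not DDS or vendor signatures.
"""
import re
from datetime import datetime, timedelta

# Excerpt of the posted DDS output (the full log lists twenty-odd such .exe rows).
SAMPLE_DDS = """\
============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = 127.0.0.1
Hosts: 127.0.0.1 www.spywareinfo.com

=============== Created Last 30 ================

2010-02-01 17:45:08 36 ----a-w- c:\\program files\\skynet.dat
2010-01-20 16:11:56 0 ----a-w- c:\\windows\\system32\\3902.exe
2010-01-20 15:51:56 0 ----a-w- c:\\windows\\system32\\14604.exe
2010-01-20 15:31:56 0 ----a-w- c:\\windows\\system32\\32391.exe
2010-01-20 15:11:56 0 ----a-w- c:\\windows\\system32\\5436.exe
2010-01-17 05:52:39 284 ----a-w- c:\\windows\\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini

==================== Find3M ====================

2010-02-13 00:04:35 96512 ----a-w- c:\\windows\\system32\\drivers\\atapi.sys
"""

# One DDS file row: timestamp, size in bytes, attribute flags, path.
FILE_ROW = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attr>\S+) (?P<path>.+)$")
NUMERIC_EXE = re.compile(r"\\\d+\.exe$", re.IGNORECASE)


def parse_section(text, header):
    """Return (datetime, size, lowercased path) for every file row in the named section."""
    rows, in_section = [], False
    for line in text.splitlines():
        if line.startswith("="):          # section banner, e.g. '=== Created Last 30 ==='
            in_section = header in line
            continue
        m = FILE_ROW.match(line)
        if in_section and m:
            rows.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                         int(m["size"]), m["path"].lower()))
    return rows


def find_periodic_droppers(rows, tolerance=timedelta(seconds=5)):
    """Zero-byte .exe files with purely numeric names under system32, written on a fixed cadence.

    Returns the paths in creation order, or [] when fewer than three match or the
    intervals between them are not (nearly) constant.
    """
    hits = sorted((ts, path) for ts, size, path in rows
                  if size == 0 and "\\system32\\" in path and NUMERIC_EXE.search(path))
    if len(hits) < 3:
        return []
    gaps = [hits[i + 1][0] - hits[i][0] for i in range(len(hits) - 1)]
    if max(gaps) - min(gaps) > tolerance:
        return []
    return [path for _, path in hits]


def hosts_entries(text):
    """DDS only reports Hosts lines beyond the stock localhost entry, so each one deserves a look."""
    return [line.strip() for line in text.splitlines() if line.startswith("Hosts:")]


def triage(text):
    return {
        "periodic_droppers": find_periodic_droppers(parse_section(text, "Created Last 30")),
        "hosts_entries": hosts_entries(text),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_DDS).items():
        print(key)
        for item in items:
            print("   ", item)
```

The cadence rule deliberately returns nothing when the intervals drift, so ordinary installer clutter in system32 does not trip it; the Hosts list is reported without judgement, since a loopback entry for a security-help site is exactly what the helper will want to see but only they can decide whether the user put it there.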


#2 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,779 posts

Posted 18 February 2010 - 09:26 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
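
The /md5start … /md5stop part of the custom scan above is there so the helper can compare hashes of the live boot-stack drivers (atapi.sys among them) with the cached copies XP keeps; the rootkit family the poster's scanner names patches a driver in place, so a size check alone does not catch it. The script below is an added example, not OTL's code and not from the original thread, showing that comparison in Python. It assumes the stock XP layout (live drivers in %SystemRoot%\system32\drivers, reference copies in %SystemRoot%\system32\dllcache and %SystemRoot%\ServicePackFiles\i386) and, rather than touching a real system, builds a throwaway directory tree with constructed contents in which only atapi.sys has been altered. MD5 is used because that is what OTL reports, not for collision resistance.

```python
"""Hash the boot-critical drivers the OTL /md5start list names and compare each
against Windows XP's own cached copies.

Added example (not OTL's code and not from the original thread). Assumed layout
is the stock XP one: live drivers in %SystemRoot%\\system32\\drivers, reference
copies in %SystemRoot%\\system32\\dllcache and
%SystemRoot%\\ServicePackFiles\\i386. build_demo_tree() creates a constructed
fixture so the check can be run offline.
"""
import hashlib
import tempfile
from pathlib import Path

# Same driver names the helper asked OTL to hash; trimmed for the demo.
DRIVERS = ["atapi.sys", "iaStor.sys", "nvstor.sys", "AGP440.sys", "ahcix86.sys"]
REFERENCE_DIRS = [Path("system32") / "dllcache", Path("ServicePackFiles") / "i386"]


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_drivers(system_root, names=DRIVERS):
    """Return {driver: status}, status being 'match', 'MISMATCH', 'no reference' or 'absent'.

    Caveat: a kernel rootkit that filters reads of the file it infected (the
    TDSS/TDL3 family hooks the disk stack for exactly this) will hand the clean
    bytes back to this function. Run it from a clean boot environment (Recovery
    Console, WinPE, or a Linux live CD over the mounted NTFS volume); a 'match'
    obtained from inside the suspect OS is not evidence of anything.
    """
    root = Path(system_root)
    live_dir = root / "system32" / "drivers"
    results = {}
    for name in names:
        live = live_dir / name
        if not live.is_file():
            results[name] = "absent"
            continue
        refs = [root / d / name for d in REFERENCE_DIRS if (root / d / name).is_file()]
        if not refs:
            results[name] = "no reference"
            continue
        live_hash = md5_of(live)
        results[name] = "match" if all(md5_of(r) == live_hash for r in refs) else "MISMATCH"
    return results


def build_demo_tree():
    """Constructed fixture: a fake %SystemRoot% where only atapi.sys differs from its cached copies."""
    root = Path(tempfile.mkdtemp(prefix="xp_root_"))
    clean = {n: (n + " clean driver image").encode() for n in DRIVERS}
    for d in [Path("system32") / "drivers"] + REFERENCE_DIRS:
        (root / d).mkdir(parents=True, exist_ok=True)
    for name, data in clean.items():
        if name == "ahcix86.sys":
            continue                      # never shipped on this box: exercises 'absent'
        (root / "system32" / "drivers" / name).write_bytes(data)
        if name == "AGP440.sys":
            continue                      # no cached copy: exercises 'no reference'
        for d in REFERENCE_DIRS:
            (root / d / name).write_bytes(data)
    # Simulate an in-place patch: same length, a few bytes changed, so a size check passes.
    live_atapi = root / "system32" / "drivers" / "atapi.sys"
    patched = bytearray(live_atapi.read_bytes())
    patched[:5] = b"XXXXX"
    live_atapi.write_bytes(bytes(patched))
    return root


if __name__ == "__main__":
    for name, status in check_drivers(build_demo_tree()).items():
        print(f"{name:12s} {status}")
```

On a real machine pass the mounted Windows directory (for example the volume root of an offline disk joined with WINDOWS) as system_root; the cached copies are only a reference, not a guarantee, since a rootkit that wrote them itself would defeat the comparison, and a driver with no cached copy still needs checking against a known-good install.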

 



#3 writerdude19

  • Topic Starter
  • Members
  • 11 posts

Posted 18 February 2010 - 01:45 PM

Hello, thank you for responding to my cries for help.
The problem has not been resolved, as I am still getting virus messages stating that the following files:
c:\WINDOWS\System32\Drivers\atapi.sys
c:\WINDOWS\System32\Drivers\atapi.sys.tmp
are still infected with "Backdoor.Tidserv!inf"

They are currently the only files that come up as infected.
Followed your instructions, and here are the results.
Thanks in advance,
writerdude19


Contents of OTL.txt File

OTL logfile created on: 2/18/2010 12:24:49 PM - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\kevin\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): T:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 97.65 Gb Total Space | 22.57 Gb Free Space | 23.11% Space Free | Partition Type: NTFS
Drive D: | 588.65 Gb Total Space | 487.75 Gb Free Space | 82.86% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive T: | 12.33 Gb Total Space | 10.26 Gb Free Space | 83.20% Space Free | Partition Type: NTFS

Computer Name: SHADES
Current User Name: kevin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/02/18 12:20:44 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\kevin\Desktop\OTL.exe
PRC - [2009/07/25 04:23:10 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/03/30 15:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
PRC - [2009/03/30 15:28:36 | 000,183,152 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
PRC - [2008/04/14 05:42:42 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/04 15:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/08/25 11:00:38 | 000,198,336 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
PRC - [2006/03/30 08:15:44 | 000,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe
PRC - [2006/02/21 19:39:16 | 000,405,504 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2005/12/16 12:57:56 | 000,094,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
PRC - [2005/05/02 20:21:46 | 000,032,768 | ---- | M] () -- C:\Program Files\Intel\Intel® Active Monitor\imontray.exe
PRC - [2005/05/02 20:20:06 | 000,106,496 | ---- | M] (Intel Corp.) -- C:\Program Files\Intel\Intel® Active Monitor\imonNT.exe
PRC - [2004/07/27 12:48:04 | 001,388,544 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
PRC - [2004/07/21 15:26:36 | 000,176,241 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
PRC - [2003/07/19 21:10:00 | 000,335,872 | ---- | M] (ATI Technologies, Inc.) -- C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
PRC - [2003/05/21 00:27:46 | 000,610,304 | ---- | M] (Symantec Corporation) -- C:\Program Files\My Installed Programs\Symantec\Rtvscan.exe
PRC - [2003/05/21 00:22:36 | 000,032,768 | ---- | M] (Symantec Corporation) -- C:\Program Files\My Installed Programs\Symantec\DefWatch.exe
PRC - [2003/05/21 00:21:18 | 000,090,112 | ---- | M] (Symantec Corporation) -- C:\Program Files\My Installed Programs\Symantec\VPTray.exe
PRC - [2003/05/21 00:19:50 | 000,233,472 | ---- | M] (Symantec Corporation) -- C:\Program Files\My Installed Programs\Symantec\VPC32.exe
PRC - [2002/12/28 22:40:59 | 000,684,032 | ---- | M] (Roxio) -- C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe
PRC - [2002/09/24 16:39:48 | 000,151,552 | ---- | M] (Iomega Corporation) -- C:\Program Files\Iomega\AutoDisk\ADService.exe
PRC - [2002/09/24 16:39:24 | 000,147,456 | ---- | M] (Iomega Corporation) -- C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
PRC - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
PRC - [2002/09/04 14:11:04 | 000,073,728 | ---- | M] (Iomega Corporation) -- C:\Program Files\Iomega\System32\AppServices.exe
PRC - [2002/08/13 14:30:57 | 000,086,016 | ---- | M] (Iomega) -- C:\Program Files\Iomega\DriveIcons\Imgicon.exe


========== Modules (SafeList) ==========

MOD - [2010/02/18 12:20:44 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\kevin\Desktop\OTL.exe
MOD - [2002/08/06 13:01:54 | 000,286,720 | ---- | M] (Iomega Corporation) -- C:\Program Files\Iomega\DriveIcons\Imghook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (Iomega Activity Disk2)
SRV - [2009/07/25 04:23:10 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/03/30 15:28:36 | 001,533,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2007/01/04 15:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2006/08/25 11:00:38 | 002,528,960 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_1.EXE -- (LiveUpdate)
SRV - [2006/08/25 11:00:38 | 000,198,336 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
SRV - [2006/03/30 08:15:44 | 000,096,341 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2006/02/21 19:39:16 | 000,405,504 | ---- | M] (ATI Technologies Inc.) [Auto | Running] -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2005/05/02 20:20:06 | 000,106,496 | ---- | M] (Intel Corp.) [Auto | Running] -- C:\Program Files\Intel\Intel® Active Monitor\imonNT.exe -- (imonNT) Intel®
SRV - [2004/07/21 15:26:36 | 000,176,241 | ---- | M] (American Power Conversion Corporation) [Auto | Running] -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe -- (APC UPS Service)
SRV - [2003/07/19 21:10:00 | 000,114,688 | ---- | M] () [Auto | Stopped] -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart)
SRV - [2003/05/21 00:27:46 | 000,610,304 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\My Installed Programs\Symantec\Rtvscan.exe -- (Norton AntiVirus Server)
SRV - [2003/05/21 00:22:36 | 000,032,768 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\My Installed Programs\Symantec\DefWatch.exe -- (DefWatch)
SRV - [2002/09/24 16:39:48 | 000,151,552 | ---- | M] (Iomega Corporation) [Auto | Running] -- C:\Program Files\Iomega\AutoDisk\ADService.exe -- (_IOMEGA_ACTIVE_DISK_SERVICE_)
SRV - [2002/09/20 14:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))
SRV - [2002/09/04 14:11:04 | 000,073,728 | ---- | M] (Iomega Corporation) [Auto | Running] -- C:\Program Files\Iomega\System32\AppServices.exe -- (Iomega App Services)


========== Driver Services (SafeList) ==========

DRV - [2010/02/15 03:00:00 | 001,324,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100215.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/02/15 03:00:00 | 000,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100215.002\NAVENG.SYS -- (NAVENG)
DRV - [2009/12/30 00:40:03 | 000,271,360 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\atksgt.sys -- (atksgt)
DRV - [2009/12/30 00:40:02 | 000,018,048 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2008/04/14 05:51:44 | 000,010,624 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gameenum.sys -- (gameenum)
DRV - [2008/04/13 22:09:16 | 000,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/13 12:36:38 | 000,020,352 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hidbatt.sys -- (HidBatt)
DRV - [2008/04/02 08:14:06 | 000,015,472 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\My Installed Programs\Nexon\MapleStory\npkcusb.sys -- (npkcusb)
DRV - [2006/10/24 09:28:48 | 000,170,392 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1000325.sys -- (E1000) Intel®
DRV - [2006/09/18 16:55:28 | 000,109,744 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2006/02/21 19:46:26 | 001,505,792 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/05/02 20:16:18 | 000,007,424 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\SIODRV.SYS -- (SIODRV)
DRV - [2005/05/02 20:15:50 | 000,036,484 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SMBios.sys -- (SMBios) Intel ®
DRV - [2004/10/07 19:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/09/01 11:18:40 | 000,259,648 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2004/08/28 12:54:38 | 000,033,995 | ---- | M] (Sonic Focus, Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\sf.sys -- (sf)
DRV - [2004/05/17 10:23:48 | 000,133,200 | ---- | M] (Andrea Electronics Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio)
DRV - [2004/04/26 09:49:56 | 000,381,056 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2003/10/28 04:02:00 | 000,020,016 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\PxHelp20.sys -- (PxHelp20)
DRV - [2003/07/18 09:58:20 | 000,036,992 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\SISAGPX.sys -- (sisagp)
DRV - [2003/05/02 20:08:22 | 000,030,208 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\Program Files\My Installed Programs\Symantec\Navapel.sys -- (NAVAPEL)
DRV - [2003/05/02 20:08:18 | 000,224,256 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\My Installed Programs\Symantec\Navap.sys -- (NAVAP)
DRV - [2002/12/28 22:41:01 | 000,240,640 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\cdudf_xp.sys -- (cdudf_XP)
DRV - [2002/12/28 22:41:01 | 000,206,464 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\udfreadr_xp.sys -- (UdfReadr_xp)
DRV - [2002/12/28 22:41:01 | 000,134,426 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\pwd_2K.sys -- (Pwd_2k)
DRV - [2002/12/28 22:41:01 | 000,030,406 | ---- | M] (Roxio) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Mmc_2k.sys -- (mmc_2K)
DRV - [2002/12/28 22:41:01 | 000,025,674 | ---- | M] (Roxio) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Dvd_2k.sys -- (dvd_2K)
DRV - [2002/12/28 22:40:58 | 000,061,424 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2002/12/28 22:40:58 | 000,023,420 | ---- | M] (Roxio) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2002/11/18 15:51:40 | 000,377,358 | ---- | M] (C-Media Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\cmaudio.sys -- (cmpci) C-Media PCI Audio Driver (WDM)
DRV - [2002/10/23 08:05:06 | 000,021,963 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smb.sys -- (smbusp) Intel®
DRV - [2002/09/20 10:53:34 | 000,235,100 | ---- | M] (Analog Devices Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MidiSyn.sys -- (MidiSyn)
DRV - [2002/09/04 14:11:08 | 000,030,258 | ---- | M] (Iomega Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\iomdisk.sys -- (iomdisk)
DRV - [2001/08/23 06:00:00 | 000,017,792 | ---- | M] (Parallel Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2001/08/17 06:12:10 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B) Intel®
DRV - [1997/04/22 10:16:00 | 000,006,272 | ---- | M] () [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ASLM75.SYS -- (aslm75)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://rd.yahoo.com/customize/ymsgr/defaul...rch/search.html


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-299502267-746137067-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-299502267-746137067-839522115-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-299502267-746137067-839522115-1003\S-1-5-21-299502267-746137067-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-299502267-746137067-839522115-1003\S-1-5-21-299502267-746137067-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Yahoo Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..keyword.URL: "http://search.freecause.com/search?fr=freecause&ourmark=3&type=58819&ei=utf-8&yahoo_domain=search.yahoo.com&p="

FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.12\extensions\\Components: C:\Program Files\My Installed Programs\components
FF - HKLM\software\mozilla\Mozilla Firefox 2.0.0.12\extensions\\Plugins: C:\Program Files\My Installed Programs\plugins [2009/11/19 14:04:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Components: C:\Program Files\My Installed Programs\Mozilla Firefox\components [2010/01/12 22:46:54 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.7\extensions\\Plugins: C:\Program Files\My Installed Programs\Mozilla Firefox\plugins [2010/01/12 22:46:54 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape 7.01\Extensions\\Components: C:\Program Files\Netscape\Netscape\Components [2009/03/09 15:14:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape 7.01\Extensions\\Plugins: C:\Program Files\Netscape\Netscape\Plugins [2009/11/19 14:04:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape 7.1\Extensions\\Components: C:\Program Files\Netscape\Netscape\Components [2009/03/09 15:14:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape 7.1\Extensions\\Plugins: C:\Program Files\Netscape\Netscape\Plugins [2009/11/19 14:04:25 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.0.4.0\Extensions\\Components: C:\Program Files\Netscape\Components [2008/06/21 03:37:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.0.4.0\Extensions\\Plugins: C:\Program Files\Netscape\Plugins [2009/11/19 14:04:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.1.0.0\Extensions\\Components: C:\Program Files\Netscape\Components [2008/06/21 03:37:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.1.0.0\Extensions\\Plugins: C:\Program Files\Netscape\Plugins [2009/11/19 14:04:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.1.2.0\Extensions\\Components: C:\Program Files\Netscape\Netscape Browser\Components [2008/06/21 03:37:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.1.2.0\Extensions\\Plugins: C:\Program Files\Netscape\Netscape Browser\Plugins [2009/11/19 14:04:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.1.3.0\Extensions\\Components: C:\Program Files\Netscape\Netscape Browser\Components [2008/06/21 03:37:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Netscape Browser 8.1.3.0\Extensions\\Plugins: C:\Program Files\Netscape\Netscape Browser\Plugins [2009/11/19 14:04:26 | 000,000,000 | ---D | M]

[2008/08/26 19:55:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\kevin\Application Data\Mozilla\Extensions
[2010/02/05 11:16:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\kevin\Application Data\Mozilla\Firefox\Profiles\y4o4m8ei.default\extensions
[2009/03/16 00:55:27 | 000,000,000 | ---D | M] (MouseHunt Toolbar) -- C:\Documents and Settings\kevin\Application Data\Mozilla\Firefox\Profiles\y4o4m8ei.default\extensions\{916ab64c-bc3e-471b-8e60-29551922a7ba}
[2009/03/16 00:55:33 | 000,000,655 | ---- | M] () -- C:\Documents and Settings\kevin\Application Data\Mozilla\Firefox\Profiles\y4o4m8ei.default\searchplugins\yahoo-search.xml
[2009/11/02 01:48:22 | 000,000,872 | ---- | M] () -- C:\Documents and Settings\kevin\Application Data\Mozilla\Firefox\Profiles\y4o4m8ei.default\searchplugins\yahoo.gif
[2009/11/02 01:48:22 | 000,000,466 | ---- | M] () -- C:\Documents and Settings\kevin\Application Data\Mozilla\Firefox\Profiles\y4o4m8ei.default\searchplugins\yahoo.src
[2009/11/02 01:48:20 | 000,001,775 | ---- | M] () -- C:\Documents and Settings\kevin\Application Data\Mozilla\Firefox\Profiles\y4o4m8ei.default\searchplugins\yahoo.xml

O1 HOSTS File: ([2010/02/12 18:16:46 | 000,377,740 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 13042 more lines...
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKU\S-1-5-21-299502267-746137067-839522115-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-299502267-746137067-839522115-1003\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-299502267-746137067-839522115-1003\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe (Roxio)
O4 - HKLM..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe (Iomega Corporation)
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe (Iomega)
O4 - HKLM..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\imekrmig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [IMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe ()
O4 - HKLM..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\Imgicon.exe (Iomega)
O4 - HKLM..\Run: [MsgCenterExe] C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\My Installed Programs\Quicktime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe (Hewlett-Packard)
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe (Silicon Integrated Systems Corp.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [vptray] C:\Program Files\My Installed Programs\Symantec\VPTray.exe (Symantec Corporation)
O4 - HKU\S-1-5-21-299502267-746137067-839522115-1003..\Run: [AIM] C:\Program Files\My Installed Programs\AOL IM\aim.exe -cnetwait.odl File not found
O4 - HKU\S-1-5-21-299502267-746137067-839522115-1003..\Run: [ATI Launchpad] C:\Program Files\ATI Multimedia\main\launchpd.exe (ATI Technologies Inc.)
O4 - HKU\S-1-5-21-299502267-746137067-839522115-1003..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe (Nero AG)
O4 - HKU\S-1-5-21-299502267-746137067-839522115-1003..\Run: [ShockmachineReminder] C:\Program Files\Shockwave\Shockmachine\SmReminder.exe (shockwave.com, Inc.)
O4 - HKU\S-1-5-21-299502267-746137067-839522115-1003..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\acrotray.exe (Adobe Systems Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe (American Power Conversion Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-299502267-746137067-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-299502267-746137067-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-299502267-746137067-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-299502267-746137067-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-299502267-746137067-839522115-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL (ATI Technologies Inc.)
O9 - Extra Button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll File not found
O9 - Extra 'Tools' menuitem : Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll File not found
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\My Installed Programs\AOL IM\aim.exe (America Online, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O12 - Plugin for: .swf - C:\Program Files\Netscape\COMMUNICATOR\Program\Plugins\NPSWF32.dll ()
O15 - HKLM\..Trusted Domains: 66 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 66 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 66 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-19\..Trusted Domains: 33 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-20\..Trusted Domains: 33 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-299502267-746137067-839522115-1003\..Trusted Domains: tvguide.com ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-299502267-746137067-839522115-1003\..Trusted Domains: 67 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {00000075-0000-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/voxmsdec.CAB (Reg Error: Key error.)
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/voxacm.CAB (Reg Error: Key error.)
O16 - DPF: {00000161-0000-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/msaudio.cab (Reg Error: Key error.)
O16 - DPF: {33363249-0000-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/i263_32.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/...7618.6689930556 (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\kevin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\kevin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/12/28 12:53:25 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/10/30 17:10:57 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

MsConfig - State: "system.ini" - 0
MsConfig - State: "win.ini" - 0
MsConfig - State: "bootini" - 0
MsConfig - State: "services" - 0
MsConfig - State: "startup" - 0

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: rootrepeal.sys - File not found
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {0291E591-EA41-4c82-8106-3DC6CE7F7664} - Reg Error: Value error.
ActiveX: {032A6019-9DAA-40f9-A3B3-34ABB0AA0947} - Q813951
ActiveX: {03F998B2-0E00-11D3-A498-00104B6EB52E} - Viewpoint Media Player
ActiveX: {057997dd-71e4-43cc-b161-3f8180691a9e} - Q824145
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Microsoft VM
ActiveX: {0E9A3196-39EA-409D-8EB4-20D7FABC191A} - Microsoft .NET Framework 1.0 Hotfix (KB928367)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Vector Graphics Rendering (VML)
ActiveX: {14303301-758B-402B-9A0D-2C6A591680DB} - Microsoft .NET Framework 1.0 Service Pack 3 (KB867461)
ActiveX: {166B1BCA-3F9C-11CF-8075-444553540000} - Macromedia Shockwave Director 10.1
ActiveX: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - Viewpoint Media Player
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {2757B1D6-0367-4663-877C-93ECC5C01BF6} - Q324929
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2A202491-F00D-11cf-87CC-0020AFEECF20} - Macromedia Shockwave Director 10.1
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {2cc9d512-6db6-4f1c-8979-9a41fae88de0} - Q837009
ActiveX: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - Reg Error: Value error.
ActiveX: {347B0667-C7ED-429B-BDE3-CC8D3BACAA31} - Reg Error: Value error.
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Dynamic HTML Data Binding for Java
ActiveX: {377483c2-e4b4-4ee8-b577-9aed264c8735} - Q822925
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {411EDCF7-755D-414E-A74B-3DCD6583F589} - Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Advanced Authoring
ActiveX: {429D8DD3-05E0-4F56-B6D6-AC0730567C02} - Euro Update Tool
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015C} - Microsoft DirectX
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - DirectAnimation Java Classes
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {78705f0d-e8db-4b2d-8193-982bdda15ecd} - .NET Framework
ActiveX: {795d0712-722c-43ec-906a-fc5e678eada9} - Q831167
ActiveX: {81B52903-4C11-11D6-B6E1-00B0D049139F} - Microsoft .NET Framework 1.0 Service Pack 2 (KB867461)
ActiveX: {871F8A30-15A2-11D6-8711-0002B3281F8B} - Microsoft .NET Framework 1.0 Service Pack 1 (KB867461)
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {96543d59-497a-4801-a1f3-5936aacaf7b1} - Q828750
ActiveX: {abcdf74f-9a64-4e6e-b8eb-6e5a41de6550} -
ActiveX: {ACC563BC-4266-43f0-B6ED-9D38C4202C7E} -
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C34F4917-ED43-439f-9023-97B0024A2B3B} - Q810847
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} - .NET Framework
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Task Scheduler
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Macromedia Shockwave Flash
ActiveX: {DAA94A2A-2A8D-4D3B-9DB8-56FBECED082D} - Microsoft .NET Framework 1.1 Security Update (KB953297)
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - Reg Error: Value error.
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {eddbec60-89cb-44ef-8291-0850fd28ff6a} - Q832894
ActiveX: {EF289A85-8E57-408d-BE47-73B55609861A} - RootsUpdate
ActiveX: {F5776D81-AE53-4935-8E84-B0B283D8BCEF} - Q330994
ActiveX: {f5de1b93-9d38-416b-b09e-aa85a8e84309} - Q818529
ActiveX: {F9C174E3-3E87-40bc-AA94-B8974F2B9222} - Q813489
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
ActiveX: Microsoft Base Smart Card Crypto Provider Package -

Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: msacm.voxacm160 - C:\WINDOWS\System32\vct3216.acm (Voxware, Inc.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.DIVX - C:\WINDOWS\System32\DivX.dll (DivXNetworks)
Drivers32: VIDC.DRAW - DVIDEO.DLL File not found
Drivers32: VIDC.I263 - C:\WINDOWS\System32\i263_32.drv (Intel Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.VCR1 - ATIVCR1.DLL File not found
Drivers32: VIDC.VCR2 - ATIVCR2.DLL File not found
Drivers32: vidc.yuy2 - ATIVYUY.DLL File not found
Drivers32: VIDC.YV12 - C:\WINDOWS\System32\DivX.dll (DivXNetworks)
Drivers32: vidc.yvu9 - C:\WINDOWS\System32\Iyvu9_32.dll ()

========== Files/Folders - Created Within 30 Days ==========

[2010/02/18 12:23:16 | 000,549,376 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\kevin\Desktop\OTL.exe
[2009/12/09 11:20:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/10/31 17:42:57 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/10/31 17:42:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2005/08/07 13:36:54 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2002/12/28 13:03:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[23 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/02/18 12:20:44 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\kevin\Desktop\OTL.exe
[2010/02/17 20:55:32 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/02/17 20:55:19 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/02/17 20:55:16 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/02/17 20:55:13 | 2146,222,080 | -HS- | M] () -- C:\hiberfil.sys
[2010/02/17 16:48:41 | 014,680,064 | -H-- | M] () -- C:\Documents and Settings\kevin\NTUSER.DAT
[2010/02/17 16:48:41 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\kevin\ntuser.ini
[2010/02/17 14:35:50 | 001,709,408 | ---- | M] () -- C:\Documents and Settings\kevin\Desktop\taskmanager17.exe
[2010/02/15 16:53:00 | 000,158,208 | ---- | M] () -- C:\Documents and Settings\kevin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/14 02:42:04 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/02/12 21:32:44 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\kevin\Desktop\gmer.zip
[2010/02/12 21:31:58 | 000,524,288 | ---- | M] () -- C:\Documents and Settings\kevin\Desktop\dds.scr
[2010/02/12 21:31:02 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\kevin\Desktop\Defogger.exe
[2010/02/12 18:16:46 | 000,377,740 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/02/04 08:30:41 | 000,377,780 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100212-181646.backup
[2010/02/03 11:20:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/02/03 03:34:22 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/02/01 11:45:08 | 000,000,036 | ---- | M] () -- C:\Program Files\skynet.dat
[2010/01/28 19:37:56 | 000,377,048 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100204-083041.backup
[2010/01/28 15:55:29 | 000,121,856 | ---- | M] () -- C:\Documents and Settings\kevin\Desktop\RPG SS Round 2 Entries.doc
[2010/01/26 16:15:18 | 000,115,200 | ---- | M] () -- C:\Documents and Settings\kevin\Desktop\RPG SS Round 1 Entries.doc
[2010/01/25 23:58:50 | 000,372,880 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100128-193756.backup
[2010/01/20 18:02:49 | 000,372,880 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100125-235849.backup
[2010/01/20 10:11:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\3902.exe
[2010/01/20 09:51:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\14604.exe
[2010/01/20 09:31:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\32391.exe
[2010/01/20 09:11:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\5436.exe
[2010/01/20 08:51:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\4827.exe
[2010/01/20 08:31:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\11942.exe
[2010/01/20 08:11:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\2995.exe
[2010/01/20 07:51:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\491.exe
[2010/01/20 07:31:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\9961.exe
[2010/01/20 07:11:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\16827.exe
[2010/01/20 06:51:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\23281.exe
[2010/01/20 06:31:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\28145.exe
[2010/01/20 06:11:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\5705.exe
[2010/01/20 05:51:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\24464.exe
[2010/01/20 05:31:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\26962.exe
[2010/01/20 05:11:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\29358.exe
[2010/01/20 04:51:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\11478.exe
[2010/01/20 04:31:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\15724.exe
[2010/01/20 04:11:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\19169.exe
[2010/01/20 03:51:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\26500.exe
[2010/01/20 03:31:56 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\6334.exe
[2010/01/20 03:11:55 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\18467.exe
[23 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/02/17 14:38:59 | 001,709,408 | ---- | C] () -- C:\Documents and Settings\kevin\Desktop\taskmanager17.exe
[2010/02/12 21:45:28 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\kevin\Desktop\gmer.exe
[2010/02/12 21:40:46 | 000,524,288 | ---- | C] () -- C:\Documents and Settings\kevin\Desktop\dds.scr
[2010/02/12 21:40:46 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\kevin\Desktop\gmer.zip
[2010/02/12 21:40:46 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\kevin\Desktop\Defogger.exe
[2010/02/04 08:24:31 | 2146,222,080 | -HS- | C] () -- C:\hiberfil.sys
[2010/02/01 11:45:08 | 000,000,036 | ---- | C] () -- C:\Program Files\skynet.dat
[2010/01/26 16:16:21 | 000,121,856 | ---- | C] () -- C:\Documents and Settings\kevin\Desktop\RPG SS Round 2 Entries.doc
[2010/01/26 16:16:02 | 000,115,200 | ---- | C] () -- C:\Documents and Settings\kevin\Desktop\RPG SS Round 1 Entries.doc
[2010/01/20 10:11:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\3902.exe
[2010/01/20 09:51:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\14604.exe
[2010/01/20 09:31:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\32391.exe
[2010/01/20 09:11:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\5436.exe
[2010/01/20 08:51:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\4827.exe
[2010/01/20 08:31:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\11942.exe
[2010/01/20 08:11:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\2995.exe
[2010/01/20 07:51:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\491.exe
[2010/01/20 07:31:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\9961.exe
[2010/01/20 07:11:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\16827.exe
[2010/01/20 06:51:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\23281.exe
[2010/01/20 06:31:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\28145.exe
[2010/01/20 06:11:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\5705.exe
[2010/01/20 05:51:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\24464.exe
[2010/01/20 05:31:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\26962.exe
[2010/01/20 05:11:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\29358.exe
[2010/01/20 04:51:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\11478.exe
[2010/01/20 04:31:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\15724.exe
[2010/01/20 04:11:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\19169.exe
[2010/01/20 03:51:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\26500.exe
[2010/01/20 03:31:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\6334.exe
[2010/01/20 03:11:55 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\18467.exe
[2010/01/16 23:52:39 | 000,000,284 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/12/30 00:40:03 | 000,271,360 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2009/12/30 00:40:02 | 000,018,048 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/03/15 07:26:11 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2008/04/13 23:42:04 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2008/04/02 19:41:55 | 000,000,029 | ---- | C] () -- C:\WINDOWS\atid.ini
[2007/09/27 09:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 09:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 09:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/02/11 10:45:20 | 000,000,005 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DirectCDUserNameG.txt
[2006/09/28 14:55:34 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\PhysXLoader.dll
[2006/09/26 14:01:40 | 000,045,056 | R--- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2006/09/08 09:01:50 | 000,045,056 | R--- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2006/09/08 09:01:50 | 000,045,056 | R--- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2006/09/08 09:01:50 | 000,045,056 | R--- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2006/09/08 09:01:50 | 000,045,056 | R--- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2006/09/08 09:01:50 | 000,045,056 | R--- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2006/09/08 09:01:50 | 000,045,056 | R--- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2006/09/08 09:01:50 | 000,045,056 | R--- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2006/09/08 09:01:50 | 000,045,056 | R--- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2006/01/22 00:25:17 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2005/07/24 12:09:37 | 000,000,128 | ---- | C] () -- C:\WINDOWS\civ.ini
[2005/05/22 17:56:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2005/04/30 00:24:23 | 000,000,067 | ---- | C] () -- C:\WINDOWS\#1 Video Converter.INI
[2005/04/27 22:22:38 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/04/27 22:22:34 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/04/27 22:22:34 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2003/12/19 17:36:20 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2003/12/19 17:36:12 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\adistres.dll
[2003/11/26 20:55:14 | 000,000,086 | ---- | C] () -- C:\WINDOWS\System32\dlh0st.dll
[2003/11/24 23:30:15 | 000,032,768 | ---- | C] () -- C:\WINDOWS\SIS_LIB.DLL
[2003/10/05 18:47:35 | 000,012,288 | ---- | C] () -- C:\WINDOWS\impborl.dll
[2003/07/20 11:11:07 | 000,000,275 | ---- | C] () -- C:\WINDOWS\hpqcopy.INI
[2003/06/08 15:12:19 | 000,000,035 | ---- | C] () -- C:\WINDOWS\A4W.INI
[2003/06/08 13:30:51 | 000,071,168 | ---- | C] () -- C:\WINDOWS\System32\Agent.dll
[2003/05/26 00:50:50 | 000,123,410 | ---- | C] () -- C:\WINDOWS\msview.ini
[2003/03/28 14:31:52 | 000,013,601 | ---- | C] () -- C:\WINDOWS\System32\vctest.ini
[2003/03/20 14:10:18 | 000,000,420 | ---- | C] () -- C:\WINDOWS\Sentry.ini
[2003/03/15 09:34:50 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\kevin\Application Data\dm.ini
[2003/02/28 15:53:01 | 000,066,936 | -HS- | C] () -- C:\WINDOWS\dlinfo_0.drv
[2003/02/27 16:23:08 | 000,051,942 | ---- | C] () -- C:\WINDOWS\name_gender.ini
[2003/02/27 16:23:08 | 000,000,212 | ---- | C] () -- C:\WINDOWS\states.ini
[2003/02/27 16:23:08 | 000,000,069 | ---- | C] () -- C:\WINDOWS\zip_var.ini
[2003/02/27 16:23:08 | 000,000,034 | ---- | C] () -- C:\WINDOWS\phone_var.ini
[2003/02/27 16:23:07 | 000,000,058 | ---- | C] () -- C:\WINDOWS\birth_var.ini
[2003/02/27 16:23:07 | 000,000,037 | ---- | C] () -- C:\WINDOWS\name_var.ini
[2003/02/27 16:23:07 | 000,000,016 | ---- | C] () -- C:\WINDOWS\addr_var.ini
[2003/02/27 16:23:07 | 000,000,011 | ---- | C] () -- C:\WINDOWS\city_var.ini
[2003/01/08 13:21:18 | 000,007,990 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2003/01/06 14:11:56 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2003/01/06 14:11:56 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2003/01/06 14:11:56 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2003/01/02 03:49:44 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2002/12/30 22:36:06 | 000,158,208 | ---- | C] () -- C:\Documents and Settings\kevin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2002/12/30 16:34:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\netscape.INI
[2002/12/30 16:12:38 | 000,001,125 | ---- | C] () -- C:\WINDOWS\Winamp.ini
[2002/12/30 16:12:15 | 000,000,041 | ---- | C] () -- C:\WINDOWS\winampa.ini
[2002/12/30 01:21:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ATIMMC.INI
[2002/12/28 22:36:48 | 000,000,422 | ---- | C] () -- C:\WINDOWS\videoimp.ini
[2002/12/28 22:09:39 | 000,000,010 | ---- | C] () -- C:\WINDOWS\WinInit.ini.backup
[2002/12/28 21:14:02 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2002/12/28 20:29:11 | 000,000,303 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2002/12/28 20:07:48 | 000,066,560 | ---- | C] () -- C:\WINDOWS\System32\atiyuv12.dll
[2002/12/28 20:07:48 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
[2002/12/28 20:07:16 | 000,009,136 | ---- | C] () -- C:\WINDOWS\System32\INETWH16.DLL
[2002/12/28 19:23:09 | 000,006,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASLM75.SYS
[2002/12/28 19:21:31 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2002/12/28 19:21:26 | 000,004,333 | ---- | C] () -- C:\WINDOWS\mixerdef.ini
[2002/12/28 19:20:46 | 000,015,620 | ---- | C] () -- C:\WINDOWS\cmaudio.ini
[2002/12/28 19:20:41 | 000,000,411 | ---- | C] () -- C:\WINDOWS\CMISETUP.INI
[2002/12/28 19:20:41 | 000,000,026 | ---- | C] () -- C:\WINDOWS\CMCDPLAY.INI
[2002/12/28 19:16:18 | 000,002,798 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[1998/10/10 23:07:38 | 000,088,576 | ---- | C] () -- C:\WINDOWS\System32\Iticheck.dll

========== Custom Scans ==========


< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >


< MD5 for: AGP440.SYS >
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 12:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/14 05:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2010/01/03 05:10:19 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2010/02/15 20:06:38 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2008/04/14 00:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
[2008/04/13 23:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 05:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/14 05:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/14 05:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 05:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/14 05:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/14 05:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/14 05:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/14 05:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/14 05:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 16 bytes -> C:\Documents and Settings\kevin\My Documents\Downloads:Shareaza.GUID
< End of report >


Contents of Extras.txt File

OTL Extras logfile created on: 2/18/2010 12:24:49 PM - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\kevin\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 70.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): T:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 97.65 Gb Total Space | 22.57 Gb Free Space | 23.11% Space Free | Partition Type: NTFS
Drive D: | 588.65 Gb Total Space | 487.75 Gb Free Space | 82.86% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive T: | 12.33 Gb Total Space | 10.26 Gb Free Space | 83.20% Space Free | Partition Type: NTFS

Computer Name: SHADES
Current User Name: kevin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-299502267-746137067-839522115-1003\SOFTWARE\Classes\<extension>]
.bat [@ = batfile] -- Reg Error: Key error. File not found
.com [@ = ComFile] -- Reg Error: Key error. File not found
.exe [@ = exefile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\program files\microsoft office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\program files\microsoft office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\My Installed Programs\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\My Installed Programs\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\instant messenger\aim.exe" = C:\Program Files\instant messenger\aim.exe:*:Enabled:AOL Instant Messenger -- File not found
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Yahoo!\Messenger\YServer.exe" = C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server -- (Yahoo! Inc.)
"C:\Program Files\Canon\CSCLIB\CDPROCMN.exe" = C:\Program Files\Canon\CSCLIB\CDPROCMN.exe:*:Enabled:Canon Digital Camera SDK main server EXE -- (Canon Inc.)
"C:\Program Files\Canon\CSCLIB\CDPROC.exe" = C:\Program Files\Canon\CSCLIB\CDPROC.exe:*:Enabled:Canon Digital Camera SDK CDPROC EXE -- (Canon Inc.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- (AOL LLC)
"C:\Program Files\My Installed Programs\MSN Messenger\msnmsgr.exe" = C:\Program Files\My Installed Programs\MSN Messenger\msnmsgr.exe:*:Enabled:Messenger -- (Microsoft Corporation)
"C:\Program Files\My Installed Programs\AOL IM\aim.exe" = C:\Program Files\My Installed Programs\AOL IM\aim.exe:*:Enabled:AOL Instant Messenger -- (America Online, Inc.)
"C:\Program Files\Flagship Studios\Hellgate London\Launcher.exe" = C:\Program Files\Flagship Studios\Hellgate London\Launcher.exe:*:Enabled:Hellgate: London -- (Flagship Studios)
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- (AOL LLC)
"C:\Program Files\My Installed Programs\Shareaza\Shareaza.exe" = C:\Program Files\My Installed Programs\Shareaza\Shareaza.exe:*:Enabled:Shareaza Ultimate File Sharing -- (Shareaza Development Team)
"C:\Program Files\My Installed Programs\World of Warcraft\Launcher.exe" = C:\Program Files\My Installed Programs\World of Warcraft\Launcher.exe:*:Enabled:Blizzard Launcher -- (Blizzard Entertainment)
"C:\Program Files\My Installed Programs\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe" = C:\Program Files\My Installed Programs\World of Warcraft\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- File not found
"C:\Program Files\My Installed Programs\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe" = C:\Program Files\My Installed Programs\World of Warcraft\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- File not found
"C:\Program Files\My Installed Programs\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe" = C:\Program Files\My Installed Programs\World of Warcraft\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- File not found
"C:\Program Files\My Installed Programs\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe" = C:\Program Files\My Installed Programs\World of Warcraft\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- File not found
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\My Installed Programs\Ventrilo\Ventrilo.exe" = C:\Program Files\My Installed Programs\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- (Flagship Industries, Inc.)
"C:\Program Files\My Installed Programs\World of Warcraft\WoW-3.2.0-enUS-downloader.exe" = C:\Program Files\My Installed Programs\World of Warcraft\WoW-3.2.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader -- (Blizzard Entertainment)
"C:\Program Files\Netscape\Netscape\Netscp.exe" = C:\Program Files\Netscape\Netscape\Netscp.exe:*:Enabled:Netscape -- (Mozilla, Netscape)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{083F79E4-6FE9-46FB-A6C6-4F8862742947}" = ATI HYDRAVISION
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}" = OpenOffice.org Installer 1.0
"{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}" = Symantec AntiVirus Client
"{10A44844-4465-456E-8C97-80BDD4F68845}" = Windows Live ID Sign-in Assistant
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 15
"{2E861EC9-FCB8-11D3-939A-00A0C9BA5A55}" = Intel® Active Monitor
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}" = HydraVision
"{438D221C-5B5B-4E4B-B7BD-A86512E5B6C1}" = DAO
"{43DCF766-6838-4F9A-8C91-D92DA586DFA7}" = Microsoft Windows Journal Viewer
"{45D228AA-4284-467A-9DB6-942B92BFF656}" = DVDDec
"{5A0C892E-FD1C-4203-941E-0956AED20A6A}" = APC PowerChute Personal Edition
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7104189A-C592-4A56-AC9E-7C0CA135DA3C}" = AGEIA PhysX v6.10.25
"{7585478E9D9B42108671C12F8714CEFE}" = DivX Converter
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{7CF31609-270B-11D6-9445-000102308676}" = Java 2 Runtime Environment, SE v1.4.0_01
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{8851E12C-0EF9-11D4-A788-009027ABA5D0}" = Easy CD Creator 5 Platinum
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8ECBE643-8230-11D5-9D6B-00A024112F81}" = VDMSound 2.0.4
"{90170409-6000-11D3-8CFE-0050048383C9}" = Microsoft FrontPage 2002
"{90300409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Media Content
"{91110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9B40FEE5-85E8-4851-89AD-66E2A1B4DC04}" = MapleStory
"{9E478F3F-7A7B-42C5-BE9C-40FC0E07665F}" = The Awakened
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A2B4455D-1046-4732-BFBC-0821BEFC07BC}" = Hellgate: London
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}" = Microsoft Office Live Add-in 1.4
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English)
"{B7DC0CAF-0D27-4ACE-8E34-8594C8D7C1DB}" = MMC86
"{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}" = Canon PhotoRecord
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}" = DAO
"{C93369CB-B4E9-E095-9289-E6B5AE941033}" = Nero 7 Demo
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E957696E-6D13-4B92-AF02-2073D7D522B4}" = ATI Multimedia Center 7.8.0.0
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{EF729AE1-4AE9-402A-AF64-5C5A8150F549}" = HP Photo and Imaging 1.2 - Scanjet 4570c Series
"{EFCE5837-FC21-11D6-9D24-00010240CE95}" = Java 2 Runtime Environment, SE v1.4.1_02
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"Abandon Loader" = Abandon Loader 0.8c
"Active Disk" = Active Disk
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AdobeESD" = Adobe Download Manager (Remove Only)
"Age of Empires 2.0" = Microsoft Age of Empires II
"Age of Empires II: The Conquerors Expansion 1.0" = Microsoft Age of Empires II: The Conquerors Expansion
"AIM_6" = AIM 6
"AOL Instant Messenger" = AOL Instant Messenger
"ATI Display Driver" = ATI Display Driver
"Battle.net" = Battle.net
"Cablenut" = Cablenut 4.08
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"CameraWindowMC" = Canon Camera Window MC 6 for ZoomBrowser EX
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"CobBackup8" = Cobian Backup 8
"Corel Applications" = Corel Applications
"CSCLIB" = Canon Camera Support Core Library
"Diablo" = Diablo
"Diablo II" = Diablo II
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Shrink_is1" = DVD Shrink 3.2
"DXTXTRA" = Microsoft DirectX Transform optional components
"EOS Utility" = Canon Utilities EOS Utility
"HaaliMkx" = Haali Media Splitter
"hp instant support" = hp instant support
"http://www.tinklebell.jp/applictions/ppexe/appid/1_is1" = 月明りのラズベリィ `つん★デれU`1.00
"ie8" = Windows Internet Explorer 8
"InstallShield_{438D221C-5B5B-4E4B-B7BD-A86512E5B6C1}" = DAO
"InstallShield_{45D228AA-4284-467A-9DB6-942B92BFF656}" = ATI DVD Decoder 2.2.0.0
"InstallShield_{B7DC0CAF-0D27-4ACE-8E34-8594C8D7C1DB}" = ATI Multimedia Center 8.6.0.0
"InstallShield_{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}" = DAO
"InterActual Player" = InterActual Player
"IomegaWare" = IomegaWare 4.0.2
"Java Web Start" = Java Web Start
"JRE 1.3.1_02" = Java 2 Runtime Environment Standard Edition v1.3.1_02
"KainUninstallKey" = Legacy of Kain
"LiveReg" = LiveReg (Symantec Corporation)
"LiveUpdate" = LiveUpdate 3.1 (Symantec Corporation)
"LucasArts' Curse of Monkey Island" = LucasArts' Curse of Monkey Island
"LucasArts' Monkey 4" = LucasArts' Monkey 4
"Macromedia Shockwave Player" = Macromedia Shockwave Player
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Matroska Pack" = Matroska Pack
"MatroskaProp" = MatroskaProp (remove only)
"MediaMonkey_is1" = MediaMonkey 3.0
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework Full v1.0.3705 (1033)" = Microsoft .NET Framework (English) v1.0.3705
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.5.7)" = Mozilla Firefox (3.5.7)
"Mp3 Codec" = Mpeg Layer3 Codec FHG-Radium v1.263
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MSPUB5" = Microsoft Publisher 98
"NetBench 7.0.3 Client" = NetBench 7.0.3 Client
"Netscape (7.1)" = Netscape (7.1)
"Netscape Browser" = Netscape Browser (remove only)
"Netscape Communicator 4.79" = Netscape Communicator 4.79
"PCFriendly" = PCFriendly
"PCI Audio Driver" = PCI Audio Driver
"PhotoStitch" = Canon Utilities PhotoStitch
"PROSet" = Intel® PRO Network Connections Drivers
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RealPlayer 6.0" = RealPlayer
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"Security Task Manager" = Security Task Manager 1.7h
"Shareaza_is1" = Shareaza 2.4.0.0
"Shockmachine" = Shockmachine
"TuneXP_1.5" = TuneXP 1.5
"ViewpointMediaPlayer" = Viewpoint Media Player
"VivoActive PowerPlayer" = VivoActive PowerPlayer
"VLC media player" = VLC media player 1.0.3
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"World of Warcraft" = World of Warcraft
"XNote Stopwatch" = XNote Stopwatch 1.40
"Yahoo! Messenger" = Yahoo! Messenger
"Yahoo! Messenger Explorer Bar" = Yahoo! Messenger Explorer Bar
"YInstHelper" = Yahoo! Install Manager
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/14/2010 05:34:35 AM | Computer Name = SHADES | Source = Userenv | ID = 1090
Description = Windows couldn't log the RSoP (Resultant Set of Policies) session
status. An attempt to connect to WMI failed. No more RSoP logging will be done for
this application of policy.

Error - 2/14/2010 05:34:35 AM | Computer Name = SHADES | Source = Userenv | ID = 1090
Description = Windows couldn't log the RSoP (Resultant Set of Policies) session
status. An attempt to connect to WMI failed. No more RSoP logging will be done for
this application of policy.

Error - 2/14/2010 07:17:35 AM | Computer Name = SHADES | Source = Userenv | ID = 1090
Description = Windows couldn't log the RSoP (Resultant Set of Policies) session
status. An attempt to connect to WMI failed. No more RSoP logging will be done for
this application of policy.

Error - 2/14/2010 07:27:35 AM | Computer Name = SHADES | Source = Userenv | ID = 1090
Description = Windows couldn't log the RSoP (Resultant Set of Policies) session
status. An attempt to connect to WMI failed. No more RSoP logging will be done for
this application of policy.

Error - 2/14/2010 08:52:35 AM | Computer Name = SHADES | Source = Userenv | ID = 1090
Description = Windows couldn't log the RSoP (Resultant Set of Policies) session
status. An attempt to connect to WMI failed. No more RSoP logging will be done for
this application of policy.

Error - 2/14/2010 09:07:35 AM | Computer Name = SHADES | Source = Userenv | ID = 1090
Description = Windows couldn't log the RSoP (Resultant Set of Policies) session
status. An attempt to connect to WMI failed. No more RSoP logging will be done for
this application of policy.

Error - 2/14/2010 10:44:35 AM | Computer Name = SHADES | Source = Userenv | ID = 1090
Description = Windows couldn't log the RSoP (Resultant Set of Policies) session
status. An attempt to connect to WMI failed. No more RSoP logging will be done for
this application of policy.

Error - 2/14/2010 10:48:35 AM | Computer Name = SHADES | Source = Userenv | ID = 1090
Description = Windows couldn't log the RSoP (Resultant Set of Policies) session
status. An attempt to connect to WMI failed. No more RSoP logging will be done for
this application of policy.

Error - 2/14/2010 12:31:35 PM | Computer Name = SHADES | Source = Userenv | ID = 1090
Description = Windows couldn't log the RSoP (Resultant Set of Policies) session
status. An attempt to connect to WMI failed. No more RSoP logging will be done for
this application of policy.

Error - 2/14/2010 12:37:35 PM | Computer Name = SHADES | Source = Userenv | ID = 1090
Description = Windows couldn't log the RSoP (Resultant Set of Policies) session
status. An attempt to connect to WMI failed. No more RSoP logging will be done for
this application of policy.

[ System Events ]
Error - 2/17/2010 04:37:46 PM | Computer Name = SHADES | Source = Service Control Manager | ID = 7000
Description = The Iomega Activity Disk2 service failed to start due to the following
error: %%2

Error - 2/17/2010 04:37:46 PM | Computer Name = SHADES | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%3

Error - 2/17/2010 04:38:27 PM | Computer Name = SHADES | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SYMTDI

Error - 2/17/2010 04:39:54 PM | Computer Name = SHADES | Source = Service Control Manager | ID = 7031
Description = The Windows Search service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 30000 milliseconds:
Restart the service.

Error - 2/17/2010 05:07:34 PM | Computer Name = SHADES | Source = Service Control Manager | ID = 7031
Description = The Windows Search service terminated unexpectedly. It has done this
2 time(s). The following corrective action will be taken in 30000 milliseconds:
Restart the service.

Error - 2/17/2010 10:55:27 PM | Computer Name = SHADES | Source = Service Control Manager | ID = 7000
Description = The Software Cinemaster NT4.0 Driver service failed to start due to
the following error: %%2

Error - 2/17/2010 10:55:27 PM | Computer Name = SHADES | Source = Service Control Manager | ID = 7000
Description = The Iomega Activity Disk2 service failed to start due to the following
error: %%2

Error - 2/17/2010 10:55:27 PM | Computer Name = SHADES | Source = Service Control Manager | ID = 7000
Description = The npkcrypt service failed to start due to the following error: %%3

Error - 2/17/2010 10:55:52 PM | Computer Name = SHADES | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
SYMTDI

Error - 2/18/2010 02:17:24 AM | Computer Name = SHADES | Source = Service Control Manager | ID = 7031
Description = The Windows Search service terminated unexpectedly. It has done this
1 time(s). The following corrective action will be taken in 30000 milliseconds:
Restart the service.


< End of report >


#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home
  • Local time:08:00 AM

Posted 18 February 2010 - 02:07 PM

Hi,

can you please also run a scan with mbr.exe:
Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe -t >"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.


The infection you probably have is a backdoor infection.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide to clean, please also run a scan with ComboFix:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#5 writerdude19

writerdude19
  • Topic Starter

  • Members
  • 11 posts
  • Local time:01:00 AM

Posted 18 February 2010 - 04:54 PM

Hello again, ok, I posted the contents of the mbr.log and combofix.txt files
I've given it some thought, and although my computer may have become compromised, I'm not in a position to reformat and reinstall the OS at this time, because there are already too many files on it and because I'm being talked, ever so politely, into converting to linux.

In the meantime, I await further instructions.
Thanks in advance,
writerdude19


MBR.Log contents:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys hal.dll
kernel: MBR read successfully
BIOS signateure not found

COMBOFIX.txt contents:

ComboFix 10-02-18.03 - kevin 02/18/2010 14:54:23.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1504 [GMT -6:00]
Running from: c:\documents and settings\kevin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\11478.exe
c:\windows\system32\11942.exe
c:\windows\system32\14604.exe
c:\windows\system32\15724.exe
c:\windows\system32\16827.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\system32\2995.exe
c:\windows\system32\32391.exe
c:\windows\system32\3902.exe
c:\windows\system32\4827.exe
c:\windows\system32\491.exe
c:\windows\system32\5436.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\9961.exe

.
((((((((((((((((((((((((( Files Created from 2010-01-18 to 2010-02-18 )))))))))))))))))))))))))))))))
.

2010-02-17 20:40 . 2010-02-17 20:40 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_AC982987A37F61A43A13454D89EC60F9.dll
2010-02-17 20:40 . 2010-02-17 20:40 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8A9C1670A3F861244B7A7BFAFB422AA4.dll
2010-02-01 17:45 . 2010-02-01 17:45 36 ----a-w- c:\program files\skynet.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-17 21:06 . 2009-12-29 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-02-17 01:24 . 2009-11-22 16:37 -------- d-----w- c:\documents and settings\kevin\Application Data\vlc
2010-02-16 02:06 . 2008-04-14 06:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-16 01:28 . 2008-04-14 06:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys.tmp
2010-02-04 04:57 . 2007-07-01 14:56 -------- d-----w- c:\program files\My Installed Programs
2010-01-28 22:12 . 2002-12-29 02:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-20 05:46 . 2009-10-31 23:42 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-17 06:23 . 2010-01-17 05:53 -------- d-----w- c:\documents and settings\kevin\Application Data\Ventrilo
2010-01-17 05:52 . 2009-12-30 06:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-09 04:25 . 2009-03-27 08:06 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 22:07 . 2009-03-15 18:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2009-03-15 18:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-04 20:52 . 2010-01-04 20:52 -------- d-----w- c:\documents and settings\kevin\Application Data\Windows Search
2010-01-03 07:37 . 2010-01-03 07:37 388096 ----a-r- c:\documents and settings\kevin\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-31 16:50 . 2008-04-14 06:45 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-30 11:56 . 2009-12-30 11:56 647 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_C31BA4B7C5A15CB4BA6A67F2188944C4.dll
2009-12-30 11:56 . 2009-12-30 11:56 647 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_A9814017295C65A4CAE9C7C01A53ADC3.dll
2009-12-30 06:40 . 2009-12-30 06:40 -------- d--h--r- c:\documents and settings\kevin\Application Data\SecuROM
2009-12-30 06:40 . 2009-12-30 06:40 -------- d-----w- c:\program files\AGEIA Technologies
2009-12-30 06:40 . 2009-12-30 06:40 271360 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-12-30 06:40 . 2009-12-30 06:40 18048 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-12-29 02:15 . 2009-12-29 02:15 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-21 19:14 . 2008-04-14 11:42 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2002-12-29 00:18 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-04-14 11:41 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2008-04-14 06:47 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2008-04-14 11:42 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2008-04-14 05:42 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2001-08-23 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2008-04-14 11:42 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2008-04-14 11:41 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2008-04-14 05:41 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-21 15:51 . 2008-04-14 11:41 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2003-02-28 21:53 . 2003-02-28 21:53 66936 --sha-w- c:\windows\dlinfo_0.drv
.

------- Sigcheck -------

[-] 2009-10-31 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShockmachineReminder"="c:\program files\Shockwave\Shockmachine\SmReminder.exe" [2001-05-04 98304]
"ATI Launchpad"="c:\program files\ATI Multimedia\main\launchpd.exe" [2003-09-02 106574]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-12-16 94208]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-12-01 4662776]
"AIM"="c:\program files\My Installed Programs\AOL IM\aim.exe" [2005-08-05 67160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-13 106496]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"QuickTime Task"="c:\program files\My Installed Programs\Quicktime\QTTask.exe" [2009-05-26 413696]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-20 335872]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-29 684032]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"MsgCenterExe"="c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2008-04-01 69632]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-01 185896]
"vptray"="c:\progra~1\MYINST~1\Symantec\vptray.exe" [2003-05-21 90112]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 44032]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"IMONTRAY"="c:\program files\Intel\Intel® Active Monitor\imontray.exe" [2005-05-03 32768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2003-12-19 82026]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2005-7-13 221295]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Canon\\CSCLIB\\CDPROCMN.exe"=
"c:\\Program Files\\Canon\\CSCLIB\\CDPROC.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\My Installed Programs\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\My Installed Programs\\AOL IM\\aim.exe"=
"c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\My Installed Programs\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\My Installed Programs\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\My Installed Programs\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\My Installed Programs\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\Netscape\\Netscape\\Netscp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/20/2009 10:58 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2010-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: c:\progra~1\COMMON~1\BTLINK\btlink.dll//iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: tvguide.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-18 15:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,28,e7,45,a3,0c,df,46,89,f3,7d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,28,e7,45,a3,0c,df,46,89,f3,7d,\

[HKEY_USERS\S-1-5-21-299502267-746137067-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\e*B* N*9 x*9 ]
"Order"=hex:08,00,00,00,02,00,00,00,b0,00,00,00,01,00,00,00,01,00,00,00,a4,00,
00,00,00,00,00,00,96,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,84,00,31,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(932)
c:\windows\system32\WININET.dll
.
Completion time: 2010-02-18 15:05:49
ComboFix-quarantined-files.txt 2010-02-18 21:05

Pre-Run: 24,181,755,904 bytes free
Post-Run: 24,182,915,072 bytes free

- - End Of File - - 24652FDF2EBBE854E79CF40E648BF7AD


#6 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home
  • Local time:08:00 AM

Posted 18 February 2010 - 05:02 PM

Hi,

please run a file search as follows:

Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    CODE
    :filefind
    atapi.sys
    sfcfiles.dll
  • Hit the Look button. Let it finish the scan
  • A log will then pop-up to your Desktop.. Post the content of the log here in your next reply

Do you still get hits that atapi.sys is infected?

regards myrti



#7 writerdude19

writerdude19
  • Topic Starter

  • Members
  • 11 posts
  • Local time:01:00 AM

Posted 18 February 2010 - 06:19 PM

Hello again, system is running a scan and should be done any minute now . . .
and I am still receiving notification that atapi.sys.tmp is infected with "Backdoor.Tidserv!inf"; however, upon looking inside C:\windows\system32\drivers, I found the file named "atapi.sys" to be simply named "atapi".

Thanks in advance,
writerdude19

contents of SystemLook.txt file:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 16:28 on 18/02/2010 by kevin (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [07:24 03/01/2010] [02:06 16/02/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [06:10 14/04/2008] [06:10 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [06:10 14/04/2008] [02:06 16/02/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys --a--- 96512 bytes [14:59 31/10/2009] [06:10 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys --a--- 96512 bytes [14:59 31/10/2009] [05:10 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

Searching for "sfcfiles.dll"
C:\WINDOWS\system32\sfcfiles.dll --a--- 1614848 bytes [04:53 31/10/2009] [04:53 31/10/2009] 362BC5AF8EAF712832C58CC13AE05750

-=End Of File=-

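One way to read that filefind output the way an analyst would, as an added example that is not code from SystemLook, ComboFix or any post in this thread: it parses the log above and sorts every copy of atapi.sys against the copy in system32\dllcache by size and MD5, and the choice of the dllcache copy as the reference is this example's own assumption. Here all five copies carry one hash, so at scan time the on-disk driver was byte-identical to its backups and only timestamps differed.

```python
"""Cross-check the copies of a driver listed by a SystemLook ':filefind' scan.

Added example for this thread; not code from SystemLook, ComboFix or any poster.
It parses the filefind output posted in #7 and compares every copy of atapi.sys
against the copy in the dllcache folder under system32 (the Windows File
Protection cache). Using that copy as the reference is this example's assumption.
"""
import re
from datetime import datetime

# Copied verbatim from the SystemLook.txt posted in #7 (not constructed).
SYSTEMLOOK_LOG = r"""SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 16:28 on 18/02/2010 by kevin (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.sys"
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [07:24 03/01/2010] [02:06 16/02/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\dllcache\atapi.sys --a--c 96512 bytes [06:10 14/04/2008] [06:10 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [06:10 14/04/2008] [02:06 16/02/2010] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys --a--- 96512 bytes [14:59 31/10/2009] [06:10 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys --a--- 96512 bytes [14:59 31/10/2009] [05:10 14/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

Searching for "sfcfiles.dll"
C:\WINDOWS\system32\sfcfiles.dll --a--- 1614848 bytes [04:53 31/10/2009] [04:53 31/10/2009] 362BC5AF8EAF712832C58CC13AE05750

-=End Of File=-
"""

# One result line: <path> <6 attribute flags> <size> bytes [created] [modified] <MD5>
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"')
TS_FMT = "%H:%M %d/%m/%Y"  # SystemLook prints [HH:MM DD/MM/YYYY]
REFERENCE_MARKER = "\\system32\\dllcache\\"  # WFP cache copy used as the baseline (assumption)


def parse_filefind(text):
    """Return {searched file name: [entry dict, ...]} from a filefind log."""
    results = {}
    current = None
    for line in text.splitlines():
        hit = SEARCH_RE.match(line)
        if hit:
            current = results.setdefault(hit.group("name"), [])
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            current.append({
                "path": entry.group("path"),
                "attrs": entry.group("attrs"),
                "size": int(entry.group("size")),
                "created": datetime.strptime(entry.group("created"), TS_FMT),
                "modified": datetime.strptime(entry.group("modified"), TS_FMT),
                "md5": entry.group("md5").upper(),
            })
    return results


def compare_copies(entries, reference_marker=REFERENCE_MARKER):
    """Sort every copy into identical / timestamp-only / content-mismatch buckets,
    measured against the copy whose path contains reference_marker."""
    refs = [e for e in entries if reference_marker in e["path"].lower()]
    if not refs:
        raise ValueError("no reference copy under %s" % reference_marker)
    ref = refs[0]
    findings = {"reference": ref["path"], "content_mismatch": [],
                "timestamp_only": [], "identical": []}
    for e in entries:
        if e is ref:
            continue
        if e["md5"] != ref["md5"] or e["size"] != ref["size"]:
            # Different bytes: this copy was patched, replaced or is another build.
            findings["content_mismatch"].append(e["path"])
        elif e["modified"] != ref["modified"]:
            # Same bytes, different mtime: the file was rewritten with identical
            # content (a restore or repair); the timestamp alone proves nothing.
            findings["timestamp_only"].append(e["path"])
        else:
            findings["identical"].append(e["path"])
    return findings


def summarize(text):
    """Run compare_copies for every searched name; None where no reference exists."""
    out = {}
    for name, entries in parse_filefind(text).items():
        try:
            out[name] = compare_copies(entries)
        except ValueError:
            out[name] = None  # e.g. sfcfiles.dll: a single copy, no dllcache entry
    return out


# Constructed variant (NOT from the thread): the live driver's MD5 swapped for an
# all-zero placeholder so the content-mismatch path is exercised as well.
CONSTRUCTED_PATCHED_LOG = SYSTEMLOOK_LOG.replace(
    r"drivers\atapi.sys ------ 96512 bytes [06:10 14/04/2008] [02:06 16/02/2010] 9F3A2F5AA6875C72BF062C712CFA2674",
    r"drivers\atapi.sys ------ 96512 bytes [06:10 14/04/2008] [02:06 16/02/2010] 00000000000000000000000000000000",
)

if __name__ == "__main__":
    for name, findings in summarize(SYSTEMLOOK_LOG).items():
        print(name, findings)
```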

#8 writerdude19

writerdude19
  • Topic Starter

  • Members
  • 11 posts
  • Local time:01:00 AM

Posted 18 February 2010 - 09:12 PM

Just noticed, my PC has given me 294 virus warning messages, all from Symantec, and all warning that atapi.sys or atapi.sys.tmp is infected, and the number of warning messages keeps rising, now up to over 300. Looks like the errors are coming in at every 5 seconds.
And this is from just leaving my computer running idly without being connected to the internet at all.

looks like the backdoor just won't take 'die' for an answer.
writerdude19

Edited by writerdude19, 18 February 2010 - 09:13 PM.


#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home
  • Local time:08:00 AM

Posted 20 February 2010 - 05:16 AM

Hi,

please run the following script:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
FCopy::
C:\WINDOWS\ERDNT\cache\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
SRPeek::
c:\windows\system32\sfcfiles.dll


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti



#10 writerdude19

writerdude19
  • Topic Starter

  • Members
  • 11 posts
  • Local time:01:00 AM

Posted 21 February 2010 - 08:53 PM

Hello, nothing new to report. Executed your instructions and below are the results.

Once again, thanks in advance,
Writerdude19

Contents of new ComboFix.txt log:

ComboFix 10-02-18.03 - kevin 02/21/2010 19:21:08.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1523 [GMT -6:00]
Running from: c:\documents and settings\kevin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kevin\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ERDNT\cache\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2010-01-22 to 2010-02-22 )))))))))))))))))))))))))))))))
.

2010-02-17 20:40 . 2010-02-17 20:40 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_AC982987A37F61A43A13454D89EC60F9.dll
2010-02-17 20:40 . 2010-02-17 20:40 10 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8A9C1670A3F861244B7A7BFAFB422AA4.dll
2010-02-01 17:45 . 2010-02-01 17:45 36 ----a-w- c:\program files\skynet.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-22 01:21 . 2008-04-14 06:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-17 21:06 . 2009-12-29 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2010-02-17 01:24 . 2009-11-22 16:37 -------- d-----w- c:\documents and settings\kevin\Application Data\vlc
2010-02-16 01:28 . 2008-04-14 06:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys.tmp
2010-02-04 04:57 . 2007-07-01 14:56 -------- d-----w- c:\program files\My Installed Programs
2010-01-28 22:12 . 2002-12-29 02:03 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-20 05:46 . 2009-10-31 23:42 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-17 06:23 . 2010-01-17 05:53 -------- d-----w- c:\documents and settings\kevin\Application Data\Ventrilo
2010-01-17 05:52 . 2009-12-30 06:40 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-09 04:25 . 2009-03-27 08:06 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-01-07 22:07 . 2009-03-15 18:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2009-03-15 18:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-04 20:52 . 2010-01-04 20:52 -------- d-----w- c:\documents and settings\kevin\Application Data\Windows Search
2010-01-03 07:37 . 2010-01-03 07:37 388096 ----a-r- c:\documents and settings\kevin\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-31 16:50 . 2008-04-14 06:45 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-30 11:56 . 2009-12-30 11:56 647 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_C31BA4B7C5A15CB4BA6A67F2188944C4.dll
2009-12-30 11:56 . 2009-12-30 11:56 647 ----a-w- c:\documents and settings\All Users\Application Data\SecTaskMan\icn_A9814017295C65A4CAE9C7C01A53ADC3.dll
2009-12-30 06:40 . 2009-12-30 06:40 -------- d--h--r- c:\documents and settings\kevin\Application Data\SecuROM
2009-12-30 06:40 . 2009-12-30 06:40 -------- d-----w- c:\program files\AGEIA Technologies
2009-12-30 06:40 . 2009-12-30 06:40 271360 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-12-30 06:40 . 2009-12-30 06:40 18048 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-12-29 02:15 . 2009-12-29 02:15 -------- d-----w- c:\program files\Symantec AntiVirus
2009-12-21 19:14 . 2008-04-14 11:42 916480 ------w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2002-12-29 00:18 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2008-04-14 11:41 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2008-04-14 06:47 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2008-04-14 11:42 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2008-04-14 05:42 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2001-08-23 12:00 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2008-04-14 11:42 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2008-04-14 11:41 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2008-04-14 05:41 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2003-02-28 21:53 . 2003-02-28 21:53 66936 --sha-w- c:\windows\dlinfo_0.drv
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------- Sigcheck -------

[-] 2009-10-31 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-02-18_21.02.06 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 06:10 . 2010-02-22 01:21 96512 c:\windows\system32\dllcache\atapi.sys
- 2008-04-14 06:10 . 2008-04-14 06:10 96512 c:\windows\system32\dllcache\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShockmachineReminder"="c:\program files\Shockwave\Shockmachine\SmReminder.exe" [2001-05-04 98304]
"ATI Launchpad"="c:\program files\ATI Multimedia\main\launchpd.exe" [2003-09-02 106574]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-12-16 94208]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-12-01 4662776]
"AIM"="c:\program files\My Installed Programs\AOL IM\aim.exe" [2005-08-05 67160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-13 106496]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"QuickTime Task"="c:\program files\My Installed Programs\Quicktime\QTTask.exe" [2009-05-26 413696]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-07-20 335872]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-29 684032]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"MsgCenterExe"="c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2008-04-01 69632]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-01 185896]
"vptray"="c:\progra~1\MYINST~1\Symantec\vptray.exe" [2003-05-21 90112]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-23 44032]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"IMONTRAY"="c:\program files\Intel\Intel® Active Monitor\imontray.exe" [2005-05-03 32768]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2003-12-19 82026]
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2005-7-13 221295]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Canon\\CSCLIB\\CDPROCMN.exe"=
"c:\\Program Files\\Canon\\CSCLIB\\CDPROC.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\My Installed Programs\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\My Installed Programs\\AOL IM\\aim.exe"=
"c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\My Installed Programs\\Shareaza\\Shareaza.exe"=
"c:\\Program Files\\My Installed Programs\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\My Installed Programs\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\My Installed Programs\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\Netscape\\Netscape\\Netscp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/20/2009 10:58 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2010-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1
IE: c:\progra~1\COMMON~1\BTLINK\btlink.dll//iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: tvguide.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 19:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,28,e7,45,a3,0c,df,46,89,f3,7d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,28,e7,45,a3,0c,df,46,89,f3,7d,\

[HKEY_USERS\S-1-5-21-299502267-746137067-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\e*B* N*9 x*9 ]
"Order"=hex:08,00,00,00,02,00,00,00,b0,00,00,00,01,00,00,00,01,00,00,00,a4,00,
00,00,00,00,00,00,96,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,84,00,31,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(948)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2768)
c:\windows\system32\WININET.dll
c:\program files\Iomega\DriveIcons\IMGHOOK.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-21 19:32:49
ComboFix-quarantined-files.txt 2010-02-22 01:32

Pre-Run: 24,138,067,968 bytes free
Post-Run: 24,090,816,512 bytes free

- - End Of File - - 0FAE5A731BFFA033A97222841C3F411F


#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home
  • Local time:08:00 AM

Posted 22 February 2010 - 02:38 PM

Hi,

please run TDSSKiller instead:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!


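As an added example that is not part of this thread and not code from Kaspersky's TDSSKiller, here is a small Python triage pass over the TDSSKiller.txt log that the steps above produce: it pulls out the system info, the driver objects that were scanned and the per-file verdicts, and flags any verdict other than Clean or a "Hidden service detected" line. The line layout follows the log format pasted in this thread; the EXAMPLE-PC name, the Infected verdict string and the hidden-service line in the sample are constructed assumptions.

```python
# Added example for this thread (not code from BleepingComputer, from the helper,
# or from Kaspersky's TDSSKiller). Assumes the line layout seen in a pasted
# TDSSKiller 2.2.x log: "HH:MM:SS:mmm <pid> <message>".
import re
import sys
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<pid>\d+)\s?(?P<msg>.*)$")
VERDICT_RE = re.compile(r"TDL3_FileDetect:\s+(?P<path>.+?)\s+-\s+Verdict:\s+(?P<verdict>\S+)")
DRIVER_RE = re.compile(r"DRIVER_OBJECT name:\s+(?P<obj>\S+),\s+Driver Name:\s+(?P<name>\S+)")
INFO_RE = re.compile(r"^(OS Version|ComputerName|Boot type|Product type):\s+(.*)$")

# Constructed sample log. The first lines copy the layout of a real log; the
# computer name, the "Infected" verdict and the hidden-service line are
# placeholders (the exact wording the tool uses for those is an assumption).
SAMPLE_LOG = r"""16:49:42:625 2824 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
16:49:42:625 2824 SystemInfo:

16:49:42:625 2824 OS Version: 5.1.2600 ServicePack: 3.0
16:49:42:625 2824 ComputerName: EXAMPLE-PC
16:49:42:625 2824 Boot type: Normal boot
16:49:43:031 2824 Scanning Kernel memory ...
16:49:43:031 2824 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_READ : F7637D1F
16:49:43:046 2824 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:49:43:046 2824 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
16:49:43:046 2824 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
16:49:43:100 2824 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
16:49:43:100 2824 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
16:49:43:200 2824 Hidden service detected: EXAMPLE_HIDDEN_SVC
"""


@dataclass
class TdssTriage:
    system: dict = field(default_factory=dict)    # OS Version, Boot type, ...
    drivers: list = field(default_factory=list)   # driver objects in scan order
    verdicts: dict = field(default_factory=dict)  # driver file path -> last verdict
    hidden_service: bool = False                  # a "Hidden service detected" line was seen
    unparsed: int = 0                             # non-empty lines not in the expected layout

    def suspicious(self):
        """Driver files whose verdict is anything other than Clean."""
        return {p: v for p, v in self.verdicts.items() if v.lower() != "clean"}

    def report(self):
        """Short summary lines suitable for pasting into a help thread."""
        lines = [f"{k}: {v}" for k, v in sorted(self.system.items())]
        lines.append("drivers scanned: " + (", ".join(self.drivers) or "none"))
        lines.append(f"driver files with a verdict: {len(self.verdicts)}")
        bad = ", ".join(f"{p} ({v})" for p, v in self.suspicious().items())
        lines.append("non-clean verdicts: " + (bad or "none"))
        lines.append("hidden service line present: " + ("yes" if self.hidden_service else "no"))
        return lines


def parse_tdsskiller_log(text):
    """Walk the log once; every line is classified by the first pattern it matches."""
    result = TdssTriage()
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            if line:
                result.unparsed += 1
            continue
        msg = m.group("msg").strip()
        if not msg:
            continue  # timestamp-only separator lines
        info = INFO_RE.match(msg)
        if info:
            result.system[info.group(1)] = info.group(2).strip()
            continue
        drv = DRIVER_RE.search(msg)
        if drv:
            if drv.group("name") not in result.drivers:
                result.drivers.append(drv.group("name"))
            continue
        ver = VERDICT_RE.search(msg)
        if ver:
            # The same file is scanned once per device object; keep the last verdict.
            result.verdicts[ver.group("path")] = ver.group("verdict")
            continue
        if "hidden service detected" in msg.lower():
            result.hidden_service = True
    return result


if __name__ == "__main__":
    # Usage: python tdss_triage.py [C:\TDSSKiller.txt]; without a path the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    print("\n".join(parse_tdsskiller_log(text).report()))
```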


#12 writerdude19

writerdude19
  • Topic Starter

  • Members
  • 11 posts
  • Local time:01:00 AM

Posted 22 February 2010 - 05:53 PM

Hello, followed the instructions you gave me. TDSS never said anything about hidden services detected.
Here's what you asked me to provide.
Thanks in advance, writerdude19


Contents of TDSSKiller.txt Log:

16:49:42:625 2824 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
16:49:42:625 2824 ================================================================================
16:49:42:625 2824 SystemInfo:

16:49:42:625 2824 OS Version: 5.1.2600 ServicePack: 3.0
16:49:42:625 2824 Product type: Workstation
16:49:42:625 2824 ComputerName: SHADES
16:49:42:625 2824 UserName: kevin
16:49:42:625 2824 Windows directory: C:\WINDOWS
16:49:42:625 2824 Processor architecture: Intel x86
16:49:42:625 2824 Number of processors: 2
16:49:42:625 2824 Page size: 0x1000
16:49:42:625 2824 Boot type: Normal boot
16:49:42:625 2824 ================================================================================
16:49:42:640 2824 UnloadDriverW: NtUnloadDriver error 2
16:49:42:640 2824 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
16:49:42:656 2824 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
16:49:42:687 2824 UtilityInit: KLMD drop and load success
16:49:42:687 2824 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
16:49:42:687 2824 UtilityInit: KLMD open success
16:49:42:687 2824 UtilityInit: Initialize success
16:49:42:687 2824
16:49:42:687 2824 Scanning Services ...
16:49:42:687 2824 CreateRegParser: Registry parser init started
16:49:42:687 2824 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
16:49:42:687 2824 CreateRegParser: DisableWow64Redirection error
16:49:42:687 2824 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
16:49:42:687 2824 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
16:49:42:687 2824 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:49:42:687 2824 wfopen_ex: Trying to KLMD file open
16:49:42:687 2824 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
16:49:42:687 2824 wfopen_ex: File opened ok (Flags 2)
16:49:42:687 2824 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 274C60
16:49:42:687 2824 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
16:49:42:687 2824 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
16:49:42:687 2824 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:49:42:687 2824 wfopen_ex: Trying to KLMD file open
16:49:42:687 2824 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
16:49:42:687 2824 wfopen_ex: File opened ok (Flags 2)
16:49:42:687 2824 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 274B50
16:49:42:687 2824 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
16:49:42:687 2824 CreateRegParser: EnableWow64Redirection error
16:49:42:687 2824 CreateRegParser: RegParser init completed
16:49:43:031 2824 GetAdvancedServicesInfo: Raw services enum returned 370 services
16:49:43:031 2824 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
16:49:43:031 2824 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
16:49:43:031 2824
16:49:43:031 2824 Scanning Kernel memory ...
16:49:43:031 2824 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
16:49:43:031 2824 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8A6A1A08
16:49:43:031 2824 DetectCureTDL3: KLMD_GetDeviceObjectList returned 8 DevObjects
16:49:43:031 2824
16:49:43:031 2824 DetectCureTDL3: DEVICE_OBJECT: 8922B340
16:49:43:031 2824 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8922B340
16:49:43:031 2824 KLMD_ReadMem: Trying to ReadMemory 0x8922B340[0x38]
16:49:43:031 2824 DetectCureTDL3: DRIVER_OBJECT: 8A6A1A08
16:49:43:031 2824 KLMD_ReadMem: Trying to ReadMemory 0x8A6A1A08[0xA8]
16:49:43:031 2824 KLMD_ReadMem: Trying to ReadMemory 0xE1025138[0x18]
16:49:43:031 2824 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_CREATE : F763DBB0
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F9739
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_CLOSE : F763DBB0
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_READ : F7637D1F
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_WRITE : F7637D1F
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F9739
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F9739
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F9739
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_SET_EA : 804F9739
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F76382E2
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9739
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F9739
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F9739
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F9739
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F76383BB
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_SHUTDOWN : F76382E2
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F9739
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_CLEANUP : 804F9739
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F9739
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F9739
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F9739
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_POWER : F7639C82
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F763E99E
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F9739
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F9739
16:49:43:031 2824 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F9739
16:49:43:031 2824 TDL3_FileDetect: Processing driver: Disk
16:49:43:046 2824 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:49:43:046 2824 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:49:43:046 2824 TDL3_FileDetect: Processing driver: Disk
16:49:43:046 2824 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:49:43:046 2824 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:49:43:046 2824 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:49:43:046 2824
16:49:43:046 2824 DetectCureTDL3: DEVICE_OBJECT: 8A666AB8
16:49:43:046 2824 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A666AB8
16:49:43:046 2824 DetectCureTDL3: DEVICE_OBJECT: 89244EA0
16:49:43:046 2824 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89244EA0
16:49:43:046 2824 KLMD_ReadMem: Trying to ReadMemory 0x89244EA0[0x38]
16:49:43:046 2824 DetectCureTDL3: DRIVER_OBJECT: 8927B690
16:49:43:046 2824 KLMD_ReadMem: Trying to ReadMemory 0x8927B690[0xA8]
16:49:43:046 2824 KLMD_ReadMem: Trying to ReadMemory 0xE3166478[0x1E]
16:49:43:046 2824 DetectCureTDL3: DRIVER_OBJECT name: \Driver\USBSTOR, Driver Name: USBSTOR
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_CREATE : F77F4218
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F9739
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_CLOSE : F77F4218
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_READ : F77F423C
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_WRITE : F77F423C
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F9739
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F9739
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F9739
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_SET_EA : 804F9739
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804F9739
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9739
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F9739
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F9739
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F9739
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F77F4180
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F77EF9E6
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804F9739
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F9739
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_CLEANUP : 804F9739
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F9739
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F9739
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F9739
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_POWER : F77F35F0
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F77F1A6E
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F9739
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F9739
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F9739
16:49:43:046 2824 TDL3_FileDetect: Processing driver: USBSTOR
16:49:43:046 2824 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:49:43:046 2824 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:49:43:046 2824 KLMD_ReadMem: Trying to ReadMemory 0xF77F0F26[0x400]
16:49:43:046 2824 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
16:49:43:046 2824 TDL3_FileDetect: Processing driver: USBSTOR
16:49:43:046 2824 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:49:43:046 2824 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:49:43:046 2824 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
16:49:43:046 2824
16:49:43:046 2824 DetectCureTDL3: DEVICE_OBJECT: 8A69D8A0
16:49:43:046 2824 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A69D8A0
16:49:43:046 2824 KLMD_ReadMem: Trying to ReadMemory 0x8A69D8A0[0x38]
16:49:43:046 2824 DetectCureTDL3: DRIVER_OBJECT: 8A6A1A08
16:49:43:046 2824 KLMD_ReadMem: Trying to ReadMemory 0x8A6A1A08[0xA8]
16:49:43:046 2824 KLMD_ReadMem: Trying to ReadMemory 0xE1025138[0x18]
16:49:43:046 2824 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_CREATE : F763DBB0
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F9739
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_CLOSE : F763DBB0
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_READ : F7637D1F
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_WRITE : F7637D1F
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F9739
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F9739
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F9739
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_SET_EA : 804F9739
16:49:43:046 2824 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F76382E2
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F76383BB
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_SHUTDOWN : F76382E2
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_CLEANUP : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_POWER : F7639C82
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F763E99E
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F9739
16:49:43:062 2824 TDL3_FileDetect: Processing driver: Disk
16:49:43:062 2824 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:49:43:062 2824 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:49:43:062 2824 TDL3_FileDetect: Processing driver: Disk
16:49:43:062 2824 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:49:43:062 2824 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:49:43:062 2824 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:49:43:062 2824
16:49:43:062 2824 DetectCureTDL3: DEVICE_OBJECT: 8A69DC68
16:49:43:062 2824 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A69DC68
16:49:43:062 2824 KLMD_ReadMem: Trying to ReadMemory 0x8A69DC68[0x38]
16:49:43:062 2824 DetectCureTDL3: DRIVER_OBJECT: 8A6A1A08
16:49:43:062 2824 KLMD_ReadMem: Trying to ReadMemory 0x8A6A1A08[0xA8]
16:49:43:062 2824 KLMD_ReadMem: Trying to ReadMemory 0xE1025138[0x18]
16:49:43:062 2824 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_CREATE : F763DBB0
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_CLOSE : F763DBB0
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_READ : F7637D1F
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_WRITE : F7637D1F
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_SET_EA : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F76382E2
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F76383BB
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_SHUTDOWN : F76382E2
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_CLEANUP : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_POWER : F7639C82
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F763E99E
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F9739
16:49:43:062 2824 TDL3_FileDetect: Processing driver: Disk
16:49:43:062 2824 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:49:43:062 2824 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:49:43:062 2824 TDL3_FileDetect: Processing driver: Disk
16:49:43:062 2824 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:49:43:062 2824 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:49:43:062 2824 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:49:43:062 2824
16:49:43:062 2824 DetectCureTDL3: DEVICE_OBJECT: 8A69EC68
16:49:43:062 2824 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A69EC68
16:49:43:062 2824 KLMD_ReadMem: Trying to ReadMemory 0x8A69EC68[0x38]
16:49:43:062 2824 DetectCureTDL3: DRIVER_OBJECT: 8A6A1A08
16:49:43:062 2824 KLMD_ReadMem: Trying to ReadMemory 0x8A6A1A08[0xA8]
16:49:43:062 2824 KLMD_ReadMem: Trying to ReadMemory 0xE1025138[0x18]
16:49:43:062 2824 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_CREATE : F763DBB0
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_CLOSE : F763DBB0
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_READ : F7637D1F
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_WRITE : F7637D1F
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_SET_EA : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F76382E2
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F76383BB
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_SHUTDOWN : F76382E2
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_CLEANUP : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_POWER : F7639C82
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F763E99E
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F9739
16:49:43:062 2824 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F9739
16:49:43:062 2824 TDL3_FileDetect: Processing driver: Disk
16:49:43:062 2824 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:49:43:062 2824 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:49:43:062 2824 TDL3_FileDetect: Processing driver: Disk
16:49:43:062 2824 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:49:43:062 2824 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:49:43:078 2824 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:49:43:078 2824
16:49:43:078 2824 DetectCureTDL3: DEVICE_OBJECT: 8A77F9D0
16:49:43:078 2824 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A77F9D0
16:49:43:078 2824 KLMD_ReadMem: Trying to ReadMemory 0x8A77F9D0[0x38]
16:49:43:078 2824 DetectCureTDL3: DRIVER_OBJECT: 8A6A1A08
16:49:43:078 2824 KLMD_ReadMem: Trying to ReadMemory 0x8A6A1A08[0xA8]
16:49:43:078 2824 KLMD_ReadMem: Trying to ReadMemory 0xE1025138[0x18]
16:49:43:078 2824 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_CREATE : F763DBB0
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F9739
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_CLOSE : F763DBB0
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_READ : F7637D1F
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_WRITE : F7637D1F
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F9739
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F9739
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F9739
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_SET_EA : 804F9739
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F76382E2
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9739
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F9739
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F9739
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F9739
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F76383BB
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_SHUTDOWN : F76382E2
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F9739
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_CLEANUP : 804F9739
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F9739
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F9739
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F9739
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_POWER : F7639C82
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F763E99E
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F9739
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F9739
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F9739
16:49:43:078 2824 TDL3_FileDetect: Processing driver: Disk
16:49:43:078 2824 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:49:43:078 2824 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:49:43:078 2824 TDL3_FileDetect: Processing driver: Disk
16:49:43:078 2824 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:49:43:078 2824 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:49:43:078 2824 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:49:43:078 2824
16:49:43:078 2824 DetectCureTDL3: DEVICE_OBJECT: 8A77CAB8
16:49:43:078 2824 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A77CAB8
16:49:43:078 2824 DetectCureTDL3: DEVICE_OBJECT: 8A6A29E8
16:49:43:078 2824 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6A29E8
16:49:43:078 2824 DetectCureTDL3: DEVICE_OBJECT: 8A780D98
16:49:43:078 2824 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A780D98
16:49:43:078 2824 KLMD_ReadMem: Trying to ReadMemory 0x8A780D98[0x38]
16:49:43:078 2824 DetectCureTDL3: DRIVER_OBJECT: 8A77F130
16:49:43:078 2824 KLMD_ReadMem: Trying to ReadMemory 0x8A77F130[0xA8]
16:49:43:078 2824 KLMD_ReadMem: Trying to ReadMemory 0x8A6A3940[0x38]
16:49:43:078 2824 KLMD_ReadMem: Trying to ReadMemory 0x8A7168A8[0xA8]
16:49:43:078 2824 KLMD_ReadMem: Trying to ReadMemory 0xE10143B8[0x1A]
16:49:43:078 2824 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_CREATE : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_CLOSE : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_READ : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_WRITE : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_QUERY_EA : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_SET_EA : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_SHUTDOWN : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_CLEANUP : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_SET_SECURITY : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_POWER : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_SET_QUOTA : 8A6A8841
16:49:43:078 2824 TDL3_FileDetect: Processing driver: atapi
16:49:43:078 2824 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
16:49:43:078 2824 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
16:49:43:078 2824 DetectCureTDL3: All IRP handlers pointed to one addr: 8A6A8841
16:49:43:078 2824 KLMD_ReadMem: Trying to ReadMemory 0x8A6A8841[0x400]
16:49:43:078 2824 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 333, 121, 3, 109
16:49:43:078 2824 Driver "atapi" Irp handler infected by TDSS rootkit ... 16:49:43:078 2824 KLMD_WriteMem: Trying to WriteMemory 0x8A6A88BA[0xD]
16:49:43:078 2824 cured
16:49:43:078 2824 KLMD_ReadMem: Trying to ReadMemory 0x8A6A86EC[0x400]
16:49:43:078 2824 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
16:49:43:078 2824 Driver "atapi" StartIo handler infected by TDSS rootkit ... 16:49:43:078 2824 TDL3_StartIoHookCure: Number of patches 1
16:49:43:078 2824 KLMD_WriteMem: Trying to WriteMemory 0x8A6A87F5[0x6]
16:49:43:078 2824 cured
16:49:43:078 2824 TDL3_FileDetect: Processing driver: atapi
16:49:43:078 2824 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
16:49:43:078 2824 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
16:49:43:093 2824 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
16:49:43:093 2824 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 16:49:43:093 2824 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
16:49:43:093 2824 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
16:49:43:093 2824 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab
16:49:43:187 2824 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp3.cab
16:49:43:203 2824 CabinetCallback: Backup candidate found: atapi.sys:96512, extracting..
16:49:43:390 2824 CabinetCallback: File extracted successfully: C:\DOCUME~1\kevin\LOCALS~1\Temp\bck2.tmp
16:49:43:390 2824 ValidateDriverFile: Stage 1 passed
16:49:43:390 2824 ValidateDriverFile: Stage 2 passed
16:49:43:500 2824 DigitalSignVerifyByHandle: Embedded DS result: 800B0100
16:49:45:250 2824 DigitalSignVerifyByHandle: Cat DS result: 00000000
16:49:45:250 2824 ValidateDriverFile: Stage 3 passed
16:49:45:250 2824 CabinetCallback: File validated successfully, restore information prepared
16:49:45:250 2824 FindDriverFileBackup: Backup copy found in cab-file
16:49:45:250 2824 TDL3_FileCure: Backup copy found, using it..
16:49:45:265 2824 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tsk3.tmp
16:49:45:296 2824 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk3.tmp, system32\drivers\atapi.sys)
16:49:45:296 2824 TDL3_FileCure: KLMD jobs schedule success
16:49:45:296 2824 will be cured on next reboot
16:49:45:296 2824
16:49:45:296 2824 DetectCureTDL3: DEVICE_OBJECT: 8A77DAB8
16:49:45:296 2824 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A77DAB8
16:49:45:296 2824 DetectCureTDL3: DEVICE_OBJECT: 8A6A4F18
16:49:45:296 2824 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6A4F18
16:49:45:296 2824 DetectCureTDL3: DEVICE_OBJECT: 8A6A3940
16:49:45:296 2824 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6A3940
16:49:45:296 2824 KLMD_ReadMem: Trying to ReadMemory 0x8A6A3940[0x38]
16:49:45:296 2824 DetectCureTDL3: DRIVER_OBJECT: 8A7168A8
16:49:45:296 2824 KLMD_ReadMem: Trying to ReadMemory 0x8A7168A8[0xA8]
16:49:45:296 2824 KLMD_ReadMem: Trying to ReadMemory 0xE10143B8[0x1A]
16:49:45:296 2824 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_CREATE : F74A46F2
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F9739
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_CLOSE : F74A46F2
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_READ : 804F9739
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_WRITE : 804F9739
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F9739
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F9739
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F9739
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_SET_EA : 804F9739
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804F9739
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F9739
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F9739
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F9739
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F9739
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F74A4712
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F74A0852
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804F9739
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F9739
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_CLEANUP : 804F9739
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F9739
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F9739
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F9739
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_POWER : F74A473C
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F74AB336
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F9739
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F9739
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F9739
16:49:45:296 2824 TDL3_FileDetect: Processing driver: atapi
16:49:45:296 2824 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\tsk3.tmp
16:49:45:296 2824 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\tsk3.tmp
16:49:45:296 2824 KLMD_ReadMem: Trying to ReadMemory 0x8A6A86EC[0x400]
16:49:45:296 2824 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 0
16:49:45:296 2824 TDL3_FileDetect: Processing driver: atapi
16:49:45:296 2824 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\tsk3.tmp
16:49:45:296 2824 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\tsk3.tmp
16:49:45:296 2824 TDL3_FileDetect: C:\WINDOWS\system32\drivers\tsk3.tmp - Verdict: Clean
16:49:45:296 2824 UtilityBootReinit: Reboot required for cure complete..
16:49:45:296 2824 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
16:49:45:312 2824 UtilityBootReinit: KLMD drop success
16:49:45:343 2824 KLMD_ApplyPendList: Pending buffer(3230_508B, 600) dropped successfully
16:49:45:343 2824 UtilityBootReinit: Cure on reboot scheduled successfully
16:49:45:343 2824
16:49:45:343 2824 Completed
16:49:45:343 2824
16:49:45:343 2824 Results:
16:49:45:343 2824 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
16:49:45:343 2824 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:49:45:343 2824 File objects infected / cured / cured on reboot: 1 / 0 / 1
16:49:45:343 2824
16:49:45:343 2824 UnloadDriverW: NtUnloadDriver error 1
16:49:45:343 2824 KLMD_Unload: UnloadDriverW(klmd21) error 1
16:49:45:343 2824 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
16:49:45:343 2824 UtilityDeinit: KLMD(ARK) unloaded successfully
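
The log above shows TDSSKiller's memory-side check: a DRIVER_OBJECT whose every IRP_MJ handler resolves to a single address (8A6A8841 for atapi, against the distinct entry points of the clean Disk driver, with unimplemented majors sharing the kernel's default handler 804F9739). As an added example that is not part of the original post or of TDSSKiller, this Python script parses such log lines and applies the same heuristic; the sample log is constructed from the entries posted above.

```python
import re

# Constructed sample in the shape of the TDSSKiller log above; the addresses are
# copied from the posted log. A real run would pass the whole log file's text.
SAMPLE_LOG = """\
16:49:43:078 2824 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\Disk, Driver Name: Disk
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_CREATE : F763DBB0
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F9739
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_READ : F7637D1F
16:49:43:078 2824 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_CREATE : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 8A6A8841
16:49:43:078 2824 DetectCureTDL3: IRP_MJ_READ : 8A6A8841
16:49:45:296 2824 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_CREATE : F74A46F2
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F9739
16:49:45:296 2824 DetectCureTDL3: IRP_MJ_READ : 804F9739
"""

DRIVER_RE = re.compile(r"DRIVER_OBJECT name: \S+, Driver Name: (\w+)")
IRP_RE = re.compile(r"DetectCureTDL3: (IRP_MJ_\w+) : ([0-9A-F]{8})")

def parse_dispatch_tables(log_text):
    """Group the IRP_MJ_* lines under the DRIVER_OBJECT line that precedes them.
    Returns [(driver_name, {irp_major: address})] in log order; a driver can
    appear twice, here atapi before and after the cure."""
    tables, current = [], None
    for line in log_text.splitlines():
        if m := DRIVER_RE.search(line):
            current = {}
            tables.append((m.group(1), current))
        elif (m := IRP_RE.search(line)) and current is not None:
            current[m.group(1)] = int(m.group(2), 16)
    return tables

def dispatch_verdict(handlers):
    """The check TDSSKiller logs above: every IRP_MJ entry resolving to one
    address is the TDL3 hook pattern. A clean table has several entry points;
    its unimplemented majors share the kernel's default handler (804F9739
    here), so repetition alone is normal and we count distinct addresses."""
    distinct = set(handlers.values())
    if len(handlers) >= 2 and len(distinct) == 1:
        addr = next(iter(distinct))
        return f"infected: all {len(handlers)} IRP handlers point to {addr:08X}"
    return f"clean: {len(distinct)} distinct handler addresses"

def analyse_log(log_text):
    return [(name, dispatch_verdict(h)) for name, h in parse_dispatch_tables(log_text)]
```

Run `analyse_log(open("tdsskiller.log").read())` on a full log to get one verdict per dispatch table in the order the tool walked the device stack.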


#13 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:08:00 AM

Posted 22 February 2010 - 06:39 PM

Hi,

tdsskiller removed the infection. Can you let me know if you are still getting the detections? Were you at any point getting redirected on Google? Is this still the case?

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#14 writerdude19

writerdude19
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:00 AM

Posted 23 February 2010 - 03:04 AM

Hello Myrti, good news and bad news.

Good news, Symantec no longer finds "Backdoor.Tidserv!inf" in the atapi.sys file.

Bad news, Symantec does find the virus in both "atapi.sys.tmp" located in C:\WINDOWS\system32\drivers and "atapi.sys.vir" located in C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers.

Haven't connected it to the internet yet, because of the aforementioned virus notifications.

Any thoughts?

Thanks in advance, writerdude19


#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:08:00 AM

Posted 26 February 2010 - 04:23 AM

Hi,

C:\qoobox is the quarantine of ComboFix; it is normal that the file is present there.
We did not delete/modify the tmp file, but it should not be recreated once you delete it.

regards myrti





