
HTTPS Tidserv Request pop-ups


  • This topic is locked
58 replies to this topic

#1 Parys

Parys

  • Members
  • 32 posts
  • OFFLINE
  • Gender:Female
  • Local time:03:35 AM

Posted 12 April 2010 - 08:53 PM

I'm not sure if this is the right section to post in, but I keep getting Norton warnings that "A recent attempt to attack your computer has been blocked."
Most of the time, the attack is called "HTTPS Tidserv Request" or something similar.
About 4 days ago, while searching google images, IE froze for a second. Something asked for permission to run, and I thought it was a program I recognized so I clicked "Allow". Soon after, Norton spammed me with warnings about things trying to attack my computer.

I did a scan, but it detected nothing. After giving up, and being annoyed, I searched google about the attacking URL. A few times, I was redirected to random advertising sites. But it hasn't happened many times.

I found out that many people were having the exact same problem, but I couldn't find a solution simple enough that I could understand. I system restored my computer in safe mode, to a date where I did not have this problem. But after a few hours, I began to be attacked again by the same URLs.

I've read many threads about this and came to the conclusion to make my own, despite it being a bit confusing to me. I'm hoping this problem can be fixed soon, because I do not know what this infection is doing to my computer, and that scares me.

I'm not very good at computer things at all, but here are the DDS and HijackThis logs..


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:09:35 PM, on 4/12/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\windows\system32\Dwm.exe
C:\windows\system32\taskhost.exe
C:\windows\Explorer.EXE
C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TECO\TEco.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\Electronic Arts\EADM\EACoreServer.exe
C:\Program Files\Electronic Arts\EADM\EADownloadManager\EADownloadManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\IPSBHO.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\coIEPlg.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [ToshibaServiceStation] "C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
O4 - HKLM\..\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe
O4 - HKLM\..\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
O4 - HKLM\..\Run: [TWebCamera] "%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
O4 - HKLM\..\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
O4 - HKLM\..\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
O4 - HKLM\..\Run: [NortonOnlineBackupReminder] "C:\Program Files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" UNATTENDED
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM\aim.exe" /d locale=en-US
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MIF5BA~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MIF5BA~1\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIF5BA~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...etup1.0.1.1.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGam...1/GAME_UNO1.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.jp/3drender/rendere...eb.2007.4.4.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: AMD External Events Utility - AMD - C:\windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree WiMAX Service (cfWiMAXService) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
O23 - Service: TOSHIBA Modem region select service (RSELSVC) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe
O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA eco Utility Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TECO\TecoService.exe
O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
O23 - Service: TPCH Service (TPCHSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe

--
End of file - 11495 bytes
=====================

DDS (Ver_10-03-17.01) - NTFSx86
Run by MissParys at 18:23:38.14 on Mon 04/12/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2812.1010 [GMT -7:00]


============== Running Processes ===============

C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\atieclxx.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\Dwm.exe
C:\windows\system32\taskhost.exe
C:\windows\Explorer.EXE
C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TECO\TEco.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\Electronic Arts\EADM\EACoreServer.exe
C:\Program Files\Electronic Arts\EADM\EADownloadManager\EADownloadManager.exe
C:\Nexon\Mabinogi\client.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\system32\SearchProtocolHost.exe
C:\Users\MissParys\Desktop\dds.scr
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.6.0.32\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.6.0.32\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.6.0.32\coIEPlg.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [<NO NAME>]
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [ToshibaServiceStation] "c:\program files\toshiba\toshiba service station\ToshibaServiceStation.exe" /hide:60
mRun: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe
mRun: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
mRun: [TWebCamera] "%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosWaitSrv.exe
mRun: [NortonOnlineBackupReminder] "c:\program files\toshiba\toshiba online backup\activation\TobuActivation.exe" UNATTENDED
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mif5ba~1\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/WebfettiInitialSetup1.0.1.1.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.jp/3drender/renderer/mabiweb.2007.4.4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
mASetup: {01250B8F-D947-4F8A-9408-FE8E3EE2EC92} - c:\program files\toshiba\my toshiba\MyToshiba.exe /SETUP

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1106000.020\symds.sys [2010-4-12 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1106000.020\symefa.sys [2010-4-12 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20100324.001\BHDrvx86.sys [2010-3-24 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1106000.020\cchpx86.sys [2010-4-12 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20100409.001\IDSvix86.sys [2010-4-12 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1106000.020\ironx86.sys [2010-4-12 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1106000.020\symtdiv.sys [2010-4-12 340016]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-9-19 176128]
R2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\toshiba\configfree\CFIWmxSvcs.exe [2009-8-10 185712]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2009-3-10 46448]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2010-3-30 1107336]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.6.0.32\ccsvchst.exe [2010-4-12 126392]
R2 RSELSVC;TOSHIBA Modem region select service;c:\program files\toshiba\rselect\RSelSvc.exe [2009-7-7 62832]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\toshiba\teco\TecoService.exe [2009-8-11 185712]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\drivers\TVALZFL.sys [2009-6-19 12920]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2009-9-19 7680]
R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [2009-9-19 24064]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-9-19 187392]
R3 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2009-9-19 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-9-17 111960]
R3 TPCHSrv;TPCH Service;c:\program files\toshiba\tphm\TPCHSrv.exe [2009-8-6 685424]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

=============== Created Last 30 ================

2010-04-13 01:08:51 0 d-----w- c:\program files\Trend Micro
2010-04-12 10:22:18 0 d-----w- c:\windows\system32\drivers\NIS
2010-04-12 10:22:16 0 d-----w- c:\program files\Norton Internet Security
2010-04-12 09:49:57 65536 --sha-w- c:\users\missparys\ntuser.dat{dec6ad17-4615-11df-a92f-9fc2e9f184ab}.TM.blf
2010-04-12 09:49:57 524288 --sha-w- c:\users\missparys\ntuser.dat{dec6ad17-4615-11df-a92f-9fc2e9f184ab}.TMContainer00000000000000000002.regtrans-ms
2010-04-12 09:49:57 524288 --sha-w- c:\users\missparys\ntuser.dat{dec6ad17-4615-11df-a92f-9fc2e9f184ab}.TMContainer00000000000000000001.regtrans-ms
2010-04-12 09:46:59 977920 ----a-w- c:\windows\system32\wininet.dll
2010-04-11 07:40:07 0 d-----w- c:\windows\system32\Wat
2010-04-09 07:23:25 0 d-----w- c:\programdata\NCH Software
2010-04-09 07:23:18 0 d-----w- c:\program files\NCH Software
2010-04-08 04:45:21 5775 ----a-w- c:\programdata\vacache.dat
2010-04-08 04:45:04 0 d-----w- c:\programdata\system
2010-04-08 04:45:04 0 d-----w- c:\programdata\package
2010-04-08 04:45:04 0 d-----w- c:\programdata\mp3
2010-04-08 04:45:04 0 d-----w- c:\programdata\movie
2010-04-08 04:45:04 0 d-----w- c:\programdata\HShield
2010-04-08 04:44:20 4 ----a-w- c:\programdata\version.dat
2010-04-08 04:43:27 5775 ----a-w- c:\programdata\va.dat
2010-04-08 04:43:27 2348334 ----a-w- c:\programdata\Skill.dll
2010-04-08 04:43:27 111104 ----a-w- c:\programdata\Uploader.dat
2010-04-08 04:43:26 621268 ----a-w- c:\programdata\Oasis.dll
2010-04-08 04:43:26 568832 ----a-w- c:\programdata\msvcp90.dll
2010-04-08 04:43:26 3550768 ----a-w- c:\programdata\Renderer2.dll
2010-04-08 04:43:26 3191820 ----a-w- c:\programdata\EXL.dll
2010-04-05 20:35:07 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-01 02:10:18 5775 ----a-w- c:\program files\vacache.dat
2010-04-01 02:09:16 0 d-----w- c:\program files\system
2010-04-01 02:09:16 0 d-----w- c:\program files\package
2010-04-01 02:09:16 0 d-----w- c:\program files\mp3
2010-04-01 02:09:16 0 d-----w- c:\program files\movie
2010-04-01 02:09:16 0 d-----w- c:\program files\HShield
2010-04-01 02:08:26 4 ----a-w- c:\program files\version.dat
2010-04-01 02:07:19 716 ----a-w- c:\program files\default.reg
2010-04-01 02:07:19 5775 ----a-w- c:\program files\va.dat
2010-04-01 02:07:19 352256 ----a-w- c:\program files\ijl15.dll
2010-04-01 02:07:19 111104 ----a-w- c:\program files\Uploader.dat
2010-03-31 19:15:37 0 d-----w- C:\Downloads
2010-03-31 18:59:37 0 d-----w- c:\users\misspa~1\appdata\roaming\Free Download Manager
2010-03-31 18:59:32 0 d-----w- c:\programdata\FreeDownloadManager.ORG
2010-03-31 18:59:32 0 d-----w- c:\program files\Free Download Manager
2010-03-30 22:24:57 0 d-----w- c:\program files\LogMeIn Hamachi
2010-03-25 07:37:26 0 d-----w- c:\program files\common files\Software Update Utility
2010-03-18 04:53:42 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-03-18 04:53:42 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-03-15 04:38:40 0 d-----w- c:\program files\THQICE

==================== Find3M ====================

2010-04-12 10:23:18 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-04-12 10:23:18 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-12 10:23:18 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-12 09:40:43 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-02-21 10:18:36 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-02-19 07:34:16 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2010-02-18 15:16:05 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-12 18:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-03 22:56:56 26176 ---ha-w- c:\windows\system32\hamachi.sys
2010-02-02 07:45:54 2048 ----a-w- c:\windows\system32\tzres.dll
2010-01-14 19:12:06 181120 ------w- c:\windows\system32\MpSigStub.exe
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-12-25 08:43:12 13 --sh--r- c:\windows\system32\drivers\fbd.sys
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 18:25:28.01 ===============


Attached File: Attach.txt (28.38KB, 12 downloads)
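The HijackThis and DDS output above is the post's own data. As an added example (not from the thread, and not one of BleepingComputer's or sUBs' tools), here is a small Python triage script that applies a few defender-side heuristics to lines in the two formats shown: BHO entries whose DLL is missing, ActiveX (O16 DPF) downloads from hosts outside an assumed allow-list, hidden or implausibly small driver files, and loose files dropped directly into the Program Files or ProgramData root. The attribute-column layout, the allow-list, the size threshold and the sample lines are assumptions drawn from the post's logs; a hit means "review by a human", not "malware".

```python
"""Heuristic triage of HijackThis / DDS log lines (added example, not a BleepingComputer tool)."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class Finding:
    line: str
    reason: str


# DDS "Created Last 30" / "Find3M" lines: date time size attrs path.
# Attribute layout is inferred from the log samples (assumption):
# index 0 'd' = directory, index 2 's' = system, index 3 'h' = hidden.
DDS_FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# HijackThis O2 (browser helper object) and O16 (DPF ActiveX download) entries.
HJT_BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<target>.+)$")
HJT_DPF_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}.*? - (?P<url>\S+)$")

# Assumed allow-list of hosts a reviewer would accept for ActiveX downloads.
KNOWN_DPF_HOSTS = {"java.sun.com", "messenger.zone.msn.com", "platformdl.adobe.com"}
# Files sitting directly in these roots belong to no application folder.
LOOSE_ROOTS = ("c:\\program files\\", "c:\\programdata\\")
# Assumed lower bound for a real kernel driver image.
MIN_DRIVER_BYTES = 1024


def check_hjt_line(line: str) -> Optional[Finding]:
    """Flag orphaned BHOs and DPF downloads from unlisted hosts."""
    s = line.strip()
    m = HJT_BHO_RE.match(s)
    if m and m["target"].strip().lower() == "(no file)":
        return Finding(line, "BHO registered but its DLL is missing (orphaned entry)")
    m = HJT_DPF_RE.match(s)
    if m:
        host = urlparse(m["url"]).hostname or ""
        if host not in KNOWN_DPF_HOSTS:
            return Finding(line, f"ActiveX download (DPF) from unlisted host {host}")
    return None


def check_dds_line(line: str) -> Optional[Finding]:
    """Flag hidden/tiny driver files and loose files under Program Files/ProgramData."""
    m = DDS_FILE_RE.match(line.strip())
    if not m:
        return None
    attrs, path, size = m["attrs"], m["path"].lower(), int(m["size"])
    if attrs[0] == "d":
        return None  # directories are not interesting here
    hidden = attrs[2] == "s" or attrs[3] == "h"
    is_driver = "\\drivers\\" in path and path.endswith(".sys")
    if is_driver and hidden:
        return Finding(line, "hidden/system attribute on a kernel driver file")
    if is_driver and size < MIN_DRIVER_BYTES:
        return Finding(line, f"driver file is only {size} bytes")
    for root in LOOSE_ROOTS:
        rest = path[len(root):]
        if path.startswith(root) and "\\" not in rest and rest.endswith((".dll", ".dat", ".reg", ".exe")):
            return Finding(line, f"loose file directly under {root}")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run both checkers over every line and collect the hits in log order."""
    findings = []
    for line in log_text.splitlines():
        f = check_hjt_line(line) or check_dds_line(line)
        if f:
            findings.append(f)
    return findings


# Constructed sample: a handful of lines copied from the logs in the post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...etup1.0.1.1.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
2010-04-12 10:23:18 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-12-25 08:43:12 13 --sh--r- c:\windows\system32\drivers\fbd.sys
2010-04-01 02:07:19 111104 ----a-w- c:\program files\Uploader.dat
2010-04-01 02:09:16 0 d-----w- c:\program files\HShield
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```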




#2 Parys

Parys
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Gender:Female
  • Local time:03:35 AM

Posted 16 April 2010 - 08:13 PM

I'm not sure if I forgot to post another log? Or did I do that right?

#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:11:35 AM

Posted 17 April 2010 - 04:39 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#4 Parys

Parys
  • Topic Starter

  • Members
  • 32 posts
  • Gender:Female
  • Local time:03:35 AM

Posted 17 April 2010 - 04:12 PM

Thank you for your help.

Last night I downloaded malwarebytes and it found 21 infected items in my registry, so it quarantined them and I removed them.
After a restart, I soon started getting the warnings again from Norton, so I did another scan with Malwarebytes but it found nothing.

Every couple of minutes, there's a new warning. Some are shown as High risk, Medium, and Info.

I mostly get this one in my Norton history: "Unauthorized access logged (Access Thread Data)"
And also ones like these, with different names and IP addresses: "An intrusion attempt by 34jh7alm94.asia has been blocked." Risk name is HTTPS Tidserv Request 2.

I also get something about: "Protecting your connection to a newly detected network on adapter "Teredo Tunneling Pseudo-Interface" (IP address: a random sequence of letters and symbols)"




DDS (Ver_10-03-17.01) - NTFSx86
Run by MissParys at 13:30:20.99 on Sat 04/17/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2812.1748 [GMT -7:00]


============== Running Processes ===============

C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\atieclxx.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ltmoh\ltmoh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\TOSHIBA\TECO\TEco.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\windows\system32\taskeng.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\windows\system32\sppsvc.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\windows\servicing\TrustedInstaller.exe
C:\Users\MissParys\Desktop\dds.scr
C:\windows\system32\conhost.exe
C:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.6.0.32\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.6.0.32\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.6.0.32\coIEPlg.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
mRun: [<NO NAME>]
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [ToshibaServiceStation] "c:\program files\toshiba\toshiba service station\ToshibaServiceStation.exe" /hide:60
mRun: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe
mRun: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
mRun: [TWebCamera] "%ProgramFiles%\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
mRun: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosWaitSrv.exe
mRun: [NortonOnlineBackupReminder] "c:\program files\toshiba\toshiba online backup\activation\TobuActivation.exe" UNATTENDED
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mif5ba~1\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.jp/3drender/renderer/mabiweb.2007.4.4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
mASetup: {01250B8F-D947-4F8A-9408-FE8E3EE2EC92} - c:\program files\toshiba\my toshiba\MyToshiba.exe /SETUP

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1106000.020\symds.sys [2010-4-12 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1106000.020\symefa.sys [2010-4-12 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20100324.001\BHDrvx86.sys [2010-3-24 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1106000.020\cchpx86.sys [2010-4-12 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20100415.001\IDSvix86.sys [2010-4-16 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1106000.020\ironx86.sys [2010-4-12 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1106000.020\symtdiv.sys [2010-4-12 340016]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-9-19 176128]
R2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\toshiba\configfree\CFIWmxSvcs.exe [2009-8-10 185712]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2009-3-10 46448]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2010-3-30 1107336]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\17.6.0.32\ccsvchst.exe [2010-4-12 126392]
R2 RSELSVC;TOSHIBA Modem region select service;c:\program files\toshiba\rselect\RSelSvc.exe [2009-7-7 62832]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\toshiba\teco\TecoService.exe [2009-8-11 185712]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\drivers\TVALZFL.sys [2009-6-19 12920]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-4-12 102448]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2009-9-19 7680]
R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [2009-9-19 24064]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-9-19 187392]
R3 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2009-9-19 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-9-17 111960]
R3 TPCHSrv;TPCH Service;c:\program files\toshiba\tphm\TPCHSrv.exe [2009-8-6 685424]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-5 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

=============== Created Last 30 ================

2010-04-17 09:24:09 0 d-----w- c:\users\misspa~1\appdata\roaming\Malwarebytes
2010-04-17 09:23:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-17 09:23:57 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-17 09:23:57 0 d-----w- c:\programdata\Malwarebytes
2010-04-17 09:23:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-17 08:28:09 0 d-----w- c:\users\misspa~1\appdata\roaming\DanceMixer
2010-04-17 08:28:09 0 d-----w- c:\program files\DanceMixer
2010-04-14 01:59:02 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 01:59:02 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 01:58:25 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 01:58:17 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 01:58:13 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 01:58:12 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 01:58:12 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 01:56:54 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 01:08:51 0 d-----w- c:\program files\Trend Micro
2010-04-12 10:22:18 0 d-----w- c:\windows\system32\drivers\NIS
2010-04-12 10:22:16 0 d-----w- c:\program files\Norton Internet Security
2010-04-12 09:49:57 65536 --sha-w- c:\users\missparys\ntuser.dat{dec6ad17-4615-11df-a92f-9fc2e9f184ab}.TM.blf
2010-04-12 09:49:57 524288 --sha-w- c:\users\missparys\ntuser.dat{dec6ad17-4615-11df-a92f-9fc2e9f184ab}.TMContainer00000000000000000002.regtrans-ms
2010-04-12 09:49:57 524288 --sha-w- c:\users\missparys\ntuser.dat{dec6ad17-4615-11df-a92f-9fc2e9f184ab}.TMContainer00000000000000000001.regtrans-ms
2010-04-12 09:46:59 977920 ----a-w- c:\windows\system32\wininet.dll
2010-04-11 07:40:07 0 d-----w- c:\windows\system32\Wat
2010-04-09 07:23:25 0 d-----w- c:\programdata\NCH Software
2010-04-09 07:23:18 0 d-----w- c:\program files\NCH Software
2010-04-08 04:45:21 5775 ----a-w- c:\programdata\vacache.dat
2010-04-08 04:45:04 0 d-----w- c:\programdata\system
2010-04-08 04:45:04 0 d-----w- c:\programdata\package
2010-04-08 04:45:04 0 d-----w- c:\programdata\mp3
2010-04-08 04:45:04 0 d-----w- c:\programdata\movie
2010-04-08 04:45:04 0 d-----w- c:\programdata\HShield
2010-04-08 04:44:20 4 ----a-w- c:\programdata\version.dat
2010-04-08 04:43:27 5775 ----a-w- c:\programdata\va.dat
2010-04-08 04:43:27 2348334 ----a-w- c:\programdata\Skill.dll
2010-04-08 04:43:27 111104 ----a-w- c:\programdata\Uploader.dat
2010-04-08 04:43:26 621268 ----a-w- c:\programdata\Oasis.dll
2010-04-08 04:43:26 568832 ----a-w- c:\programdata\msvcp90.dll
2010-04-08 04:43:26 3550768 ----a-w- c:\programdata\Renderer2.dll
2010-04-08 04:43:26 3191820 ----a-w- c:\programdata\EXL.dll
2010-04-05 20:35:07 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-01 02:10:18 5775 ----a-w- c:\program files\vacache.dat
2010-04-01 02:09:16 0 d-----w- c:\program files\system
2010-04-01 02:09:16 0 d-----w- c:\program files\package
2010-04-01 02:09:16 0 d-----w- c:\program files\mp3
2010-04-01 02:09:16 0 d-----w- c:\program files\movie
2010-04-01 02:09:16 0 d-----w- c:\program files\HShield
2010-04-01 02:08:26 4 ----a-w- c:\program files\version.dat
2010-04-01 02:07:19 716 ----a-w- c:\program files\default.reg
2010-04-01 02:07:19 5775 ----a-w- c:\program files\va.dat
2010-04-01 02:07:19 352256 ----a-w- c:\program files\ijl15.dll
2010-04-01 02:07:19 111104 ----a-w- c:\program files\Uploader.dat
2010-03-31 19:15:37 0 d-----w- C:\Downloads
2010-03-31 18:59:37 0 d-----w- c:\users\misspa~1\appdata\roaming\Free Download Manager
2010-03-31 18:59:32 0 d-----w- c:\programdata\FreeDownloadManager.ORG
2010-03-31 18:59:32 0 d-----w- c:\program files\Free Download Manager
2010-03-30 22:24:57 0 d-----w- c:\program files\LogMeIn Hamachi
2010-03-25 07:37:26 0 d-----w- c:\program files\common files\Software Update Utility

==================== Find3M ====================

2010-04-12 10:23:18 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-04-12 10:23:18 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-12 10:23:18 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-12 09:40:43 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-02-21 10:18:36 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-02-19 07:34:16 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2010-02-18 15:16:05 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-12 18:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-03 22:56:56 26176 ---ha-w- c:\windows\system32\hamachi.sys
2010-02-02 07:45:54 2048 ----a-w- c:\windows\system32\tzres.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-12-25 08:43:12 13 --sh--r- c:\windows\system32\drivers\fbd.sys
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 13:32:16.66 ===============


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-17 13:46:50
Windows 6.1.7600
Running: 2v7dgihj.exe; Driver: C:\Users\MISSPA~1\AppData\Local\Temp\kwtdyuow.sys


---- System - GMER 1.0.15 ----

SSDT 86C65048 ZwAlertResumeThread
SSDT 86C5BD00 ZwAlertThread
SSDT 86CBA470 ZwAllocateVirtualMemory
SSDT 86AF2230 ZwAlpcConnectPort
SSDT 86CB7078 ZwAssignProcessToJobObject
SSDT 86CC2EC0 ZwCreateMutant
SSDT 86CC6D78 ZwCreateSymbolicLinkObject
SSDT 86CB75B0 ZwCreateThread
SSDT 86CC51D0 ZwCreateThreadEx
SSDT 86C90730 ZwDebugActiveProcess
SSDT 86CBA688 ZwDuplicateObject
SSDT 86CB8E78 ZwFreeVirtualMemory
SSDT 86C72F50 ZwImpersonateAnonymousToken
SSDT 86C63960 ZwImpersonateThread
SSDT 86ADF458 ZwLoadDriver
SSDT 86CB8D58 ZwMapViewOfSection
SSDT 86C7A048 ZwOpenEvent
SSDT 86CBA928 ZwOpenProcess
SSDT 86C3F1C0 ZwOpenProcessToken
SSDT 86C7C048 ZwOpenSection
SSDT 86CBA7D8 ZwOpenThread
SSDT 86CC5930 ZwProtectVirtualMemory
SSDT 86C59048 ZwResumeThread
SSDT 86C48CF0 ZwSetContextThread
SSDT 86CB8B00 ZwSetInformationProcess
SSDT 86C90048 ZwSetSystemInformation
SSDT 86C5D048 ZwSuspendProcess
SSDT 86C4B048 ZwSuspendThread
SSDT 86C32D38 ZwTerminateProcess
SSDT 86C483F8 ZwTerminateThread
SSDT 86C41430 ZwUnmapViewOfSection
SSDT 86CBA1A0 ZwWriteVirtualMemory

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83030AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83030104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830303F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830192D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83018898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830301DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83030958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830306F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83030F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830311A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 83090599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830B4F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 224 830BC734 8 Bytes [48, 50, C6, 86, 00, BD, C5, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 830BC74C 4 Bytes [70, A4, CB, 86]
.text ntkrnlpa.exe!RtlSidHashLookup + 248 830BC758 4 Bytes [30, 22, AF, 86]
.text ntkrnlpa.exe!RtlSidHashLookup + 29C 830BC7AC 4 Bytes [78, 70, CB, 86]
.text ntkrnlpa.exe!RtlSidHashLookup + 318 830BC828 4 Bytes [C0, 2E, CC, 86]
.text ...
? System32\Drivers\spav.sys The system cannot find the path specified. !
.text C:\windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8B353000, 0x3C849, 0xE8000020]
.dsrt C:\windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8B398000, 0x3DC, 0x48000040]
.text C:\windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9220D000, 0x2D5526, 0xE8000020]
.text USBPORT.SYS!DllUnload 93037CA0 5 Bytes JMP 878231D8
.text ajznmdq1.SYS 930F4000 12 Bytes [44, B8, 01, 83, EE, B6, 01, ...] {INC ESP; MOV EAX, 0xb6ee8301; ADD [EBX-0x7cfe6860], EAX}
.text ajznmdq1.SYS 930F400D 9 Bytes [97, 01, 83, 48, BB, 01, 83, ...] {XCHG EDI, EAX; ADD [EBX-0x7cfe44b8], EAX; ADD [EAX], AL}
.text ajznmdq1.SYS 930F4017 79 Bytes [00, DE, D7, D0, 8A, E6, D5, ...]
.text ajznmdq1.SYS 930F4067 90 Bytes [83, 40, F8, 08, 83, C0, CA, ...]
.text ajznmdq1.SYS 930F40C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text peauth.sys 9A164C9D 28 Bytes [D5, FB, DB, BF, 3E, 7E, 12, ...]
.text peauth.sys 9A164CC1 28 Bytes [D5, FB, DB, BF, 3E, 7E, 12, ...]
PAGE peauth.sys 9A16AE20 101 Bytes [0B, 89, 81, F4, E5, F8, D9, ...]
PAGE peauth.sys 9A16B02C 102 Bytes [56, 89, B1, 3C, EE, 86, F0, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\windows\system32\svchost.exe[1060] ntdll.dll!NtProtectVirtualMemory 76FD5360 5 Bytes JMP 0016000A
.text C:\windows\system32\svchost.exe[1060] ntdll.dll!NtWriteVirtualMemory 76FD5EE0 5 Bytes JMP 0017000A
.text C:\windows\system32\svchost.exe[1060] ntdll.dll!KiUserExceptionDispatcher 76FD6448 5 Bytes JMP 0015000A
.text C:\windows\system32\svchost.exe[1060] ole32.dll!CoCreateInstance 755257FC 5 Bytes JMP 00EE000A
.text C:\windows\system32\svchost.exe[1060] USER32.dll!GetCursorPos 7654C198 5 Bytes JMP 00EF000A
.text C:\windows\Explorer.EXE[2424] ntdll.dll!NtProtectVirtualMemory 76FD5360 5 Bytes JMP 0049000A
.text C:\windows\Explorer.EXE[2424] ntdll.dll!NtWriteVirtualMemory 76FD5EE0 5 Bytes JMP 004A000A
.text C:\windows\Explorer.EXE[2424] ntdll.dll!KiUserExceptionDispatcher 76FD6448 5 Bytes JMP 0048000A
.text C:\Program Files\Pando Networks\Media Booster\PMB.exe[2600] kernel32.dll!SetUnhandledExceptionFilter 76F03162 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8AC11042] \SystemRoot\System32\Drivers\spav.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8AC116D6] \SystemRoot\System32\Drivers\spav.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8AC11800] \SystemRoot\System32\Drivers\spav.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8AC1113E] \SystemRoot\System32\Drivers\spav.sys
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortNotification] 00147880
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortStallExecution] C25DC033
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortInitialize] 157B805E
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 864791F8

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\volmgr \Device\VolMgrControl 857C01F8
Device \Driver\usbohci \Device\USBPDO-0 878031F8
Device \Driver\usbohci \Device\USBPDO-1 878031F8
Device \Driver\usbehci \Device\USBPDO-2 8781F1F8
Device \Driver\usbohci \Device\USBPDO-3 878031F8
Device \Driver\usbohci \Device\USBPDO-4 878031F8

AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbehci \Device\USBPDO-5 8781F1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{E85A0974-B3BD-4192-9280-E058C6D36FD3} 86B931F8
Device \Driver\volmgr \Device\HarddiskVolume1 857C01F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000058 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume2 857C01F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 869B41F8
Device \Driver\cdrom \Device\CdRom1 869B41F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 857C21F8
Device \Driver\atapi \Device\Ide\IdePort0 857C21F8
Device \Driver\atapi \Device\Ide\IdePort1 857C21F8
Device \Driver\atapi \Device\Ide\IdePort2 857C21F8
Device \Driver\atapi \Device\Ide\IdePort3 857C21F8
Device \Driver\atapi \Device\Ide\IdePort4 857C21F8
Device \Driver\atapi \Device\Ide\IdePort5 857C21F8
Device \Driver\msahci \Device\Ide\PciIde0Channel0 857C31F8
Device \Driver\msahci \Device\Ide\PciIde0Channel1 857C31F8
Device \Driver\msahci \Device\Ide\PciIde0Channel2 857C31F8
Device \Driver\msahci \Device\Ide\PciIde0Channel3 857C31F8
Device \Driver\msahci \Device\Ide\PciIde0Channel4 857C31F8
Device \Driver\msahci \Device\Ide\PciIde0Channel5 857C31F8
Device \Driver\PCI_PNP8639 \Device\00000066 spav.sys
Device \Driver\volmgr \Device\HarddiskVolume3 857C01F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\NetBT \Device\NetBt_Wins_Export 86B931F8

AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbohci \Device\USBFDO-0 878031F8
Device \Driver\usbohci \Device\USBFDO-1 878031F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{1C832CF3-F3E0-4F7C-931F-1CFCAE5C41C7} 86B931F8
Device \Driver\usbehci \Device\USBFDO-2 8781F1F8
Device \Driver\usbohci \Device\USBFDO-3 878031F8
Device \Driver\sptd \Device\4082676650 spav.sys
Device \Driver\usbohci \Device\USBFDO-4 878031F8
Device \Driver\usbehci \Device\USBFDO-5 8781F1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{ED0AC351-6E28-424E-BA68-EF42B2EE8FB7} 86B931F8
Device \Driver\ajznmdq1 \Device\Scsi\ajznmdq11Port6Path0Target0Lun0 86E03500
Device \Driver\ajznmdq1 \Device\Scsi\ajznmdq11 86E03500
Device -> \Driver\atapi \Device\Harddisk0\DR0 86A6FAC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0x0D 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0C 0x4F 0xAA 0xD0 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x46 0x4A 0x15 0x57 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x6F 0xC8 0xA0 0x65 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0x0D 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0C 0x4F 0xAA 0xD0 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x46 0x4A 0x15 0x57 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x6F 0xC8 0xA0 0x65 ...

---- Files - GMER 1.0.15 ----

File C:\windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Attached Files
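A small triage script for the GMER and Stealth MBR detector output posted in this thread, added here as an example (it is not GMER's code and is not part of the helper's instructions): it parses the line formats shown above, groups the IAT hook lines by the driver that owns them, ties those drivers to the device objects they serve, and pulls out GMER's "suspicious modification" lines and the MBR detector's unknown-module and hook markers. The `looks_generated` heuristic and every function name are this example's own assumptions.

```python
"""Triage a GMER / Stealth MBR detector log as pasted in this thread.
Added example, not GMER's own code: it only summarises what the log
already states, in the order a malware responder reads it."""
import re
from collections import defaultdict

# Excerpt of the log posted above, trimmed to the lines that matter.
SAMPLE_LOG = r"""
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
IAT \SystemRoot\System32\Drivers\ajznmdq1.SYS[ataport.SYS!AtaPortInitialize] 157B805E
Device \Driver\atapi \Device\Ide\IdePort0 857C21F8
Device \Driver\ajznmdq1 \Device\Scsi\ajznmdq11Port6Path0Target0Lun0 86E03500
Device \Driver\ajznmdq1 \Device\Scsi\ajznmdq11 86E03500
Device -> \Driver\atapi \Device\Harddisk0\DR0 86A6FAC8
File C:\windows\system32\drivers\atapi.sys suspicious modification
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x867E4AC8]<<
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
user & kernel MBR OK
"""

# One regex per line type in the log (names are this example's own).
IAT_RE = re.compile(r"^IAT\s+(?P<owner>[^\[\s]+)\[(?P<module>[^!\]]+)!(?P<func>[^\]]+)\]")
DEVICE_RE = re.compile(r"^Device\s+(?:->\s+)?\\Driver\\(?P<driver>[^\s\\]+)\s+(?P<device>\S+)")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<")
SUSPICIOUS = " suspicious modification"


def driver_stem(path):
    """'\\SystemRoot\\...\\ajznmdq1.SYS' -> 'ajznmdq1'."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def looks_generated(stem):
    """Weak heuristic for an auto-generated driver name: short lowercase
    alphanumeric stem containing a digit and fewer than three vowels."""
    return (re.fullmatch(r"[a-z0-9]{6,10}", stem) is not None
            and any(c.isdigit() for c in stem)
            and sum(c in "aeiou" for c in stem) < 3)


def parse_gmer(text):
    """Collect IAT hooks per owning driver, the device objects those drivers
    serve, GMER's 'suspicious modification' files and MBR detector markers."""
    hooks = defaultdict(lambda: {"modules": set(), "funcs": []})
    devices = defaultdict(list)
    suspicious, mbr_hooks, unknown = [], [], None
    in_hooks = False
    for line in (l.strip() for l in text.splitlines()):
        if in_hooks and " -> " in line:   # entries under 'detected MBR rootkit hooks:'
            mbr_hooks.append(line)
            continue
        in_hooks = line == "detected MBR rootkit hooks:"
        m = IAT_RE.match(line)
        if m:
            entry = hooks[driver_stem(m["owner"])]
            entry["modules"].add(m["module"])
            entry["funcs"].append(m["func"])
            continue
        m = DEVICE_RE.match(line)
        if m:
            devices[m["driver"].lower()].append(m["device"])
            continue
        if line.startswith("File ") and line.endswith(SUSPICIOUS):
            suspicious.append(line[len("File "):-len(SUSPICIOUS)])
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            unknown = m["addr"]
    owners = {stem: {"hooked_imports": len(e["funcs"]), "modules": sorted(e["modules"]),
                     "devices": devices.get(stem, []),  # same driver also serving device objects
                     "generated_name": looks_generated(stem)}
              for stem, e in hooks.items()}
    return {"iat_owners": owners, "suspicious_files": suspicious,
            "mbr_unknown_module": unknown, "mbr_hooks": mbr_hooks}


def triage(text):
    """Human-readable summary, one line per point a responder would raise."""
    r, notes = parse_gmer(text), []
    for stem, f in r["iat_owners"].items():
        flags = (["auto-generated-looking name"] if f["generated_name"] else []) + \
                ([f"serves {len(f['devices'])} device object(s)"] if f["devices"] else [])
        notes.append(f"driver {stem}: {f['hooked_imports']} imports hooked from "
                     f"{', '.join(f['modules'])}" + (f" [{'; '.join(flags)}]" if flags else ""))
    notes += [f"GMER: {p} suspicious modification" for p in r["suspicious_files"]]
    if r["mbr_unknown_module"]:
        notes.append(f"MBR detector: unnamed module in call chain at {r['mbr_unknown_module']}")
    notes += [f"MBR detector hook: {h}" for h in r["mbr_hooks"]]
    return notes


if __name__ == "__main__":
    for note in triage(SAMPLE_LOG):
        print("-", note)
```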



#5 schrauber

schrauber
  • Mr.Mechanic
  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 18 April 2010 - 03:16 PM

Hello, Parys
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

Please go here and have a look at how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#6 Parys

Parys
  • Topic Starter
  • Members
  • 32 posts
  • Gender:Female

Posted 18 April 2010 - 05:38 PM

Hi Tom, here is the Combofix log:

ComboFix 10-04-17.07 - MissParys 04/18/2010 15:12:42.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2812.2088 [GMT -7:00]
Running from: c:\users\MissParys\Desktop\schrauber.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1799038017-1650993832-2483708768-500
c:\programdata\EXL.dll
c:\programdata\Oasis.dll
c:\programdata\Renderer2.dll
c:\programdata\Skill.dll
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))
.

2010-04-18 22:06 . 2010-04-18 22:07 -------- d-----w- C:\32788R22FWJFW
2010-04-18 22:04 . 2010-04-12 21:58 84912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100418.002\NAVENG.SYS
2010-04-18 22:04 . 2010-04-12 21:58 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100418.002\NAVENG32.DLL
2010-04-18 22:04 . 2010-04-12 21:58 1647984 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100418.002\NAVEX32A.DLL
2010-04-18 22:04 . 2010-04-12 21:58 1324720 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100418.002\NAVEX15.SYS
2010-04-18 22:04 . 2010-04-12 21:58 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100418.002\EECTRL.SYS
2010-04-18 22:04 . 2010-04-12 21:58 2747440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100418.002\CCERASER.DLL
2010-04-18 22:04 . 2010-04-12 21:58 259440 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100418.002\ECMSVR32.DLL
2010-04-18 22:04 . 2010-04-12 21:58 102448 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100418.002\ERASER.SYS
2010-04-18 09:45 . 2010-04-18 09:45 -------- d-----w- c:\windows\Sun
2010-04-17 09:24 . 2010-04-17 09:24 -------- d-----w- c:\users\MissParys\AppData\Roaming\Malwarebytes
2010-04-17 09:23 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-17 09:23 . 2010-04-17 09:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-17 09:23 . 2010-04-17 09:23 -------- d-----w- c:\programdata\Malwarebytes
2010-04-17 09:23 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-17 01:19 . 2010-02-04 01:40 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100415.001\Scxpx86.dll
2010-04-17 01:19 . 2010-02-04 01:40 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100415.001\IDSxpx86.dll
2010-04-17 01:19 . 2010-02-04 01:40 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100415.001\IDSviA64.sys
2010-04-17 01:19 . 2010-02-04 01:40 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100415.001\IDSvix86.sys
2010-04-17 01:19 . 2010-02-04 01:40 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100415.001\IDSXpx86.sys
2010-04-14 01:59 . 2010-02-27 12:07 3954568 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 01:59 . 2010-02-27 12:07 3899280 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 01:58 . 2009-12-29 06:55 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 01:58 . 2010-03-08 21:33 427520 ----a-w- c:\windows\system32\vbscript.dll
2010-04-14 01:58 . 2010-02-27 07:32 221696 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 01:58 . 2010-02-27 07:32 95744 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 01:58 . 2010-02-27 07:32 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 01:56 . 2010-01-09 06:52 132608 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 01:08 . 2010-04-13 01:08 -------- d-----w- c:\program files\Trend Micro
2010-04-12 10:23 . 2010-03-25 23:29 786800 ----a-r- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
2010-04-12 10:23 . 2010-02-27 00:20 164216 ----a-r- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\components\IPSFFPl.dll
2010-04-12 10:22 . 2010-02-04 01:40 466992 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\BinHub\idsvia64.sys
2010-04-12 10:22 . 2010-02-04 01:40 343088 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\BinHub\idsvix86.sys
2010-04-12 10:22 . 2010-02-04 01:40 329592 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\BinHub\idsxpx86.sys
2010-04-12 10:22 . 2010-02-04 01:40 811896 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\BinHub\scxpx86.dll
2010-04-12 10:22 . 2010-02-04 01:40 488312 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\BinHub\idsxpx86.dll
2010-04-12 10:22 . 2010-01-19 22:45 968560 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\OCS\hsplayer.dll
2010-04-12 10:22 . 2009-09-01 08:27 892272 ------w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\CLT\cltLMSx.dll
2010-04-12 10:22 . 2010-04-12 10:23 -------- d-----w- c:\windows\system32\drivers\NIS
2010-04-12 10:22 . 2010-04-12 10:22 -------- d-----w- c:\program files\Norton Internet Security
2010-04-12 10:01 . 2010-04-17 08:27 -------- d-----w- c:\program files\QuickTime
2010-04-12 09:50 . 2010-04-18 22:06 -------- d-----w- c:\users\MissParys\AppData\Local\PMB Files
2010-04-12 09:46 . 2010-02-23 07:56 977920 ----a-w- c:\windows\system32\wininet.dll
2010-04-11 07:40 . 2010-04-12 09:40 -------- d-----w- c:\windows\system32\Wat
2010-04-09 07:23 . 2010-04-09 07:23 -------- d-----w- c:\programdata\NCH Software
2010-04-09 07:23 . 2010-04-09 07:23 -------- d-----w- c:\program files\NCH Software
2010-04-08 04:45 . 2010-04-12 09:40 -------- d-----w- c:\programdata\HShield
2010-04-08 04:45 . 2010-04-11 02:22 -------- d-----w- c:\programdata\mp3
2010-04-08 04:45 . 2010-04-09 08:11 -------- d-----w- c:\programdata\package
2010-04-08 04:45 . 2010-04-08 04:45 -------- d-----w- c:\programdata\system
2010-04-08 04:45 . 2010-04-08 04:45 -------- d-----w- c:\programdata\movie
2010-04-08 04:43 . 2007-11-07 09:19 568832 ----a-w- c:\programdata\msvcp90.dll
2010-04-05 20:35 . 2010-04-05 20:35 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-01 02:10 . 2010-03-26 03:00 5775 ----a-w- c:\program files\vacache.dat
2010-04-01 02:09 . 2010-04-12 09:40 -------- d-----w- c:\program files\HShield
2010-04-01 02:09 . 2010-04-07 05:31 -------- d-----w- c:\program files\mp3
2010-04-01 02:09 . 2010-04-01 02:09 -------- d-----w- c:\program files\system
2010-04-01 02:09 . 2010-04-01 02:09 -------- d-----w- c:\program files\package
2010-04-01 02:09 . 2010-04-01 02:09 -------- d-----w- c:\program files\movie
2010-04-01 02:08 . 2010-03-26 03:32 4 ----a-w- c:\program files\version.dat
2010-04-01 02:07 . 2010-03-26 03:00 5775 ----a-w- c:\program files\va.dat
2010-04-01 02:07 . 2009-06-26 21:58 716 ----a-w- c:\program files\default.reg
2010-04-01 02:07 . 2008-12-04 23:41 111104 ----a-w- c:\program files\Uploader.dat
2010-04-01 02:07 . 2002-08-27 00:45 352256 ----a-w- c:\program files\ijl15.dll
2010-03-31 19:15 . 2010-03-31 19:15 -------- d-----w- C:\Downloads
2010-03-31 18:59 . 2010-04-12 08:57 -------- d-----w- c:\users\MissParys\AppData\Roaming\Free Download Manager
2010-03-31 18:59 . 2010-04-12 09:40 -------- d-----w- c:\program files\Free Download Manager
2010-03-31 18:59 . 2010-03-31 18:59 -------- d-----w- c:\programdata\FreeDownloadManager.ORG
2010-03-30 22:24 . 2010-04-12 09:40 -------- d-----w- c:\program files\LogMeIn Hamachi
2010-03-25 07:37 . 2010-03-25 07:37 -------- d-----w- c:\program files\Common Files\Software Update Utility
2010-03-24 20:38 . 2010-03-24 20:38 536112 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHDrvx86.sys
2010-03-24 20:38 . 2010-03-24 20:38 201616 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHRules.dll
2010-03-24 20:38 . 2010-03-24 20:38 1407888 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHEngine.dll
2010-03-24 20:38 . 2010-03-24 20:38 678960 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHDrvx64.sys
2010-03-24 20:38 . 2010-03-24 20:38 611216 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\bbRGen.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 22:25 . 2010-01-08 02:53 -------- d-----w- c:\program files\Common Files\Akamai
2010-04-17 09:55 . 2009-12-25 08:50 -------- d-----w- c:\programdata\PMB Files
2010-04-17 06:09 . 2010-01-08 04:08 -------- d-----w- c:\programdata\FLEXnet
2010-04-13 01:22 . 2009-12-25 19:25 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-12 21:41 . 2009-09-19 22:55 -------- d-----w- c:\program files\NortonInstaller
2010-04-12 10:23 . 2009-12-25 19:25 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-04-12 10:23 . 2009-12-25 19:25 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-04-12 10:23 . 2009-12-25 19:25 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-04-12 10:23 . 2009-12-25 19:25 -------- d-----w- c:\program files\Symantec
2010-04-12 10:22 . 2009-09-19 22:55 -------- d-----w- c:\programdata\Norton
2010-04-12 10:15 . 2009-09-19 22:55 -------- d-----w- c:\programdata\NortonInstaller
2010-04-12 10:00 . 2010-01-04 06:19 -------- d-----w- c:\program files\Bonjour
2010-04-12 09:40 . 2009-07-13 23:11 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-04-12 09:40 . 2010-01-29 08:00 -------- d-----w- c:\users\MissParys\AppData\Roaming\BitTorrent
2010-04-12 09:40 . 2009-09-02 05:34 -------- d-----w- c:\programdata\Toshiba
2010-04-12 09:40 . 2010-01-04 06:19 -------- d-----w- c:\programdata\Apple Computer
2010-04-12 09:40 . 2009-12-26 06:40 -------- d-----r- c:\program files\Skype
2010-04-12 09:40 . 2009-12-25 08:50 -------- d-----w- c:\program files\Pando Networks
2010-04-12 09:40 . 2010-02-02 00:18 -------- d-----w- c:\program files\iTunes
2010-04-12 09:40 . 2009-09-19 22:12 -------- d-----w- c:\program files\Microsoft Works
2010-04-12 09:40 . 2010-03-11 07:56 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-04-12 09:40 . 2010-01-29 08:00 -------- d-----w- c:\program files\Ask.com
2010-04-12 09:40 . 2010-01-04 06:18 -------- d-----w- c:\program files\Apple Software Update
2010-04-12 09:40 . 2009-12-25 09:07 -------- d-----w- c:\program files\AIM
2010-04-12 09:37 . 2009-12-26 06:41 -------- d-----w- c:\users\MissParys\AppData\Roaming\Skype
2010-04-12 09:37 . 2010-01-04 06:20 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-04-12 09:36 . 2010-02-02 00:18 -------- d-----w- c:\program files\iPod
2010-04-12 09:35 . 2010-01-04 06:17 -------- d-----w- c:\program files\Common Files\Apple
2010-04-11 07:06 . 2009-12-26 06:43 -------- d-----w- c:\users\MissParys\AppData\Roaming\skypePM
2010-04-09 08:11 . 2010-04-08 04:44 4 ----a-w- c:\programdata\version.dat
2010-04-09 02:13 . 2010-04-08 04:45 5775 ----a-w- c:\programdata\vacache.dat
2010-04-09 02:13 . 2010-04-08 04:43 5775 ----a-w- c:\programdata\va.dat
2010-03-15 10:03 . 2010-03-15 10:00 -------- d-----w- c:\users\MissParys\AppData\Roaming\SecondLife
2010-03-15 04:38 . 2010-03-15 04:38 -------- d-----w- c:\program files\THQICE
2010-03-14 23:20 . 2010-02-23 02:21 98304 ----a-w- c:\programdata\NexonUS\NGM\npNxGameUS.dll
2010-03-14 23:20 . 2010-02-23 02:21 765952 ----a-w- c:\programdata\NexonUS\NGM\NGMDll.dll
2010-03-14 23:20 . 2010-02-23 02:21 401408 ----a-w- c:\programdata\NexonUS\NGM\NGMResource.dll
2010-03-14 23:20 . 2010-02-23 02:21 258352 ----a-w- c:\programdata\NexonUS\NGM\unicows.dll
2010-03-14 23:20 . 2010-02-23 02:21 172032 ----a-w- c:\programdata\NexonUS\NGM\NGM.exe
2010-03-14 23:20 . 2010-02-23 02:21 126976 ----a-w- c:\programdata\NexonUS\NGM\nxgameus.dll
2010-03-11 07:59 . 2010-03-11 07:56 -------- d-----w- c:\users\MissParys\AppData\Roaming\DAEMON Tools Lite
2010-03-11 07:56 . 2010-03-11 07:55 -------- d-----w- c:\programdata\DAEMON Tools Lite
2010-02-23 02:59 . 2010-02-23 02:21 -------- d-----w- c:\programdata\NexonUS
2010-02-21 10:18 . 2010-02-21 10:18 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2010-02-19 07:34 . 2010-02-19 07:34 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2010-02-19 01:37 . 2009-09-02 05:30 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-19 00:07 . 2010-02-18 23:28 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-19 00:07 . 2010-02-18 23:28 38784 ----a-w- c:\users\MissParys\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-19 00:07 . 2010-02-18 23:28 38784 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-18 23:52 . 2010-02-18 15:23 -------- d-----w- c:\program files\Electronic Arts
2010-02-18 23:29 . 2010-02-18 15:34 -------- d-----w- c:\programdata\Electronic Arts
2010-02-18 22:57 . 2010-02-18 15:14 -------- d-----w- c:\users\MissParys\AppData\Roaming\DAEMON Tools Pro
2010-02-18 15:31 . 2010-02-18 15:31 10134 ----a-r- c:\users\MissParys\AppData\Roaming\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2010-02-18 15:31 . 2010-02-18 15:31 -------- d-----w- c:\program files\Microsoft WSE
2010-02-18 15:16 . 2010-02-18 15:16 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-02-18 15:15 . 2010-02-18 15:14 -------- d-----w- c:\programdata\DAEMON Tools Pro
2010-02-18 07:40 . 2009-09-02 05:34 -------- d-----w- c:\programdata\WildTangent
2010-02-18 07:38 . 2010-02-18 07:38 -------- d-----w- c:\users\MissParys\AppData\Roaming\WildTangent
2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-05 21:18 . 2010-02-05 21:18 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbFB50.tmp.exe
2010-02-03 22:56 . 2010-01-30 00:38 26176 ---ha-w- c:\windows\system32\hamachi.sys
2010-02-02 07:45 . 2010-02-23 21:38 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-02 00:13 . 2010-02-02 00:13 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-12-25 08:43 . 2009-12-25 08:43 13 --sh--r- c:\windows\System32\drivers\fbd.sys
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-01-20 18:34 1197448 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-01-20 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-01-20 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-02 39408]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-04-17 2938552]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Aim"="c:\program files\AIM\aim.exe" [2010-03-08 3972440]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-30 98304]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-29 7625248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-07-21 1545512]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2008-09-25 195080]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2009-08-21 476512]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2009-07-28 460088]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2009-08-05 738616]
"ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-08-17 1294136]
"TosWaitSrv"="c:\program files\TOSHIBA\TPHM\TosWaitSrv.exe" [2009-08-07 611672]
"Teco"="c:\program files\TOSHIBA\TECO\Teco.exe" [2009-08-11 1324384]
"TWebCamera"="c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-08-11 2446648]
"SmartFaceVWatcher"="c:\program files\Toshiba\SmartFaceV\SmartFaceVWatcher.exe" [2009-07-29 163840]
"TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-09-17 611672]
"NortonOnlineBackupReminder"="c:\program files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" [2009-07-16 529256]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2010-03-30 1820040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-03-30 1086856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

R0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-02-18 691696]
R2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 135664]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-08-17 51512]
R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-09-17 111960]
R3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2009-08-07 685424]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1106000.020\SYMDS.SYS [2009-08-30 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1106000.020\SYMEFA.SYS [2010-02-04 172592]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHDrvx86.sys [2010-03-24 536112]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1106000.020\ccHPx86.sys [2010-02-25 501888]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100415.001\IDSvix86.sys [2010-02-04 343088]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1106000.020\Ironx86.SYS [2010-02-27 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\NIS\1106000.020\SYMTDIV.SYS [2010-02-04 340016]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-07-30 176128]
S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-08-11 185712]
S2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2010-03-30 1107336]
S2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe [2010-02-25 126392]
S2 RSELSVC;TOSHIBA Modem region select service;c:\program files\TOSHIBA\RSelect\RSelSvc.exe [2009-07-07 62832]
S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2009-08-11 185712]
S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-20 12920]
S3 dc3d;MS Hardware Device Detection Driver (HID);c:\windows\system32\DRIVERS\dc3d.sys [2009-11-04 17408]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-04-12 102448]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2009-07-07 7680]
S3 PGEffect;Pangu effect driver;c:\windows\system32\DRIVERS\pgeffect.sys [2009-06-23 24064]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-31 187392]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}]
2009-08-06 16:15 264048 ----a-w- c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe
.
Contents of the 'Scheduled Tasks' folder

2010-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 21:20]

2010-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 21:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
uInternet Settings,ProxyOverride = *.local
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - hxxp://avatar.mabinogi.jp/3drender/renderer/mabiweb.2007.4.4.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
AddRemove-TOSHIBA Software Modem - c:\windows\agrsmdel



**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x867E4AC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
IoDeviceObjectType -> DumpProcedure -> 0xd46a624f
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.6.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-04-18 15:28:01
ComboFix-quarantined-files.txt 2010-04-18 22:27

Pre-Run: 246,576,640,000 bytes free
Post-Run: 246,993,756,160 bytes free

- - End Of File - - 97AEA5507DA1EAFD31652AB571106239


#7 schrauber (Malware Response Team, Munich, Germany)

Posted 19 April 2010 - 12:57 PM

Hi,

Please post back with a fresh gmer logfile. How is the system running?
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#8 Parys (Topic Starter)

Posted 19 April 2010 - 06:54 PM

It's running normally, a little slower than before all of this happened. And a couple of days ago, my taskbar randomly changed to white and looked like the taskbar from Safe Mode; I know it's because of the malware.

After GMER froze a couple of times, I did it in Safe Mode instead. Here's the log:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-19 16:45:49
Windows 6.1.7600
Running: 2v7dgihj.exe; Driver: C:\Users\MISSPA~1\AppData\Local\Temp\kwtdyuow.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82845AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82845104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 828453F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8282D634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8282D898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 828451DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82845958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 828456F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82845F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 828461A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8245E599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82482F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8A851000, 0x3C849, 0xE8000020]
.dsrt C:\windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8A896000, 0x3DC, 0x48000040]

---- User code sections - GMER 1.0.15 ----

.text C:\windows\system32\svchost.exe[812] ntdll.dll!NtProtectVirtualMemory 77315360 5 Bytes JMP 0012000A
.text C:\windows\system32\svchost.exe[812] ntdll.dll!NtWriteVirtualMemory 77315EE0 5 Bytes JMP 0014000A
.text C:\windows\system32\svchost.exe[812] ntdll.dll!KiUserExceptionDispatcher 77316448 5 Bytes JMP 0011000A
.text C:\windows\Explorer.EXE[1064] ntdll.dll!NtProtectVirtualMemory 77315360 5 Bytes JMP 0071000A
.text C:\windows\Explorer.EXE[1064] ntdll.dll!NtWriteVirtualMemory 77315EE0 5 Bytes JMP 0072000A
.text C:\windows\Explorer.EXE[1064] ntdll.dll!KiUserExceptionDispatcher 77316448 5 Bytes JMP 0070000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000058 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 85E43AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0x0D 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF5 0x72 0x07 0x4C ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x46 0x4A 0x15 0x57 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x6F 0xC8 0xA0 0x65 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0x0D 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF5 0x72 0x07 0x4C ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x46 0x4A 0x15 0x57 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x6F 0xC8 0xA0 0x65 ...

---- Files - GMER 1.0.15 ----

File C:\windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


#9 Parys (Topic Starter)

Posted 21 April 2010 - 02:48 AM

(A little added detail) Lately, when I'm using my internet browser, another window comes up randomly sometimes. It's always a different ad, like I've won things and junk like that... Not sure if it's a big deal or not, though.

#10 schrauber (Malware Response Team, Munich, Germany)

Posted 21 April 2010 - 02:27 PM

Hi,

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.

regards,
schrauber


#11 Parys (Topic Starter)

Posted 21 April 2010 - 05:45 PM

Hi again Tom, here is the new log:

15:33:44:388 3196 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
15:33:44:389 3196 ================================================================================
15:33:44:389 3196 SystemInfo:

15:33:44:389 3196 OS Version: 6.1.7600 ServicePack: 0.0
15:33:44:389 3196 Product type: Workstation
15:33:44:389 3196 ComputerName: MISSPARYS-PC
15:33:44:391 3196 UserName: MissParys
15:33:44:391 3196 Windows directory: C:\windows
15:33:44:391 3196 Processor architecture: Intel x86
15:33:44:391 3196 Number of processors: 2
15:33:44:391 3196 Page size: 0x1000
15:33:44:393 3196 Boot type: Normal boot
15:33:44:393 3196 ================================================================================
15:33:44:397 3196 UnloadDriverW: NtUnloadDriver error 2
15:33:44:397 3196 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
15:33:44:840 3196 wfopen_ex: Trying to open file C:\windows\system32\config\system
15:33:44:840 3196 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:33:44:840 3196 wfopen_ex: Trying to KLMD file open
15:33:44:840 3196 wfopen_ex: File opened ok (Flags 2)
15:33:44:857 3196 wfopen_ex: Trying to open file C:\windows\system32\config\software
15:33:44:857 3196 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:33:44:857 3196 wfopen_ex: Trying to KLMD file open
15:33:44:857 3196 wfopen_ex: File opened ok (Flags 2)
15:33:44:871 3196 Initialize success
15:33:44:871 3196
15:33:44:872 3196 Scanning Services ...
15:33:47:275 3196 Raw services enum returned 482 services
15:33:47:290 3196
15:33:47:292 3196 Scanning Kernel memory ...
15:33:47:293 3196 Devices to scan: 1
15:33:47:293 3196
15:33:47:293 3196 Driver Name: atapi
15:33:47:293 3196 IRP_MJ_CREATE : 86A84AC8
15:33:47:293 3196 IRP_MJ_CREATE_NAMED_PIPE : 86A84AC8
15:33:47:293 3196 IRP_MJ_CLOSE : 86A84AC8
15:33:47:293 3196 IRP_MJ_READ : 86A84AC8
15:33:47:293 3196 IRP_MJ_WRITE : 86A84AC8
15:33:47:293 3196 IRP_MJ_QUERY_INFORMATION : 86A84AC8
15:33:47:293 3196 IRP_MJ_SET_INFORMATION : 86A84AC8
15:33:47:293 3196 IRP_MJ_QUERY_EA : 86A84AC8
15:33:47:293 3196 IRP_MJ_SET_EA : 86A84AC8
15:33:47:293 3196 IRP_MJ_FLUSH_BUFFERS : 86A84AC8
15:33:47:293 3196 IRP_MJ_QUERY_VOLUME_INFORMATION : 86A84AC8
15:33:47:293 3196 IRP_MJ_SET_VOLUME_INFORMATION : 86A84AC8
15:33:47:293 3196 IRP_MJ_DIRECTORY_CONTROL : 86A84AC8
15:33:47:293 3196 IRP_MJ_FILE_SYSTEM_CONTROL : 86A84AC8
15:33:47:293 3196 IRP_MJ_DEVICE_CONTROL : 86A84AC8
15:33:47:293 3196 IRP_MJ_INTERNAL_DEVICE_CONTROL : 86A84AC8
15:33:47:293 3196 IRP_MJ_SHUTDOWN : 86A84AC8
15:33:47:293 3196 IRP_MJ_LOCK_CONTROL : 86A84AC8
15:33:47:293 3196 IRP_MJ_CLEANUP : 86A84AC8
15:33:47:294 3196 IRP_MJ_CREATE_MAILSLOT : 86A84AC8
15:33:47:294 3196 IRP_MJ_QUERY_SECURITY : 86A84AC8
15:33:47:294 3196 IRP_MJ_SET_SECURITY : 86A84AC8
15:33:47:294 3196 IRP_MJ_POWER : 86A84AC8
15:33:47:294 3196 IRP_MJ_SYSTEM_CONTROL : 86A84AC8
15:33:47:294 3196 IRP_MJ_DEVICE_CHANGE : 86A84AC8
15:33:47:294 3196 IRP_MJ_QUERY_QUOTA : 86A84AC8
15:33:47:294 3196 IRP_MJ_SET_QUOTA : 86A84AC8
15:33:47:294 3196 Driver "atapi" infected by TDSS rootkit!
15:33:47:330 3196 C:\windows\system32\DRIVERS\atapi.sys - Verdict: 1
15:33:47:330 3196 File "C:\windows\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
15:33:47:330 3196 Processing driver file: C:\windows\system32\DRIVERS\atapi.sys
15:33:48:205 3196 vfvi6
15:33:48:271 3196 dsvbh1
15:33:49:993 3196 fdfb1
15:33:49:993 3196 Backup copy found, using it..
15:33:50:241 3196 will be cured on next reboot
15:33:50:241 3196 Reboot required for cure complete..
15:33:50:343 3196 Cure on reboot scheduled successfully
15:33:50:343 3196
15:33:50:344 3196 Completed
15:33:50:344 3196
15:33:50:345 3196 Results:
15:33:50:346 3196 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
15:33:50:346 3196 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:33:50:347 3196 File objects infected / cured / cured on reboot: 1 / 0 / 1
15:33:50:347 3196
15:33:50:348 3196 fclose_ex: Trying to close file C:\windows\system32\config\system
15:33:50:349 3196 fclose_ex: Trying to close file C:\windows\system32\config\software
15:33:50:349 3196 UnloadDriverW: NtUnloadDriver error 1
15:33:50:494 3196 KLMD(ARK) unloaded successfully
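The TDSSKiller log above is worth reading closely: every IRP_MJ_* dispatch entry of the atapi driver resolves to the same address (86A84AC8), the tool then reports the driver and its file as infected with a non-zero verdict, and the forum paste has fused two log records onto one line. The following is an added example, written for this thread and not Kaspersky's code or anything the poster ran; it parses an excerpt of that log, splits fused records on their embedded timestamps, collects each driver's dispatch table, and lists triage findings. The "exampledisk" driver with distinct handler addresses is constructed for contrast, and treating a single-address dispatch table as a triage signal rather than proof of infection is this example's own assumption, since a benign driver may also route every major function through one routine.

```python
"""Triage a TDSSKiller log (added example; not the tool's own code)."""
import re
from collections import OrderedDict

# Excerpt of the log posted above, plus one constructed driver ("exampledisk",
# addresses made up) whose dispatch entries differ, so the check has a negative case.
SAMPLE_LOG = r"""15:33:44:388 3196 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
15:33:47:292 3196 Scanning Kernel memory ...
15:33:47:293 3196 Devices to scan: 2
15:33:47:293 3196
15:33:47:293 3196 Driver Name: exampledisk
15:33:47:293 3196 IRP_MJ_CREATE : 8A1F2C00
15:33:47:293 3196 IRP_MJ_READ : 8A1F2D40
15:33:47:293 3196 IRP_MJ_DEVICE_CONTROL : 8A1F2E80
15:33:47:293 3196 Driver Name: atapi
15:33:47:293 3196 IRP_MJ_CREATE : 86A84AC8
15:33:47:293 3196 IRP_MJ_CLOSE : 86A84AC8
15:33:47:293 3196 IRP_MJ_READ : 86A84AC8
15:33:47:293 3196 IRP_MJ_WRITE : 86A84AC8
15:33:47:293 3196 IRP_MJ_DEVICE_CONTROL : 86A84AC8
15:33:47:294 3196 IRP_MJ_SET_QUOTA : 86A84AC8
15:33:47:294 3196 Driver "atapi" infected by TDSS rootkit!
15:33:47:330 3196 C:\windows\system32\DRIVERS\atapi.sys - Verdict: 1
15:33:47:330 3196 File "C:\windows\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ... 15:33:47:330 3196 Processing driver file: C:\windows\system32\DRIVERS\atapi.sys
15:33:50:241 3196 will be cured on next reboot
15:33:50:346 3196 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
15:33:50:346 3196 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:33:50:347 3196 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# One record: "HH:MM:SS:mmm PID message" (message may be empty).
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3}) (\d+) ?(.*)$")
DRIVER_RE = re.compile(r"^Driver Name: (\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+) : ([0-9A-F]{8})$")
VERDICT_RE = re.compile(r"^(\S.*?) - Verdict: (\d+)$")
INFECTED_RE = re.compile(r'^(Driver|File) "([^"]+)" infected by (.+?)\s*(?:\.\.\.|!)?$')
RESULT_RE = re.compile(
    r"^(Memory|Registry|File) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)$"
)


def split_records(text):
    """Yield the message part of each record. Forum pasting can fuse two
    records onto one line, so split on every embedded timestamp, not only
    on newlines."""
    for line in text.splitlines():
        for rec in re.split(r"(?=\d{2}:\d{2}:\d{2}:\d{3} \d+ )", line):
            m = LINE_RE.match(rec.strip())
            if m:
                yield m.group(3).strip()


def parse_tdsskiller(text):
    """Collect per-driver IRP dispatch tables, infection messages, file
    verdicts and the summary counters into one dict."""
    report = {"drivers": OrderedDict(), "infected": [], "verdicts": [], "results": {}}
    current = None
    for msg in split_records(text):
        if m := DRIVER_RE.match(msg):
            current = m.group(1)
            report["drivers"][current] = OrderedDict()
        elif (m := IRP_RE.match(msg)) and current:
            report["drivers"][current][m.group(1)] = m.group(2)
        elif m := INFECTED_RE.match(msg):
            report["infected"].append((m.group(1).lower(), m.group(2), m.group(3)))
        elif m := VERDICT_RE.match(msg):
            report["verdicts"].append((m.group(1), int(m.group(2))))
        elif m := RESULT_RE.match(msg):
            report["results"][m.group(1).lower()] = tuple(int(x) for x in m.groups()[1:])
    return report


def uniform_dispatch(table):
    """True when every listed IRP_MJ_* handler is the same address, the
    pattern atapi shows above. Assumption of this example: a triage signal
    to investigate, not proof on its own."""
    return len(table) > 1 and len(set(table.values())) == 1


def triage(text):
    """Return (report, findings): human-readable findings worth a second look."""
    report = parse_tdsskiller(text)
    findings = []
    for name, table in report["drivers"].items():
        if uniform_dispatch(table):
            addr = next(iter(table.values()))
            findings.append(f"driver {name}: all {len(table)} IRP_MJ handlers at {addr}")
    for kind, target, what in report["infected"]:
        findings.append(f"{kind} {target}: {what}")
    for path, verdict in report["verdicts"]:
        if verdict != 0:
            findings.append(f"file {path}: verdict {verdict}")
    return report, findings


if __name__ == "__main__":
    _, found = triage(SAMPLE_LOG)
    for line in found:
        print(line)
```

Run it on a saved TDSSKiller.txt by reading the file into `triage()` instead of `SAMPLE_LOG`; the summary counters in `report["results"]` tell you whether a reboot-time cure is still pending (the "cured on reboot" column), which is the case in the log above.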


#12 schrauber (Malware Response Team, Munich, Germany)

Posted 23 April 2010 - 12:41 PM

Hi,

Please post back with a fresh Gmer logfile.

  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber


#13 Parys (Topic Starter)

Posted 23 April 2010 - 03:59 PM

Heya, here are the logs:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-23 13:56:23
Windows 6.1.7600
Running: 2v7dgihj.exe; Driver: C:\Users\MISSPA~1\AppData\Local\Temp\kwtdyuow.sys


---- System - GMER 1.0.15 ----

SSDT 878DA188 ZwAlertResumeThread
SSDT 878DABC8 ZwAlertThread
SSDT 87872840 ZwAllocateVirtualMemory
SSDT 869C8440 ZwAlpcConnectPort
SSDT 878E0008 ZwAssignProcessToJobObject
SSDT 878DC6C0 ZwCreateMutant
SSDT 878E0230 ZwCreateSymbolicLinkObject
SSDT 87871258 ZwCreateThread
SSDT 878E06A0 ZwCreateThreadEx
SSDT 878DE048 ZwDebugActiveProcess
SSDT 87872A90 ZwDuplicateObject
SSDT 87871A28 ZwFreeVirtualMemory
SSDT 878DCF10 ZwImpersonateAnonymousToken
SSDT 878DB388 ZwImpersonateThread
SSDT 869E62D8 ZwLoadDriver
SSDT 878718C8 ZwMapViewOfSection
SSDT 878DDDC8 ZwOpenEvent
SSDT 87868720 ZwOpenProcess
SSDT 87872950 ZwOpenProcessToken
SSDT 878DEEA8 ZwOpenSection
SSDT 878685D0 ZwOpenThread
SSDT 878E0D40 ZwProtectVirtualMemory
SSDT 878D9608 ZwResumeThread
SSDT 87873BD0 ZwSetContextThread
SSDT 87871670 ZwSetInformationProcess
SSDT 878DEC20 ZwSetSystemInformation
SSDT 878DD6A8 ZwSuspendProcess
SSDT 878D86C8 ZwSuspendThread
SSDT 87871408 ZwTerminateProcess
SSDT 878734E0 ZwTerminateThread
SSDT 878727C8 ZwUnmapViewOfSection
SSDT 87871CF8 ZwWriteVirtualMemory

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83443AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83443104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 834433F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8342C2D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8342B898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 834431DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83443958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 834436F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83443F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 834441A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8305C599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83080F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 224 83088734 8 Bytes [88, A1, 8D, 87, C8, AB, 8D, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 8308874C 4 Bytes [40, 28, 87, 87]
.text ntkrnlpa.exe!RtlSidHashLookup + 248 83088758 4 Bytes [40, 84, 9C, 86]
.text ntkrnlpa.exe!RtlSidHashLookup + 29C 830887AC 4 Bytes [08, 00, 8E, 87]
.text ntkrnlpa.exe!RtlSidHashLookup + 318 83088828 4 Bytes [C0, C6, 8D, 87]
.text ...
? System32\Drivers\spca.sys The system cannot find the path specified. !
.text C:\windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8B320000, 0x3C849, 0xE8000020]
.dsrt C:\windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8B365000, 0x3DC, 0x48000040]
.text C:\windows\system32\DRIVERS\atikmdag.sys section is writeable [0x92629000, 0x2D5526, 0xE8000020]
.text USBPORT.SYS!DllUnload 91FD1CA0 5 Bytes JMP 87A9E1D8
.text a0idpfts.SYS 93061000 12 Bytes CALL 79F49347
.text a0idpfts.SYS 9306100D 9 Bytes [C7, 42, 83, 48, EB, 42, 83, ...] {MOV DWORD [EDX-0x7d], 0x8342eb48; ADD [EAX], AL}
.text a0idpfts.SYS 93061017 170 Bytes [00, DE, 77, D2, 8A, E6, 75, ...]
.text a0idpfts.SYS 930610C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text a0idpfts.SYS 930610CE 4 Bytes [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text peauth.sys 99F5EC9D 28 Bytes [CF, F2, C5, 83, 46, 8E, B9, ...]
.text peauth.sys 99F5ECC1 28 Bytes [CF, F2, C5, 83, 46, 8E, B9, ...]
PAGE peauth.sys 99F64B9B 72 Bytes [E0, D4, 13, 7C, A4, 8B, E7, ...]
PAGE peauth.sys 99F64BEC 111 Bytes JMP A6FA9113
PAGE peauth.sys 99F64E20 101 Bytes [24, 20, 72, C7, 83, 34, EC, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\windows\system32\svchost.exe[1032] ntdll.dll!NtProtectVirtualMemory 77335360 5 Bytes JMP 004C000A
.text C:\windows\system32\svchost.exe[1032] ntdll.dll!NtWriteVirtualMemory 77335EE0 5 Bytes JMP 004D000A
.text C:\windows\system32\svchost.exe[1032] ntdll.dll!KiUserExceptionDispatcher 77336448 5 Bytes JMP 004B000A
.text C:\windows\system32\svchost.exe[1032] ole32.dll!CoCreateInstance 75AC57FC 5 Bytes JMP 0064000A
.text C:\windows\system32\svchost.exe[1032] USER32.dll!GetCursorPos 75D6C198 5 Bytes JMP 0065000A
.text C:\windows\Explorer.EXE[2124] ntdll.dll!NtProtectVirtualMemory 77335360 5 Bytes JMP 0027000A
.text C:\windows\Explorer.EXE[2124] ntdll.dll!NtWriteVirtualMemory 77335EE0 5 Bytes JMP 0028000A
.text C:\windows\Explorer.EXE[2124] ntdll.dll!KiUserExceptionDispatcher 77336448 5 Bytes JMP 0026000A
.text C:\Program Files\Pando Networks\Media Booster\PMB.exe[3940] kernel32.dll!SetUnhandledExceptionFilter 771C3162 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\Program Files\Internet Explorer\iexplore.exe[4140] ntdll.dll!NtProtectVirtualMemory 77335360 5 Bytes JMP 001E000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4140] ntdll.dll!NtWriteVirtualMemory 77335EE0 5 Bytes JMP 001F000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4140] ntdll.dll!KiUserExceptionDispatcher 77336448 5 Bytes JMP 001D000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4140] USER32.dll!UnhookWindowsHookEx 75D6CC7B 5 Bytes JMP 6DFD82FA C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4140] USER32.dll!CallNextHookEx 75D6CC8F 5 Bytes JMP 6DFB9D00 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4140] USER32.dll!CreateWindowExW 75D70E51 5 Bytes JMP 6DFC80F7 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4140] USER32.dll!SetWindowsHookExW 75D7210A 5 Bytes JMP 6DF745DB C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4140] USER32.dll!DialogBoxIndirectParamW 75D94AA7 5 Bytes JMP 6E0EF218 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4140] USER32.dll!DialogBoxParamW 75D9564A 5 Bytes JMP 6DEE4B7F C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4140] USER32.dll!DialogBoxParamA 75DACF6A 5 Bytes JMP 6E0EF1B5 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4140] USER32.dll!DialogBoxIndirectParamA 75DAD29C 5 Bytes JMP 6E0EF27B C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4140] USER32.dll!MessageBoxIndirectA 75DBE8C9 5 Bytes JMP 6E0EF14A C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4140] USER32.dll!MessageBoxIndirectW 75DBE9C3 5 Bytes JMP 6E0EF0DF C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4140] USER32.dll!MessageBoxExA 75DBEA29 5 Bytes JMP 6E0EF07D C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4140] USER32.dll!MessageBoxExW 75DBEA4D 5 Bytes JMP 6E0EF01B C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4140] ole32.dll!OleLoadFromStream 75A75B88 5 Bytes JMP 6E0EF576 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4140] ole32.dll!CoCreateInstance 75AC57FC 5 Bytes JMP 6DFC8BE5 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5728] ntdll.dll!NtProtectVirtualMemory 77335360 5 Bytes JMP 0021000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5728] ntdll.dll!NtWriteVirtualMemory 77335EE0 5 Bytes JMP 0022000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5728] ntdll.dll!KiUserExceptionDispatcher 77336448 5 Bytes JMP 0020000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5728] USER32.dll!CreateWindowExW 75D70E51 5 Bytes JMP 6DFC80F7 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5728] USER32.dll!DialogBoxIndirectParamW 75D94AA7 5 Bytes JMP 6E0EF218 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5728] USER32.dll!DialogBoxParamW 75D9564A 5 Bytes JMP 6DEE4B7F C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5728] USER32.dll!DialogBoxParamA 75DACF6A 5 Bytes JMP 6E0EF1B5 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5728] USER32.dll!DialogBoxIndirectParamA 75DAD29C 5 Bytes JMP 6E0EF27B C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5728] USER32.dll!MessageBoxIndirectA 75DBE8C9 5 Bytes JMP 6E0EF14A C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5728] USER32.dll!MessageBoxIndirectW 75DBE9C3 5 Bytes JMP 6E0EF0DF C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5728] USER32.dll!MessageBoxExA 75DBEA29 5 Bytes JMP 6E0EF07D C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5728] USER32.dll!MessageBoxExW 75DBEA4D 5 Bytes JMP 6E0EF01B C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8AC2B042] \SystemRoot\System32\Drivers\spca.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8AC2B6D6] \SystemRoot\System32\Drivers\spca.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8AC2B800] \SystemRoot\System32\Drivers\spca.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8AC2B13E] \SystemRoot\System32\Drivers\spca.sys
IAT \SystemRoot\System32\Drivers\a0idpfts.SYS[ataport.SYS!AtaPortNotification] 00147880
IAT \SystemRoot\System32\Drivers\a0idpfts.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
IAT \SystemRoot\System32\Drivers\a0idpfts.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015
IAT \SystemRoot\System32\Drivers\a0idpfts.SYS[ataport.SYS!AtaPortStallExecution] C25DC033
IAT \SystemRoot\System32\Drivers\a0idpfts.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008
IAT \SystemRoot\System32\Drivers\a0idpfts.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08
IAT \SystemRoot\System32\Drivers\a0idpfts.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24
IAT \SystemRoot\System32\Drivers\a0idpfts.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8
IAT \SystemRoot\System32\Drivers\a0idpfts.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800
IAT \SystemRoot\System32\Drivers\a0idpfts.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000
IAT \SystemRoot\System32\Drivers\a0idpfts.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008
IAT \SystemRoot\System32\Drivers\a0idpfts.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC
IAT \SystemRoot\System32\Drivers\a0idpfts.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC
IAT \SystemRoot\System32\Drivers\a0idpfts.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC
IAT \SystemRoot\System32\Drivers\a0idpfts.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
IAT \SystemRoot\System32\Drivers\a0idpfts.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B
IAT \SystemRoot\System32\Drivers\a0idpfts.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B
IAT \SystemRoot\System32\Drivers\a0idpfts.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A
IAT \SystemRoot\System32\Drivers\a0idpfts.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500
IAT \SystemRoot\System32\Drivers\a0idpfts.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B
IAT \SystemRoot\System32\Drivers\a0idpfts.SYS[ataport.SYS!AtaPortInitialize] 157B805E
IAT \SystemRoot\System32\Drivers\a0idpfts.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500
IAT \SystemRoot\System32\Drivers\a0idpfts.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3952] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75395E25] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3952] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75395E25] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3952] @ C:\windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75395E25] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3952] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75395E25] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3952] @ C:\windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [75395E25] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3952] @ C:\windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [75395E25] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3952] @ C:\windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [75395E25] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\CRYPT32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3960] @ C:\windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 857C21F8

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\volmgr \Device\VolMgrControl 857BD1F8
Device \Driver\usbohci \Device\USBPDO-0 87AAC1F8
Device \Driver\usbohci \Device\USBPDO-1 87AAC1F8
Device \Driver\usbehci \Device\USBPDO-2 87AAD1F8
Device \Driver\usbohci \Device\USBPDO-3 87AAC1F8
Device \Driver\usbohci \Device\USBPDO-4 87AAC1F8

AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbehci \Device\USBPDO-5 87AAD1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{E85A0974-B3BD-4192-9280-E058C6D36FD3} 86B63500
Device \Driver\volmgr \Device\HarddiskVolume1 857BD1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume2 857BD1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 866EF500
Device \Driver\ACPI_HAL \Device\00000059 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume3 857BD1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom1 866EF500
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 857BF1F8
Device \Driver\atapi \Device\Ide\IdePort0 857BF1F8
Device \Driver\atapi \Device\Ide\IdePort1 857BF1F8
Device \Driver\atapi \Device\Ide\IdePort2 857BF1F8
Device \Driver\atapi \Device\Ide\IdePort3 857BF1F8
Device \Driver\atapi \Device\Ide\IdePort4 857BF1F8
Device \Driver\atapi \Device\Ide\IdePort5 857BF1F8
Device \Driver\msahci \Device\Ide\PciIde0Channel0 857C01F8
Device \Driver\msahci \Device\Ide\PciIde0Channel1 857C01F8
Device \Driver\msahci \Device\Ide\PciIde0Channel2 857C01F8
Device \Driver\msahci \Device\Ide\PciIde0Channel3 857C01F8
Device \Driver\msahci \Device\Ide\PciIde0Channel4 857C01F8
Device \Driver\msahci \Device\Ide\PciIde0Channel5 857C01F8
Device \Driver\PCI_PNP9073 \Device\00000067 spca.sys
Device \Driver\sptd \Device\823431084 spca.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 86B63500

AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbohci \Device\USBFDO-0 87AAC1F8
Device \Driver\usbohci \Device\USBFDO-1 87AAC1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{1C832CF3-F3E0-4F7C-931F-1CFCAE5C41C7} 86B63500
Device \Driver\usbehci \Device\USBFDO-2 87AAD1F8
Device \Driver\usbohci \Device\USBFDO-3 87AAC1F8
Device \Driver\usbohci \Device\USBFDO-4 87AAC1F8
Device \Driver\usbehci \Device\USBFDO-5 87AAD1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{ED0AC351-6E28-424E-BA68-EF42B2EE8FB7} 86B63500
Device \Driver\a0idpfts \Device\Scsi\a0idpfts1Port6Path0Target0Lun0 87AB81F8
Device \Driver\a0idpfts \Device\Scsi\a0idpfts1 87AB81F8
Device -> \Driver\atapi \Device\Harddisk0\DR0 86A94AC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0x0D 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x19 0x4D 0x41 0xBB ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x46 0x4A 0x15 0x57 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x6F 0xC8 0xA0 0x65 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0x0D 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x00 0xC0 0x1C 0x57 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x46 0x4A 0x15 0x57 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x6F 0xC8 0xA0 0x65 ...

---- Files - GMER 1.0.15 ----

File C:\windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

OTL logfile created on: 4/23/2010 1:31:31 PM - Run 1
OTL by OldTimer - Version 3.2.2.0 Folder = C:\Users\MissParys\Desktop
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 62.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 288.71 Gb Total Space | 220.29 Gb Free Space | 76.30% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MISSPARYS-PC
Current User Name: MissParys
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/23 13:29:25 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Users\MissParys\Desktop\OTL.exe
PRC - [2010/04/17 02:55:01 | 002,938,552 | ---- | M] () -- C:\Program Files\Pando Networks\Media Booster\PMB.exe
PRC - [2010/03/30 11:16:16 | 001,820,040 | ---- | M] (LogMeIn Inc.) -- C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
PRC - [2010/03/30 11:16:12 | 001,107,336 | ---- | M] (LogMeIn Inc.) -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
PRC - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/03/08 14:04:49 | 003,972,440 | ---- | M] (AOL Inc.) -- C:\Program Files\AIM\aim.exe
PRC - [2010/02/25 16:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccsvchst.exe
PRC - [2010/02/05 14:20:37 | 000,298,608 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
PRC - [2009/10/30 22:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/10/30 04:57:08 | 000,369,200 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Lite\DTLite.exe
PRC - [2009/09/17 16:37:18 | 000,111,960 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
PRC - [2009/09/17 16:36:58 | 001,021,272 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
PRC - [2009/09/01 22:47:16 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/08/21 09:29:40 | 000,464,224 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
PRC - [2009/08/21 09:29:20 | 000,476,512 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
PRC - [2009/08/17 10:48:46 | 001,294,136 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
PRC - [2009/08/17 10:48:42 | 000,051,512 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
PRC - [2009/08/11 16:09:54 | 000,185,712 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TECO\TecoService.exe
PRC - [2009/08/11 16:09:38 | 001,324,384 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TECO\TEco.exe
PRC - [2009/08/10 19:55:46 | 000,185,712 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
PRC - [2009/08/06 17:05:18 | 000,583,024 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
PRC - [2009/08/06 17:04:56 | 000,685,424 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
PRC - [2009/08/05 14:04:54 | 000,738,616 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
PRC - [2009/07/29 23:54:38 | 000,348,160 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2009/07/29 23:54:10 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2009/07/28 21:12:56 | 007,625,248 | ---- | M] (Realtek Semiconductor) -- C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
PRC - [2009/07/28 20:26:42 | 000,062,848 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
PRC - [2009/07/28 15:43:04 | 000,128,344 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe
PRC - [2009/07/28 14:00:10 | 000,460,088 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
PRC - [2009/07/13 18:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/13 18:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sppsvc.exe
PRC - [2009/07/13 15:24:00 | 000,304,496 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
PRC - [2009/07/07 09:37:32 | 000,062,832 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe
PRC - [2009/03/27 18:10:56 | 000,014,336 | ---- | M] (LSI Corporation) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe
PRC - [2009/03/10 18:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
PRC - [2008/09/25 15:49:00 | 000,195,080 | ---- | M] (LSI Corp.) -- C:\Program Files\ltmoh\ltmoh.exe


========== Modules (SafeList) ==========

MOD - [2010/04/23 13:29:25 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Users\MissParys\Desktop\OTL.exe
MOD - [2009/07/13 18:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/13 18:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/13 18:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/13 18:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/13 18:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/13 18:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/13 18:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/13 18:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/13 18:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/13 18:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/13 18:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/04/19 00:58:01 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/04/12 02:42:07 | 002,504,280 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\rswin_3653.dll -- (Akamai)
SRV - [2010/03/30 11:16:12 | 001,107,336 | ---- | M] (LogMeIn Inc.) [Auto | Running] -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe -- (Hamachi2Svc)
SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/02/25 16:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ccSvcHst.exe -- (NIS)
SRV - [2010/01/07 20:56:45 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2009/09/17 16:37:18 | 000,111,960 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe -- (TOSHIBA HDD SSD Alert Service)
SRV - [2009/08/21 09:29:40 | 000,464,224 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2009/08/17 10:48:42 | 000,051,512 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe -- (TMachInfo)
SRV - [2009/08/11 16:09:54 | 000,185,712 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TECO\TecoService.exe -- (TOSHIBA eco Utility Service)
SRV - [2009/08/10 19:55:46 | 000,185,712 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe -- (cfWiMAXService)
SRV - [2009/08/06 17:04:56 | 000,685,424 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe -- (TPCHSrv)
SRV - [2009/07/29 23:54:10 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2009/07/28 15:43:04 | 000,128,344 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)
SRV - [2009/07/13 18:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/13 18:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/13 18:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/13 18:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/13 18:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/13 18:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/13 18:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 18:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/13 18:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/13 18:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/13 18:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/13 18:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/13 18:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/13 18:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/13 18:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/13 18:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/13 18:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/13 18:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/13 18:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/13 18:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009/07/07 09:37:32 | 000,062,832 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\RSelect\RSelSvc.exe -- (RSELSVC)
SRV - [2009/05/22 11:02:20 | 000,250,616 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2009/03/27 18:10:56 | 000,014,336 | ---- | M] (LSI Corporation) [Auto | Running] -- C:\Program Files\LSI SoftModem\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2009/03/10 18:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)


========== Driver Services (SafeList) ==========

DRV - [2010/04/12 14:58:55 | 001,324,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100422.019\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/04/12 14:58:55 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/04/12 14:58:55 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/04/12 14:58:55 | 000,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100422.019\NAVENG.SYS -- (NAVENG)
DRV - [2010/04/12 03:23:18 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/03/24 13:38:08 | 000,536,112 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100324.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2010/02/26 19:23:54 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\windows\system32\drivers\NIS\1106000.020\Ironx86.SYS -- (SymIRON)
DRV - [2010/02/26 19:23:21 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | On_Demand | Running] -- C:\windows\system32\drivers\NIS\1106000.020\SRTSP.SYS -- (SRTSP)
DRV - [2010/02/26 19:23:21 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\windows\system32\drivers\NIS\1106000.020\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2010/02/25 16:22:57 | 000,501,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\windows\system32\drivers\NIS\1106000.020\ccHPx86.sys -- (ccHP)
DRV - [2010/02/18 08:16:05 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010/02/03 18:40:52 | 000,340,016 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\windows\system32\drivers\NIS\1106000.020\SYMTDIV.SYS -- (SYMTDIv)
DRV - [2010/02/03 18:40:50 | 000,172,592 | ---- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\windows\system32\drivers\NIS\1106000.020\SYMEFA.SYS -- (SymEFA)
DRV - [2010/02/03 18:40:07 | 000,343,088 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100415.001\IDSvix86.sys -- (IDSVix86)
DRV - [2009/11/04 03:59:00 | 000,017,408 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\dc3d.sys -- (dc3d) MS Hardware Device Detection Driver (HID)
DRV - [2009/09/23 11:41:58 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\hamachi.sys -- (hamachi)
DRV - [2009/08/29 17:17:18 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\windows\system32\drivers\NIS\1106000.020\SYMDS.SYS -- (SymDS)
DRV - [2009/08/13 08:18:22 | 000,372,736 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTL8187Se.sys -- (RTL8187Se)
DRV - [2009/07/30 19:58:26 | 000,187,392 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rt86win7.sys -- (RTL8167)
DRV - [2009/07/30 17:45:56 | 000,022,912 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2009/07/30 12:06:30 | 004,994,560 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2009/07/28 21:02:42 | 002,735,504 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/07/24 15:57:06 | 000,275,536 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\tos_sps32.sys -- (tos_sps32)
DRV - [2009/07/21 14:18:58 | 001,161,760 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2009/07/20 17:48:32 | 000,213,552 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2009/07/14 15:28:42 | 000,023,512 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
DRV - [2009/07/13 18:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/13 18:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/07/13 18:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/07/13 18:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/07/13 18:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/07/13 18:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/07/13 18:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/07/13 18:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/07/13 18:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/13 18:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/13 18:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/13 18:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/13 18:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/13 18:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/13 18:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/13 18:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/13 18:20:36 | 000,133,200 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/07/13 18:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/13 18:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/13 18:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/13 18:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/13 18:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/13 18:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/13 18:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/07/13 18:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/07/13 18:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/13 18:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/13 18:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/13 18:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/13 18:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/13 18:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/13 18:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/13 18:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/13 18:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/13 18:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/13 18:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/13 18:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/13 18:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/13 18:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/13 18:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/13 17:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/07/13 17:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\rdpbus.sys -- (rdpbus)
DRV - [2009/07/13 17:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/13 16:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/13 16:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/13 16:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/13 16:52:04 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\vwififlt.sys -- (vwififlt)
DRV - [2009/07/13 16:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/13 16:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\1394ohci.sys -- (1394ohci)
DRV - [2009/07/13 16:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/13 16:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/13 16:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/13 16:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/13 16:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/13 16:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/13 16:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/13 16:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009/07/13 16:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/07/13 16:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\amdppm.sys -- (AmdPPM)
DRV - [2009/07/13 15:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 15:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/07/13 15:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/07/13 15:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/07/13 15:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/07/13 15:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/07/13 15:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/07/13 15:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/07/13 15:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2009/07/13 15:02:46 | 001,096,704 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2009/07/07 08:53:06 | 000,007,680 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\FwLnk.sys -- (FwLnk)
DRV - [2009/06/24 18:23:12 | 000,159,776 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RtHDMIV.sys -- (RTHDMIAzAudService)
DRV - [2009/06/22 17:04:58 | 000,024,064 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PGEffect.sys -- (PGEffect)
DRV - [2009/06/19 19:31:08 | 000,012,920 | ---- | M] (TOSHIBA Corporation) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\TVALZFL.sys -- (TVALZFL)
DRV - [2009/05/09 02:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2009/05/05 00:30:28 | 000,014,392 | ---- | M] (Advanced Micro Devices Inc.) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\AtiPcie.sys -- (AtiPcie) AMD PCI Express (3GIO)
DRV - [2008/02/29 11:13:48 | 000,028,944 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LUsbFilt.sys -- (LUsbFilt)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?br...A&bmod=TSNA

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?br...A&bmod=TSNA
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\ [2010/04/12 03:23:30 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\IPSFFPlgn\ [2010/04/12 03:23:29 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2009/06/10 14:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\ipsbho.dll (Symantec Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (no name) - - No CLSID value found.
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.6.0.32\coieplg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [LogMeIn Hamachi Ui] C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe (LogMeIn Inc.)
O4 - HKLM..\Run: [LtMoh] C:\Program Files\ltmoh\ltmoh.exe (LSI Corp.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NortonOnlineBackupReminder] C:\Program Files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe (Toshiba)
O4 - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SmartFaceVWatcher] C:\Program Files\TOSHIBA\SmartFaceV\SmartFaceVWatcher.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [Teco] C:\Program Files\TOSHIBA\TECO\Teco.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [ToshibaServiceStation] C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TosWaitSrv] C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [TWebCamera] C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe (TOSHIBA CORPORATION.)
O4 - HKCU..\Run: [Aim] C:\Program Files\AIM\aim.exe (AOL Inc.)
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe ()
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/MessengerGam...1/GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} http://avatar.mabinogi.jp/3drender/rendere...eb.2007.4.4.cab (MabinogiWebAvatarRenderer Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O30 - LSA: Security Packages - (pku2u) - C:\windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 14:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2009/07/13 19:37:08 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 90 Days ==========

[2010/04/23 13:29:21 | 000,562,176 | ---- | C] (OldTimer Tools) -- C:\Users\MissParys\Desktop\OTL.exe
[2010/04/21 15:32:36 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Users\MissParys\Desktop\TDSSKiller.exe
[2010/04/21 15:32:36 | 000,000,000 | ---D | C] -- C:\Users\MissParys\Desktop\tdsskiller
[2010/04/19 18:42:21 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010/04/19 18:34:27 | 000,000,000 | ---D | C] -- C:\GamepotUSA
[2010/04/18 15:28:12 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/04/18 15:28:06 | 000,000,000 | ---D | C] -- C:\windows\temp
[2010/04/18 15:28:06 | 000,000,000 | ---D | C] -- C:\Users\MissParys\AppData\Local\temp
[2010/04/18 15:09:43 | 000,031,232 | ---- | C] (NirSoft) -- C:\windows\NIRCMD.exe
[2010/04/18 15:09:42 | 000,161,792 | ---- | C] (SteelWerX) -- C:\windows\SWREG.exe
[2010/04/18 15:09:40 | 000,136,704 | ---- | C] (SteelWerX) -- C:\windows\SWSC.exe
[2010/04/18 15:09:08 | 000,000,000 | ---D | C] -- C:\windows\ERDNT
[2010/04/18 15:06:40 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/18 15:06:17 | 000,212,480 | ---- | C] (SteelWerX) -- C:\windows\SWXCACLS.exe
[2010/04/18 15:06:13 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
[2010/04/18 02:45:55 | 000,000,000 | ---D | C] -- C:\windows\Sun
[2010/04/17 02:55:37 | 940,197,287 | ---- | C] (GamepotUSA ) -- C:\Users\MissParys\Desktop\FEZsetup_2010-04-01.exe
[2010/04/17 02:24:09 | 000,000,000 | ---D | C] -- C:\Users\MissParys\AppData\Roaming\Malwarebytes
[2010/04/17 02:23:59 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
[2010/04/17 02:23:57 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2010/04/17 02:23:57 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/17 02:23:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/04/17 01:28:09 | 000,000,000 | ---D | C] -- C:\Users\MissParys\AppData\Roaming\DanceMixer
[2010/04/17 01:28:09 | 000,000,000 | ---D | C] -- C:\Program Files\DanceMixer
[2010/04/16 21:49:14 | 000,000,000 | ---D | C] -- C:\Users\MissParys\Desktop\Warcraft III
[2010/04/12 18:08:51 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/04/12 03:22:53 | 000,501,888 | ---- | C] (Symantec Corporation) -- C:\windows\System32\drivers\NIS\1106000.020\cchpx86.sys
[2010/04/12 03:22:53 | 000,340,016 | ---- | C] (Symantec Corporation) -- C:\windows\System32\drivers\NIS\1106000.020\symtdiv.sys
[2010/04/12 03:22:53 | 000,328,752 | R--- | C] (Symantec Corporation) -- C:\windows\System32\drivers\NIS\1106000.020\symds.sys
[2010/04/12 03:22:53 | 000,325,680 | ---- | C] (Symantec Corporation) -- C:\windows\System32\drivers\NIS\1106000.020\srtsp.sys
[2010/04/12 03:22:53 | 000,172,592 | ---- | C] (Symantec Corporation) -- C:\windows\System32\drivers\NIS\1106000.020\symefa.sys
[2010/04/12 03:22:53 | 000,116,784 | ---- | C] (Symantec Corporation) -- C:\windows\System32\drivers\NIS\1106000.020\ironx86.sys
[2010/04/12 03:22:53 | 000,043,696 | ---- | C] (Symantec Corporation) -- C:\windows\System32\drivers\NIS\1106000.020\srtspx.sys
[2010/04/12 03:22:36 | 000,000,000 | ---D | C] -- C:\windows\System32\drivers\NIS\1106000.020
[2010/04/12 03:22:18 | 000,000,000 | ---D | C] -- C:\windows\System32\drivers\NIS
[2010/04/12 03:22:16 | 000,000,000 | ---D | C] -- C:\Program Files\Norton Internet Security
[2010/04/12 03:01:54 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/04/12 02:50:07 | 000,000,000 | ---D | C] -- C:\Users\MissParys\AppData\Local\PMB Files
[2010/04/11 00:40:07 | 000,000,000 | ---D | C] -- C:\windows\System32\Wat
[2010/04/09 00:23:25 | 000,000,000 | ---D | C] -- C:\ProgramData\NCH Software
[2010/04/09 00:23:18 | 000,000,000 | ---D | C] -- C:\Program Files\NCH Software
[2010/04/07 21:45:04 | 000,000,000 | ---D | C] -- C:\ProgramData\system
[2010/04/07 21:45:04 | 000,000,000 | ---D | C] -- C:\ProgramData\package
[2010/04/07 21:45:04 | 000,000,000 | ---D | C] -- C:\ProgramData\mp3
[2010/04/07 21:45:04 | 000,000,000 | ---D | C] -- C:\ProgramData\movie
[2010/04/07 21:45:04 | 000,000,000 | ---D | C] -- C:\ProgramData\HShield
[2010/04/07 21:43:26 | 000,568,832 | ---- | C] (Microsoft Corporation) -- C:\ProgramData\msvcp90.dll
[2010/04/05 13:35:07 | 000,000,000 | ---D | C] -- C:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/04/05 13:28:10 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/03/31 19:09:16 | 000,000,000 | ---D | C] -- C:\Program Files\system
[2010/03/31 19:09:16 | 000,000,000 | ---D | C] -- C:\Program Files\package
[2010/03/31 19:09:16 | 000,000,000 | ---D | C] -- C:\Program Files\mp3
[2010/03/31 19:09:16 | 000,000,000 | ---D | C] -- C:\Program Files\movie
[2010/03/31 19:09:16 | 000,000,000 | ---D | C] -- C:\Program Files\HShield
[2010/03/31 19:07:19 | 000,352,256 | ---- | C] (Intel Corporation) -- C:\Program Files\ijl15.dll
[2010/03/31 12:15:37 | 000,000,000 | ---D | C] -- C:\Downloads
[2010/03/31 11:59:37 | 000,000,000 | ---D | C] -- C:\Users\MissParys\AppData\Roaming\Free Download Manager
[2010/03/31 11:59:32 | 000,000,000 | ---D | C] -- C:\ProgramData\FreeDownloadManager.ORG
[2010/03/31 11:59:32 | 000,000,000 | ---D | C] -- C:\Program Files\Free Download Manager
[2010/03/30 15:24:57 | 000,000,000 | ---D | C] -- C:\Program Files\LogMeIn Hamachi
[2010/03/25 00:37:26 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Software Update Utility
[2010/03/15 03:00:49 | 000,000,000 | ---D | C] -- C:\Users\MissParys\AppData\Roaming\Mozilla
[2010/03/15 03:00:40 | 000,000,000 | ---D | C] -- C:\Users\MissParys\AppData\Roaming\SecondLife
[2010/03/15 03:00:39 | 000,000,000 | ---D | C] -- C:\Users\MissParys\AppData\Local\SecondLife
[2010/03/14 22:08:09 | 000,000,000 | ---D | C] -- C:\Users\MissParys\Documents\Dragonica
[2010/03/14 21:38:40 | 000,000,000 | ---D | C] -- C:\Program Files\THQICE
[2010/03/11 03:17:02 | 000,000,000 | ---D | C] -- C:\Users\MissParys\AppData\Local\CrashDumps
[2010/03/11 03:14:16 | 000,000,000 | ---D | C] -- C:\Users\MissParys\Documents\Spelunky
[2010/03/11 03:13:58 | 000,000,000 | ---D | C] -- C:\Users\MissParys\Documents\levels
[2010/03/11 00:56:49 | 000,000,000 | ---D | C] -- C:\Program Files\DAEMON Tools Lite
[2010/03/11 00:56:21 | 000,000,000 | ---D | C] -- C:\Users\MissParys\AppData\Roaming\DAEMON Tools Lite
[2010/03/11 00:55:41 | 000,000,000 | ---D | C] -- C:\ProgramData\DAEMON Tools Lite
[2010/02/22 19:21:00 | 000,000,000 | ---D | C] -- C:\ProgramData\NexonUS
[2010/02/18 17:23:14 | 011,302,160 | ---- | C] (Electronic Arts, Inc.) -- C:\Users\MissParys\Documents\TS3.exe
[2010/02/18 17:06:45 | 000,000,000 | ---D | C] -- C:\Users\MissParys\Documents\Electronic Arts
[2010/02/18 16:28:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/02/18 08:34:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Electronic Arts
[2010/02/18 08:31:21 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft WSE
[2010/02/18 08:23:54 | 000,000,000 | ---D | C] -- C:\Program Files\Electronic Arts
[2010/02/18 08:14:59 | 000,000,000 | ---D | C] -- C:\Users\MissParys\AppData\Roaming\DAEMON Tools Pro
[2010/02/18 08:14:59 | 000,000,000 | ---D | C] -- C:\ProgramData\DAEMON Tools Pro
[2010/02/18 00:38:39 | 000,000,000 | ---D | C] -- C:\Users\MissParys\AppData\Roaming\WildTangent
[2010/02/11 02:23:01 | 000,000,000 | ---D | C] -- C:\Nexon
[2010/02/10 18:05:55 | 000,000,000 | ---D | C] -- C:\Users\MissParys\Documents\Game
[2010/02/01 17:18:23 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/02/01 17:18:22 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/01/30 03:20:42 | 000,000,000 | ---D | C] -- C:\Users\MissParys\AppData\Local\Microsoft Games
[2010/01/29 21:30:31 | 000,000,000 | ---D | C] -- C:\Users\MissParys\AppData\Local\LogMeIn Hamachi
[2010/01/29 20:18:40 | 000,000,000 | ---D | C] -- C:\windows\System32\directx
[2010/01/29 19:55:04 | 000,000,000 | ---D | C] -- C:\Users\MissParys\Documents\left4dead2
[2010/01/29 19:48:59 | 000,000,000 | ---D | C] -- C:\Users\MissParys\Documents\Left 4 Dead 2
[2010/01/29 17:38:55 | 000,026,176 | -H-- | C] (LogMeIn, Inc.) -- C:\windows\System32\hamachi.sys
[2010/01/29 01:00:35 | 000,000,000 | ---D | C] -- C:\Program Files\Ask.com
[2010/01/29 01:00:30 | 000,000,000 | ---D | C] -- C:\Users\MissParys\AppData\Roaming\BitTorrent
[2010/01/29 01:00:20 | 000,000,000 | ---D | C] -- C:\Users\MissParys\Documents\BitTorrent
[1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/04/23 13:29:25 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Users\MissParys\Desktop\OTL.exe
[2010/04/23 13:26:35 | 000,000,882 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/23 13:26:28 | 000,000,006 | -H-- | M] () -- C:\windows\tasks\SA.DAT
[2010/04/23 13:26:21 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2010/04/23 13:26:16 | 2211,577,856 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/23 02:17:34 | 002,359,296 | -HS- | M] () -- C:\Users\MissParys\ntuser.dat
[2010/04/23 02:17:24 | 001,323,279 | -H-- | M] () -- C:\Users\MissParys\AppData\Local\IconCache.db
[2010/04/23 01:37:01 | 000,000,886 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/22 23:40:52 | 000,924,848 | ---- | M] () -- C:\windows\System32\drivers\NIS\1106000.020\Cat.DB
[2010/04/22 22:39:31 | 000,001,182 | ---- | M] () -- C:\Users\MissParys\Desktop\ Mabinogi .lnk
[2010/04/22 15:11:45 | 000,015,568 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/04/22 15:11:45 | 000,015,568 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/04/21 15:32:00 | 000,154,469 | ---- | M] () -- C:\Users\MissParys\Desktop\tdsskiller.zip
[2010/04/19 18:38:34 | 000,001,816 | ---- | M] () -- C:\Users\Public\Desktop\Fantasy Earth Zero.lnk
[2010/04/19 18:27:21 | 940,197,287 | ---- | M] (GamepotUSA ) -- C:\Users\MissParys\Desktop\FEZsetup_2010-04-01.exe
[2010/04/19 16:39:08 | 000,001,135 | ---- | M] () -- C:\Users\MissParys\Desktop\2v7dgihj.exe - Shortcut.lnk
[2010/04/18 15:24:46 | 000,000,215 | ---- | M] () -- C:\windows\system.ini
[2010/04/18 15:05:20 | 003,919,755 | R--- | M] () -- C:\Users\MissParys\Desktop\schrauber.exe
[2010/04/17 02:24:02 | 000,000,994 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/12 18:22:42 | 000,525,824 | ---- | M] () -- C:\Users\MissParys\Desktop\dds.scr
[2010/04/12 18:08:52 | 000,002,054 | ---- | M] () -- C:\Users\MissParys\Desktop\HijackThis.lnk
[2010/04/12 03:23:18 | 000,124,976 | ---- | M] (Symantec Corporation) -- C:\windows\System32\drivers\SYMEVENT.SYS
[2010/04/12 03:23:18 | 000,007,443 | ---- | M] () -- C:\windows\System32\drivers\SYMEVENT.CAT
[2010/04/12 03:23:18 | 000,000,805 | ---- | M] () -- C:\windows\System32\drivers\SYMEVENT.INF
[2010/04/12 03:23:03 | 000,002,510 | ---- | M] () -- C:\Users\Public\Desktop\Norton Internet Security.lnk
[2010/04/12 03:01:38 | 000,524,288 | -HS- | M] () -- C:\Users\MissParys\ntuser.dat{dec6ad17-4615-11df-a92f-9fc2e9f184ab}.TMContainer00000000000000000002.regtrans-ms
[2010/04/12 03:01:38 | 000,524,288 | -HS- | M] () -- C:\Users\MissParys\ntuser.dat{dec6ad17-4615-11df-a92f-9fc2e9f184ab}.TMContainer00000000000000000001.regtrans-ms
[2010/04/12 03:01:38 | 000,065,536 | -HS- | M] () -- C:\Users\MissParys\ntuser.dat{dec6ad17-4615-11df-a92f-9fc2e9f184ab}.TM.blf
[2010/04/11 02:01:52 | 000,000,036 | ---- | M] () -- C:\Users\MissParys\AppData\Local\housecall.guid.cache
[2010/04/09 01:11:13 | 000,000,004 | ---- | M] () -- C:\ProgramData\version.dat
[2010/04/08 19:13:06 | 000,005,775 | ---- | M] () -- C:\ProgramData\vacache.dat
[2010/04/08 19:13:06 | 000,005,775 | ---- | M] () -- C:\ProgramData\va.dat
[2010/04/02 20:30:50 | 000,561,830 | ---- | M] () -- C:\Users\MissParys\Documents\jinsu_nogiparty_lv234_eng.zip
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2010/03/26 13:27:20 | 000,713,888 | ---- | M] () -- C:\windows\System32\PerfStringBackup.INI
[2010/03/26 13:27:20 | 000,615,360 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2010/03/26 13:27:20 | 000,103,702 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2010/03/25 20:32:42 | 000,000,004 | ---- | M] () -- C:\Program Files\version.dat
[2010/03/25 20:00:02 | 000,005,775 | ---- | M] () -- C:\Program Files\vacache.dat
[2010/03/25 20:00:02 | 000,005,775 | ---- | M] () -- C:\Program Files\va.dat
[2010/03/25 00:37:34 | 000,000,700 | -H-- | M] () -- C:\IPH.PH
[2010/03/25 00:37:33 | 000,001,872 | ---- | M] () -- C:\Users\Public\Desktop\AIM.lnk
[2010/03/22 10:43:42 | 000,178,000 | ---- | M] (Kaspersky Lab) -- C:\Users\MissParys\Desktop\TDSSKiller.exe
[2010/03/14 21:43:21 | 000,001,069 | ---- | M] () -- C:\Users\Public\Desktop\Dragonica Online.lnk
[2010/03/14 16:20:49 | 000,000,188 | ---- | M] () -- C:\Users\Public\Desktop\PopTag!.url
[2010/03/12 18:02:38 | 000,261,632 | ---- | M] () -- C:\windows\PEV.exe
[2010/03/11 00:56:51 | 000,001,911 | ---- | M] () -- C:\Users\Public\Desktop\DAEMON Tools Lite.lnk
[2010/03/01 20:32:06 | 000,007,442 | ---- | M] () -- C:\windows\System32\drivers\NIS\1106000.020\srtspx.cat
[2010/03/01 20:32:06 | 000,007,438 | ---- | M] () -- C:\windows\System32\drivers\NIS\1106000.020\srtsp.cat
[2010/02/26 19:23:54 | 000,116,784 | ---- | M] (Symantec Corporation) -- C:\windows\System32\drivers\NIS\1106000.020\ironx86.sys
[2010/02/26 19:23:54 | 000,007,438 | ---- | M] () -- C:\windows\System32\drivers\NIS\1106000.020\iron.cat
[2010/02/26 19:23:54 | 000,000,741 | ---- | M] () -- C:\windows\System32\drivers\NIS\1106000.020\iron.inf
[2010/02/26 19:23:21 | 000,325,680 | ---- | M] (Symantec Corporation) -- C:\windows\System32\drivers\NIS\1106000.020\srtsp.sys
[2010/02/26 19:23:21 | 000,043,696 | ---- | M] (Symantec Corporation) -- C:\windows\System32\drivers\NIS\1106000.020\srtspx.sys
[2010/02/26 19:23:21 | 000,001,388 | ---- | M] () -- C:\windows\System32\drivers\NIS\1106000.020\srtspx.inf
[2010/02/26 19:23:21 | 000,001,382 | ---- | M] () -- C:\windows\System32\drivers\NIS\1106000.020\srtsp.inf
[2010/02/25 16:22:57 | 000,501,888 | ---- | M] (Symantec Corporation) -- C:\windows\System32\drivers\NIS\1106000.020\cchpx86.sys
[2010/02/25 10:54:56 | 000,007,396 | ---- | M] () -- C:\windows\System32\drivers\NIS\1106000.020\cchpx86.cat
[2010/02/21 03:18:36 | 000,000,000 | -H-- | M] () -- C:\windows\System32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
[2010/02/19 00:34:16 | 000,000,000 | -H-- | M] () -- C:\windows\System32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
[2010/02/18 18:52:12 | 000,002,036 | ---- | M] () -- C:\Users\Public\Desktop\The Sims™ 3.lnk
[2010/02/18 17:46:07 | 011,302,160 | ---- | M] (Electronic Arts, Inc.) -- C:\Users\MissParys\Documents\TS3.exe
[2010/02/18 08:16:05 | 000,691,696 | ---- | M] () -- C:\windows\System32\drivers\sptd.sys
[2010/02/05 13:52:57 | 000,001,754 | ---- | M] () -- C:\windows\System32\drivers\NIS\1106000.020\cchpx86.inf
[2010/02/03 18:40:52 | 000,340,016 | ---- | M] (Symantec Corporation) -- C:\windows\System32\drivers\NIS\1106000.020\symtdiv.sys
[2010/02/03 18:40:51 | 000,007,787 | ---- | M] () -- C:\windows\System32\drivers\NIS\1106000.020\symnetv.cat
[2010/02/03 18:40:51 | 000,007,368 | ---- | M] () -- C:\windows\System32\drivers\NIS\1106000.020\symnet.cat
[2010/02/03 18:40:51 | 000,001,473 | ---- | M] () -- C:\windows\System32\drivers\NIS\1106000.020\symnetv.inf
[2010/02/03 18:40:51 | 000,001,445 | ---- | M] () -- C:\windows\System32\drivers\NIS\1106000.020\symnet.inf
[2010/02/03 18:40:50 | 000,172,592 | ---- | M] (Symantec Corporation) -- C:\windows\System32\drivers\NIS\1106000.020\symefa.sys
[2010/02/03 18:40:50 | 000,007,444 | ---- | M] () -- C:\windows\System32\drivers\NIS\1106000.020\symefa.cat
[2010/02/03 18:40:50 | 000,003,374 | ---- | M] () -- C:\windows\System32\drivers\NIS\1106000.020\symefa.inf
[2010/02/03 15:56:56 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) -- C:\windows\System32\hamachi.sys
[2010/02/01 17:18:56 | 000,002,429 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/01/29 20:24:14 | 000,000,955 | ---- | M] () -- C:\Users\MissParys\Desktop\Left 4 Dead 2 [blaze69].lnk
[2010/01/29 00:50:14 | 003,059,512 | ---- | M] () -- C:\Users\MissParys\Documents\BitTorrent-6.3b.exe
[1 C:\windows\*.tmp files -> C:\windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/21 15:31:58 | 000,154,469 | ---- | C] () -- C:\Users\MissParys\Desktop\tdsskiller.zip
[2010/04/19 18:38:32 | 000,001,816 | ---- | C] () -- C:\Users\Public\Desktop\Fantasy Earth Zero.lnk
[2010/04/19 16:39:08 | 000,001,135 | ---- | C] () -- C:\Users\MissParys\Desktop\2v7dgihj.exe - Shortcut.lnk
[2010/04/18 15:09:43 | 000,077,312 | ---- | C] () -- C:\windows\MBR.exe
[2010/04/18 15:09:42 | 000,261,632 | ---- | C] () -- C:\windows\PEV.exe
[2010/04/18 15:09:41 | 000,098,816 | ---- | C] () -- C:\windows\sed.exe
[2010/04/18 15:09:41 | 000,080,412 | ---- | C] () -- C:\windows\grep.exe
[2010/04/18 15:09:41 | 000,068,096 | ---- | C] () -- C:\windows\zip.exe
[2010/04/18 15:05:20 | 003,919,755 | R--- | C] () -- C:\Users\MissParys\Desktop\schrauber.exe
[2010/04/17 02:24:02 | 000,000,994 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/12 18:22:33 | 000,525,824 | ---- | C] () -- C:\Users\MissParys\Desktop\dds.scr
[2010/04/12 18:08:52 | 000,002,054 | ---- | C] () -- C:\Users\MissParys\Desktop\HijackThis.lnk
[2010/04/12 03:23:25 | 000,924,848 | ---- | C] () -- C:\windows\System32\drivers\NIS\1106000.020\Cat.DB
[2010/04/12 03:23:03 | 000,002,510 | ---- | C] () -- C:\Users\Public\Desktop\Norton Internet Security.lnk
[2010/04/12 03:22:53 | 000,007,787 | ---- | C] () -- C:\windows\System32\drivers\NIS\1106000.020\symnetv.cat
[2010/04/12 03:22:53 | 000,007,444 | ---- | C] () -- C:\windows\System32\drivers\NIS\1106000.020\symefa.cat
[2010/04/12 03:22:53 | 000,007,442 | ---- | C] () -- C:\windows\System32\drivers\NIS\1106000.020\srtspx.cat
[2010/04/12 03:22:53 | 000,007,438 | ---- | C] () -- C:\windows\System32\drivers\NIS\1106000.020\srtsp.cat
[2010/04/12 03:22:53 | 000,007,438 | ---- | C] () -- C:\windows\System32\drivers\NIS\1106000.020\iron.cat
[2010/04/12 03:22:53 | 000,007,425 | R--- | C] () -- C:\windows\System32\drivers\NIS\1106000.020\symds.cat
[2010/04/12 03:22:53 | 000,007,396 | ---- | C] () -- C:\windows\System32\drivers\NIS\1106000.020\cchpx86.cat
[2010/04/12 03:22:53 | 000,007,368 | ---- | C] () -- C:\windows\System32\drivers\NIS\1106000.020\symnet.cat
[2010/04/12 03:22:53 | 000,003,374 | ---- | C] () -- C:\windows\System32\drivers\NIS\1106000.020\symefa.inf
[2010/04/12 03:22:53 | 000,002,793 | R--- | C] () -- C:\windows\System32\drivers\NIS\1106000.020\symds.inf
[2010/04/12 03:22:53 | 000,001,754 | ---- | C] () -- C:\windows\System32\drivers\NIS\1106000.020\cchpx86.inf
[2010/04/12 03:22:53 | 000,001,473 | ---- | C] () -- C:\windows\System32\drivers\NIS\1106000.020\symnetv.inf
[2010/04/12 03:22:53 | 000,001,445 | ---- | C] () -- C:\windows\System32\drivers\NIS\1106000.020\symnet.inf
[2010/04/12 03:22:53 | 000,001,388 | ---- | C] () -- C:\windows\System32\drivers\NIS\1106000.020\srtspx.inf
[2010/04/12 03:22:53 | 000,001,382 | ---- | C] () -- C:\windows\System32\drivers\NIS\1106000.020\srtsp.inf
[2010/04/12 03:22:53 | 000,000,741 | ---- | C] () -- C:\windows\System32\drivers\NIS\1106000.020\iron.inf
[2010/04/12 03:22:53 | 000,000,172 | ---- | C] () -- C:\windows\System32\drivers\NIS\1106000.020\isolate.ini
[2010/04/12 02:49:57 | 000,524,288 | -HS- | C] () -- C:\Users\MissParys\ntuser.dat{dec6ad17-4615-11df-a92f-9fc2e9f184ab}.TMContainer00000000000000000002.regtrans-ms
[2010/04/12 02:49:57 | 000,524,288 | -HS- | C] () -- C:\Users\MissParys\ntuser.dat{dec6ad17-4615-11df-a92f-9fc2e9f184ab}.TMContainer00000000000000000001.regtrans-ms
[2010/04/12 02:49:57 | 000,065,536 | -HS- | C] () -- C:\Users\MissParys\ntuser.dat{dec6ad17-4615-11df-a92f-9fc2e9f184ab}.TM.blf
[2010/04/11 02:01:52 | 000,000,036 | ---- | C] () -- C:\Users\MissParys\AppData\Local\housecall.guid.cache
[2010/04/08 18:28:48 | 000,561,830 | ---- | C] () -- C:\Users\MissParys\Documents\jinsu_nogiparty_lv234_eng.zip
[2010/04/07 21:45:21 | 000,005,775 | ---- | C] () -- C:\ProgramData\vacache.dat
[2010/04/07 21:44:20 | 000,000,004 | ---- | C] () -- C:\ProgramData\version.dat
[2010/04/07 21:43:27 | 000,111,104 | ---- | C] () -- C:\ProgramData\Uploader.dat
[2010/04/07 21:43:27 | 000,005,775 | ---- | C] () -- C:\ProgramData\va.dat
[2010/03/31 19:10:18 | 000,005,775 | ---- | C] () -- C:\Program Files\vacache.dat
[2010/03/31 19:08:26 | 000,000,004 | ---- | C] () -- C:\Program Files\version.dat
[2010/03/31 19:07:19 | 000,111,104 | ---- | C] () -- C:\Program Files\Uploader.dat
[2010/03/31 19:07:19 | 000,005,775 | ---- | C] () -- C:\Program Files\va.dat
[2010/03/31 19:07:19 | 000,000,716 | ---- | C] () -- C:\Program Files\default.reg
[2010/03/14 21:43:21 | 000,001,069 | ---- | C] () -- C:\Users\Public\Desktop\Dragonica Online.lnk
[2010/03/14 16:20:49 | 000,000,188 | ---- | C] () -- C:\Users\Public\Desktop\PopTag!.url
[2010/03/11 00:56:50 | 000,001,911 | ---- | C] () -- C:\Users\Public\Desktop\DAEMON Tools Lite.lnk
[2010/03/11 00:34:37 | 000,053,824 | ---- | C] () -- C:\Users\MissParys\Documents\NS-SIMS3_DC-poseden.mds
[2010/02/22 20:03:21 | 000,001,182 | ---- | C] () -- C:\Users\MissParys\Desktop\ Mabinogi .lnk
[2010/02/21 03:18:36 | 000,000,000 | -H-- | C] () -- C:\windows\System32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
[2010/02/19 00:34:16 | 000,000,000 | -H-- | C] () -- C:\windows\System32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
[2010/02/18 19:10:09 | 000,017,029 | ---- | C] () -- C:\Users\MissParys\Documents\ALI.213
[2010/02/18 18:52:12 | 000,002,036 | ---- | C] () -- C:\Users\Public\Desktop\The Sims™ 3.lnk
[2010/02/18 08:16:05 | 000,691,696 | ---- | C] () -- C:\windows\System32\drivers\sptd.sys
[2010/02/05 14:21:03 | 000,000,886 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/02/05 14:21:01 | 000,000,882 | ---- | C] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/02/01 17:18:56 | 000,002,429 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/01/29 20:24:14 | 000,000,955 | ---- | C] () -- C:\Users\MissParys\Desktop\Left 4 Dead 2 [blaze69].lnk
[2010/01/29 00:50:03 | 003,059,512 | ---- | C] () -- C:\Users\MissParys\Documents\BitTorrent-6.3b.exe
[2009/12/25 01:43:12 | 000,000,013 | RHS- | C] () -- C:\windows\System32\drivers\fbd.sys
[2009/09/19 16:30:04 | 000,000,000 | ---- | C] () -- C:\windows\NDSTray.INI
[2009/09/19 15:46:33 | 000,073,728 | ---- | C] () -- C:\windows\System32\RtNicProp32.dll
[2009/07/13 16:51:43 | 000,073,728 | ---- | C] () -- C:\windows\System32\BthpanContextHandler.dll
[2009/07/13 16:42:10 | 000,064,000 | ---- | C] () -- C:\windows\System32\BWContextHandler.dll

========== LOP Check ==========

[2009/12/25 02:07:38 | 000,000,000 | ---D | M] -- C:\Users\MissParys\AppData\Roaming\acccore
[2010/04/12 02:40:32 | 000,000,000 | ---D | M] -- C:\Users\MissParys\AppData\Roaming\BitTorrent
[2010/03/11 00:59:19 | 000,000,000 | ---D | M] -- C:\Users\MissParys\AppData\Roaming\DAEMON Tools Lite
[2010/02/18 15:57:04 | 000,000,000 | ---D | M] -- C:\Users\MissParys\AppData\Roaming\DAEMON Tools Pro
[2010/04/17 01:28:09 | 000,000,000 | ---D | M] -- C:\Users\MissParys\AppData\Roaming\DanceMixer
[2010/04/12 01:57:22 | 000,000,000 | ---D | M] -- C:\Users\MissParys\AppData\Roaming\Free Download Manager
[2010/03/15 03:03:42 | 000,000,000 | ---D | M] -- C:\Users\MissParys\AppData\Roaming\SecondLife
[2009/12/25 21:24:07 | 000,000,000 | ---D | M] -- C:\Users\MissParys\AppData\Roaming\TOSHIBA
[2010/02/18 00:38:39 | 000,000,000 | ---D | M] -- C:\Users\MissParys\AppData\Roaming\WildTangent
[2009/12/25 01:42:50 | 000,000,000 | ---D | M] -- C:\Users\MissParys\AppData\Roaming\WinBatch
[2010/04/21 23:33:11 | 000,032,624 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2009/12/25 02:56:42 | 1266,929,792 | ---- | M] () -- C:\$RV1JWYZ.exe


< MD5 for: AGP440.SYS >
[2009/07/13 18:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\ERDNT\cache\AGP440.sys
[2009/07/13 18:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\AGP440.sys
[2009/07/13 18:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_65848c2d7375a720\AGP440.sys
[2009/07/13 18:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/07/13 18:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\ERDNT\cache\atapi.sys
[2010/04/21 15:36:04 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys
[2009/07/13 18:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys
[2009/07/13 18:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009/07/13 18:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\ERDNT\cache\cngaudit.dll
[2009/07/13 18:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll
[2009/07/13 18:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2009/07/13 18:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\drivers\iaStorV.sys
[2009/07/13 18:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/13 18:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/07/13 18:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\ERDNT\cache\netlogon.dll
[2009/07/13 18:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\System32\netlogon.dll
[2009/07/13 18:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2009/07/13 18:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\drivers\nvstor.sys
[2009/07/13 18:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/13 18:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009/07/13 18:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\ERDNT\cache\scecli.dll
[2009/07/13 18:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\System32\scecli.dll
[2009/07/13 18:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/07/29 23:55:04 | 000,442,368 | ---- | M] (Advanced Micro Devices, Inc.) Unable to obtain MD5 -- C:\Windows\System32\ATIDEMGX.dll
[2009/07/13 18:15:13 | 000,346,112 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtmsft.dll
[2009/07/13 18:15:13 | 000,215,552 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtrans.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2010/02/18 08:16:05 | 000,691,696 | ---- | M] () Unable to obtain MD5 -- C:\Windows\System32\drivers\sptd.sys

< %systemroot%\System32\config\*.sav >

========== Files - Unicode (All) ==========
[2010/04/01 05:47:53 | 000,000,000 | ---D | M](C:\Users\MissParys\Documents\????) -- C:\Users\MissParys\Documents\마비노기
[2010/03/31 19:10:19 | 000,000,000 | ---D | C](C:\Users\MissParys\Documents\????) -- C:\Users\MissParys\Documents\마비노기

========== Alternate Data Streams ==========

@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:BEB15613

< End of report >
===============





OTL Extras logfile created on: 4/23/2010 1:31:31 PM - Run 1
OTL by OldTimer - Version 3.2.2.0 Folder = C:\Users\MissParys\Desktop
Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 62.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 288.71 Gb Total Space | 220.29 Gb Free Space | 76.30% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MISSPARYS-PC
Current User Name: MissParys
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MIF5BA~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"AntiVirusOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{008D69EB-70FF-46AB-9C75-924620DF191A}" = TOSHIBA Speech System SR Engine(U.S.) Version1.0
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}" = MyToshiba
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}" = Adobe Setup
"{0D795777-9D60-4692-8386-F2B3F2B5E5BF}" = Label@Once 1.0
"{0DB8F853-899A-8628-E0D7-29FB190CF848}" = Catalyst Control Center Graphics Full Existing
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{0FB630AB-7BD8-40AE-B223-60397D57C3C9}" = Realtek WLAN Driver
"{117BCF94-6A1E-6741-39F5-09444381445E}" = CCC Help Italian
"{1211D6B0-B7B5-CB9A-99A2-066473FC35CA}" = CCC Help Swedish
"{12B3A009-A080-4619-9A2A-C6DB151D8D67}" = TOSHIBA Assist
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{14956199-1890-C3D4-F8B8-3C0C6FD82993}" = ccc-core-static
"{14E94112-5F6B-4049-B177-4C7E69D3C3A0}_is1" = Dragonica Online
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1D210042-41EE-4472-2219-6A900366B9A3}" = CCC Help French
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 14
"{2ABB6396-785C-E2CB-579E-79BAF98E0527}" = Catalyst Control Center Graphics Previews Vista
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3B843B38-04B1-4CE6-8888-586273E0F289}" = Quickbooks Financial Center
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{3E1B8E31-9692-207B-77B7-A8339AF03795}" = Catalyst Control Center Graphics Full New
"{3FBF6F99-8EC6-41B4-8527-0A32241B5496}" = TOSHIBA Speech System TTS Engine(U.S.) Version1.0
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{51C77E17-3337-6409-16A9-A90CA8B9BBF6}" = ccc-utility
"{53536479-DFB0-47ED-9D10-43F3708C222D}" = TOSHIBA eco Utility
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{58630658-9DF7-E873-9F5D-0EAF87D25DAA}" = CCC Help Norwegian
"{594A3C2C-19B3-E02E-359C-B8D134F6B939}" = CCC Help Korean
"{5AF550B4-BB67-4E7E-82F1-2C4300279050}" = ToshibaRegistration
"{5DA0E02F-970B-424B-BF41-513A5018E4C0}" = TOSHIBA Disc Creator
"{5E6F6CF3-BACC-4144-868C-E14622C658F3}" = TOSHIBA Web Camera Application
"{6055830B-40E4-C794-3F04-2D0CD8AF1AAC}" = CCC Help Russian
"{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C5F3BDC-0A1B-4436-A696-5939629D5C31}" = TOSHIBA DVD PLAYER
"{6E932CA6-FD17-7694-FD7C-14CE25770EA5}" = Catalyst Control Center Graphics Previews Common
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{739A6E9D-5D7D-8A5D-EC8A-4BD11E5749AA}" = CCC Help Hungarian
"{76BC2442-0002-47FA-9617-43BAD82BEF4C}" = Bonjour
"{7B15D70E-9449-4CFB-B9BC-798465B2BD5C}" = Norton Internet Security
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{89F7D66C-777D-473B-AA11-319C0F190EAC}" = TOSHIBA Internal Modem Region Select Utility
"{8A74DEFD-A224-49CC-AB80-4E88BC730125}" = LogMeIn Hamachi
"{8C72927B-7410-131A-E641-B9C505F4973C}" = CCC Help Japanese
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{911AB6CA-E04C-1E98-523D-8FCFAB4F456C}" = CCC Help Czech
"{9216C6A7-694A-4437-BD00-BD1CF58E1839}" = CCC Help Spanish
"{92DE68CE-BC3E-7323-EA53-99490C8BD34D}" = Catalyst Control Center Graphics Light
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9668AE11-E05C-8169-F6D8-FBF7B507D7DB}" = CCC Help German
"{96AE7E41-E34E-47D0-AC07-1091A8127911}" = Realtek USB 2.0 Card Reader
"{96BC4641-5E7A-468C-B018-27265FCA4149}" = DanceMixer
"{970472D0-F5F9-4158-A6E3-1AE49EFEF2D3}" = Toshiba Application and Driver Installer
"{979587FD-F264-3C71-B0BE-6FC8DA993790}" = CCC Help Thai
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{999307CD-D57D-8C98-27ED-07F384ACFAA1}" = CCC Help Turkish
"{9AEAF9CC-390B-49C0-8F7F-14092BF163B6}" = NetZero Launcher
"{9DECD0F9-D3E8-48B0-A390-1CF09F54E3A4}" = TOSHIBA PC Health Monitor
"{A208044D-A88B-4ACF-AE95-E4F213E6EDC0}" = TOSHIBA Supervisor Password
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A7594D38-0B7E-BCF7-A938-1AC03A6477FB}" = CCC Help English
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC6569FA-6919-442A-8552-073BE69E247A}" = TOSHIBA Service Station
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{AC7BE07B-14D3-6EB5-814A-EB0A63CBFB47}" = CCC Help Polish
"{B1CDB3C6-8DD8-4864-8589-BDFBDA033941}" = CCC Help Chinese Traditional
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B4BB4CF2-F475-FB20-7AFA-F8AED032BFF8}" = ATI Catalyst Install Manager
"{B5C3B892-0849-476C-9F46-B12F84819D57}" = Apple Mobile Device Support
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}" = TOSHIBA Recovery Media Creator
"{B7A9964C-A9A7-4714-B494-50067238876E}" = Fantasy Earth Zero
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{BDABF8CD-7436-EC6C-DD82-439225E22557}" = CCC Help Finnish
"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = The Sims™ 3
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C57BCDE1-7CB9-467D-B3BA-7E119916CDC1}" = Toshiba Online Backup
"{C5A15C68-0DF3-8A13-352E-E605491D7E3D}" = Catalyst Control Center InstallProxy
"{C730E42C-935A-45BB-A0C5-37E5234D111B}" = TOSHIBA Face Recognition
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}" = PlayReady PC Runtime x86
"{CFAE78A9-A7A4-537E-7CC0-5A794FFBF73F}" = Catalyst Control Center Core Implementation
"{D0387727-C89D-4774-B643-B9333EAA09DE}" = TOSHIBA Hardware Setup
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D19A1978-2FB2-B39A-5D30-C1EA38F788DD}" = CCC Help Danish
"{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert
"{D5A9DA4B-E4F9-FB49-017D-769FC540F1F0}" = EA Download Manager UI
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{D8634D93-03DD-01F1-AC7D-EE468AA24F45}" = CCC Help Dutch
"{DA84ECBF-4B79-47F2-B34C-95C38484C058}" = Skype Launcher
"{E151E679-4EC8-36F9-A691-C7600688A1CA}" = CCC Help Chinese Standard
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E3D63B95-4B21-414A-A2C7-D6D6A6AC6D79}" = Catalyst Control Center - Branding
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E4848436-0345-47E2-B648-8B522FCDA623}" = Adobe Photoshop CS4
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{E69992ED-A7F6-406C-9280-1C156417BC49}" = Toshiba Quality Application
"{EBC6193C-ED23-E332-9A9C-D5CB83CDDE2B}" = Catalyst Control Center Localization All
"{EE033C1F-443E-41EC-A0E2-559B539A4E4D}" = TOSHIBA Speech System Applications
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F3529665-D75E-4D6D-98F0-745C78C68E9B}" = TOSHIBA ConfigFree
"{F439D7AF-03F3-4F8E-AEC4-571BFE977C61}" = iTunes
"{F544CA20-6810-E275-D288-F0D92CFADE4A}" = CCC Help Greek
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"{FEED29DD-7BF3-582C-3353-1F2634C2323D}" = CCC Help Portuguese
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe_faf656ef605427ee2f42989c3ad31b8" = Adobe Photoshop CS4
"AIM_7" = AIM 7
"Akamai" = Akamai NetSession Interface
"BitTorrent" = BitTorrent
"com.ea.Vault.919CACB699904AC5D41B606703500DD39747C02D.1" = EA Download Manager UI
"EA Download Manager" = EA Download Manager
"HijackThis" = HijackThis 2.0.2
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{53536479-DFB0-47ED-9D10-43F3708C222D}" = TOSHIBA eco Utility
"InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}" = TOSHIBA Extended Tiles for Windows Mobility Center
"InstallShield_{89F7D66C-777D-473B-AA11-319C0F190EAC}" = TOSHIBA Internal Modem Region Select Utility
"InstallShield_{B7A9964C-A9A7-4714-B494-50067238876E}" = Fantasy Earth Zero
"InstallShield_{C730E42C-935A-45BB-A0C5-37E5234D111B}" = TOSHIBA Face Recognition
"InstallShield_{D4322448-B6AF-4316-B859-D8A0E84DCB38}" = TOSHIBA HDD/SSD Alert
"InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}" = TOSHIBA Value Added Package
"LogMeIn Hamachi" = LogMeIn Hamachi
"LTMOH" = LSI V92 MOH Application
"Mabinogi" = Mabinogi
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"NIS" = Norton Internet Security
"PopTag" = PopTag!
"SoftwareUpdUtility" = Download Updater (AOL LLC)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"WildTangent toshiba Master Uninstall" = WildTangent Games
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/15/2010 5:15:28 AM | Computer Name = MissParys-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 2605

Error - 4/15/2010 5:15:30 AM | Computer Name = MissParys-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 4/15/2010 5:15:30 AM | Computer Name = MissParys-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 3884

Error - 4/15/2010 5:15:30 AM | Computer Name = MissParys-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 3884

Error - 4/15/2010 5:15:31 AM | Computer Name = MissParys-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 4/15/2010 5:15:31 AM | Computer Name = MissParys-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 5132

Error - 4/15/2010 5:15:31 AM | Computer Name = MissParys-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 5132

Error - 4/15/2010 5:15:32 AM | Computer Name = MissParys-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 4/15/2010 5:15:32 AM | Computer Name = MissParys-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 6396

Error - 4/15/2010 5:15:32 AM | Computer Name = MissParys-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 6396

[ System Events ]
Error - 4/18/2010 6:49:32 AM | Computer Name = MissParys-PC | Source = Service Control Manager | ID = 7031
Description = The User Profile Service service terminated unexpectedly. It has
done this 2 time(s). The following corrective action will be taken in 300000 milliseconds:
Restart the service.

Error - 4/18/2010 6:49:32 AM | Computer Name = MissParys-PC | Source = Service Control Manager | ID = 7031
Description = The Task Scheduler service terminated unexpectedly. It has done this
2 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 4/18/2010 6:49:32 AM | Computer Name = MissParys-PC | Source = Service Control Manager | ID = 7031
Description = The System Event Notification Service service terminated unexpectedly.
It has done this 2 time(s). The following corrective action will be taken in
300000 milliseconds: Restart the service.

Error - 4/18/2010 6:49:32 AM | Computer Name = MissParys-PC | Source = Service Control Manager | ID = 7031
Description = The Themes service terminated unexpectedly. It has done this 2 time(s).
The following corrective action will be taken in 60000 milliseconds: Restart the
service.

Error - 4/18/2010 6:49:32 AM | Computer Name = MissParys-PC | Source = Service Control Manager | ID = 7031
Description = The Windows Management Instrumentation service terminated unexpectedly.
It has done this 2 time(s). The following corrective action will be taken in
300000 milliseconds: Restart the service.

Error - 4/18/2010 6:49:34 AM | Computer Name = MissParys-PC | Source = Service Control Manager | ID = 7000
Description = The Computer Browser service failed to start due to the following
error: %%1115

Error - 4/18/2010 6:49:34 AM | Computer Name = MissParys-PC | Source = Service Control Manager | ID = 7000
Description = The IKE and AuthIP IPsec Keying Modules service failed to start due
to the following error: %%1115

Error - 4/18/2010 6:49:34 AM | Computer Name = MissParys-PC | Source = Service Control Manager | ID = 7023
Description = The Server service terminated with the following error: %%13

Error - 4/18/2010 5:54:09 PM | Computer Name = MissParys-PC | Source = atikmdag | ID = 52236
Description = CPLIB :: General - Invalid Parameter

Error - 4/18/2010 5:54:09 PM | Computer Name = MissParys-PC | Source = atikmdag | ID = 43029
Description = Display is not active


< End of report >


#14 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 25 April 2010 - 02:23 AM

Hi,
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R), then copy and paste the following into the text field (make sure you include the quote marks) and press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


Also please post back with a fresh Gmer logfile.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
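A way to read the GMER log that the post above asks for, as an added example that is not part of this thread and not code from GMER, Kaspersky or either poster: a small Python triage script that applies the checks a responder makes by eye. GMER marks a redirected device object with `->` (in the log posted later in this thread, `Device -> \Driver\atapi \Device\Harddisk0\DR0`, the disk device object that TDL3/TDSS, Symantec's "Tidserv", hooks to hide its own storage); its Kernel IAT/EAT section lists only entries it considers hooked, so a driver with a random-looking eight-character name and a whole table of hooked `ataport.SYS` imports (here `adgj66k8.SYS`) is the TDL3 pattern; and `? <file> The system cannot find the path specified. !` is a loaded driver whose file is hidden or gone. Two of those hidden-file hits are routinely benign and the script downgrades them: the module GMER shows behind `\Driver\sptd` (the SPTD disk-emulation layer that Daemon Tools and Alcohol install hides its own driver file, here `spro.sys`), and a `tsk####.tmp` name, assumed here to be the temporary driver of TDSSKiller, which the topic starter says was run earlier. The eight-character name rule, the hook-count threshold and the severity labels are heuristics chosen for this example; the sample lines are copied verbatim from the GMER log in the next post.

```python
r"""Triage a GMER rootkit-scan log for TDL3/TDSS ("Tidserv") indicators.

Added example for this thread; not code from GMER, Kaspersky or the posters.
The regexes follow the GMER 1.0.15 line formats seen in the posted log.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# '? <file> The system cannot find the path specified. !' : loaded driver with no file on disk
MISSING_RE = re.compile(r"^\?\s+(?P<path>\S+)\s+The system cannot find the path specified")
# 'IAT <image>[<module>!<function>] <value>' : GMER lists only entries it considers hooked
IAT_RE = re.compile(r"^IAT\s+(?P<image>\S+?)\[(?P<module>[^!\]]+)!(?P<func>[^\]]+)\]\s+(?P<value>[0-9A-Fa-f]{8})$")
# 'Device [-> ]\Driver\<x> \Device\<y> <target>' : '->' marks a redirected device object
DEVICE_RE = re.compile(r"^Device\s+(?P<redir>->\s+)?(?P<driver>\\Driver\\\S+)\s+(?P<device>\\Device\\\S+)\s+(?P<target>\S+)$")
# Assumption for this example: tsk####.tmp is TDSSKiller's own temporary driver (tool was run earlier)
TSK_RE = re.compile(r"^tsk[0-9a-f]{4}\.tmp$")
MIN_HOOKS = 3  # heuristic threshold chosen for this example


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def looks_random(filename: str) -> bool:
    """Heuristic for TDL3-style names: eight alphanumerics mixing letters and digits (adgj66k8.SYS)."""
    stem = basename(filename).rsplit(".", 1)[0]
    return (len(stem) == 8 and stem.isalnum()
            and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem))


def parse_gmer(text: str) -> Dict[str, object]:
    """Pull the three line kinds we care about out of a GMER log; everything else is ignored."""
    missing: List[str] = []
    iat: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    devices: List[Tuple[bool, str, str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = MISSING_RE.match(line)
        if m:
            missing.append(m.group("path"))
            continue
        m = IAT_RE.match(line)
        if m:
            iat[basename(m.group("image"))].append((m.group("module") + "!" + m.group("func"), m.group("value")))
            continue
        m = DEVICE_RE.match(line)
        if m:
            devices.append((bool(m.group("redir")), m.group("driver"), m.group("device"), m.group("target")))
    return {"missing": missing, "iat": dict(iat), "devices": devices}


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; severities are a reading aid, not a verdict."""
    p = parse_gmer(text)
    findings: List[Tuple[str, str]] = []
    # The module GMER shows for \Driver\sptd is the SPTD layer (Daemon Tools/Alcohol), which hides its own file.
    sptd_modules = {basename(t) for _r, drv, _d, t in p["devices"] if basename(drv) == "sptd"}
    for redir, drv, dev, target in p["devices"]:
        if redir:
            findings.append(("HIGH", f"device object redirected: {drv} {dev} -> {target} (disk I/O hooked, TDL3 pattern)"))
    for image, hooks in p["iat"].items():
        mods = ", ".join(sorted({h[0].split("!")[0] for h in hooks}))
        sev = "HIGH" if looks_random(image) and len(hooks) >= MIN_HOOKS else "MEDIUM"
        note = " in a random-looking driver name" if sev == "HIGH" else ""
        findings.append((sev, f"{image}: {len(hooks)} hooked imports from {mods}{note}"))
    for path in p["missing"]:
        name = basename(path)
        if name in sptd_modules:
            findings.append(("INFO", f"{name}: hidden file belongs to \\Driver\\sptd (SPTD), expected"))
        elif TSK_RE.match(name):
            findings.append(("INFO", f"{name}: TDSSKiller temp-driver name (assumed benign leftover)"))
        else:
            findings.append(("MEDIUM", f"{path}: loaded driver whose file cannot be found on disk"))
    return findings


def summarize(text: str) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for sev, _msg in triage(text):
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Sample input: lines copied verbatim from the GMER log posted in this thread.
SAMPLE_LOG = r"""
? system32\drivers\klmdb.sys The system cannot find the path specified. !
? System32\Drivers\spro.sys The system cannot find the path specified. !
? system32\drivers\tsk5E45.tmp The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 901B4CA0 5 Bytes JMP 87BA91D8
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortNotification] 00147880
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortStallExecution] C25DC033
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
Device \Driver\sptd \Device\3246472460 spro.sys
Device \Driver\adgj66k8 \Device\Scsi\adgj66k81 87DC11F8
Device -> \Driver\atapi \Device\Harddisk0\DR0 86C7EAC8
"""

if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {msg}")
```

Run it against a saved log with `triage(open("gmer.log").read())`. The point of the downgrades is to stop a responder chasing SPTD or a scanner's own leftover driver; the `->` device redirect and the hooked `ataport.SYS` table in a random-named driver are the findings that actually justify running TDSSKiller.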

#15 Parys

Parys
  • Topic Starter

  • Members
  • 32 posts
  • Gender:Female

Posted 25 April 2010 - 02:46 PM

I didn't have to redownload TDSSKiller since I already had it from last time, here's the logs:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-25 12:43:40
Windows 6.1.7600
Running: 2v7dgihj.exe; Driver: C:\Users\MISSPA~1\AppData\Local\Temp\kwtdyuow.sys


---- System - GMER 1.0.15 ----

SSDT 86DFA4E8 ZwAlertResumeThread
SSDT 86DF2B00 ZwAlertThread
SSDT 86DF38B8 ZwAllocateVirtualMemory
SSDT 86BAC200 ZwAlpcConnectPort
SSDT 86D74DE0 ZwAssignProcessToJobObject
SSDT 86DFBDF0 ZwCreateMutant
SSDT 86E01468 ZwCreateSymbolicLinkObject
SSDT 86DFB008 ZwCreateThread
SSDT 86E01558 ZwCreateThreadEx
SSDT 86D74EC0 ZwDebugActiveProcess
SSDT 86D85B18 ZwDuplicateObject
SSDT 86DF26D0 ZwFreeVirtualMemory
SSDT 86DBAAA8 ZwImpersonateAnonymousToken
SSDT 86DBAB88 ZwImpersonateThread
SSDT 86BD4E00 ZwLoadDriver
SSDT 86DF25D0 ZwMapViewOfSection
SSDT 86DFBD10 ZwOpenEvent
SSDT 86DFB0F8 ZwOpenProcess
SSDT 86D85A38 ZwOpenProcessToken
SSDT 86EA6310 ZwOpenSection
SSDT 86D85BE8 ZwOpenThread
SSDT 86E01638 ZwProtectVirtualMemory
SSDT 86D5C680 ZwResumeThread
SSDT 86DFB388 ZwSetContextThread
SSDT 86DFB468 ZwSetInformationProcess
SSDT 86EA61C8 ZwSetSystemInformation
SSDT 86EA63F0 ZwSuspendProcess
SSDT 86EA6650 ZwSuspendThread
SSDT 86DF2E88 ZwTerminateProcess
SSDT 86EA6730 ZwTerminateThread
SSDT 86DFB558 ZwUnmapViewOfSection
SSDT 86DF37C8 ZwWriteVirtualMemory

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8301BAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8301B104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8301B3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83003634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83003898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8301B1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8301B958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8301B6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8301BF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8301C1A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8307B599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8309FF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 224 830A7734 8 Bytes CALL 839156DD
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 830A774C 4 Bytes [B8, 38, DF, 86]
.text ntkrnlpa.exe!RtlSidHashLookup + 248 830A7758 4 Bytes [00, C2, BA, 86]
.text ntkrnlpa.exe!RtlSidHashLookup + 29C 830A77AC 4 Bytes [E0, 4D, D7, 86]
.text ntkrnlpa.exe!RtlSidHashLookup + 318 830A7828 4 Bytes [F0, BD, DF, 86]
.text ...
? system32\drivers\klmdb.sys The system cannot find the path specified. !
? System32\Drivers\spro.sys The system cannot find the path specified. !
? system32\drivers\tsk5E45.tmp The system cannot find the path specified. !
.text C:\windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8B528000, 0x3C849, 0xE8000020]
.dsrt C:\windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8B56D000, 0x3DC, 0x48000040]
.text C:\windows\system32\DRIVERS\atikmdag.sys section is writeable [0x92838000, 0x2D5526, 0xE8000020]
.text USBPORT.SYS!DllUnload 901B4CA0 5 Bytes JMP 87BA91D8
.text adgj66k8.SYS 95620000 2 Bytes [44, 68]
.text adgj66k8.SYS 95620003 9 Bytes [83, EE, 66, 00, 83, A0, 47, ...] {SUB ESI, 0x66; ADD [EBX-0x7cffb860], AL}
.text adgj66k8.SYS 9562000D 9 Bytes [47, 00, 83, 48, 6B, 00, 83, ...] {INC EDI; ADD [EBX-0x7cff94b8], AL; ADD [EAX], AL}
.text adgj66k8.SYS 95620017 170 Bytes [00, DE, 27, F2, 8A, E6, 25, ...]
.text adgj66k8.SYS 956200C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text peauth.sys 99B50C9D 28 Bytes [04, 68, BA, 7D, F1, F7, 4B, ...]
.text peauth.sys 99B50CC1 28 Bytes [04, 68, BA, 7D, F1, F7, 4B, ...]
PAGE peauth.sys 99B56E20 101 Bytes [09, A3, D9, 44, 28, B7, 47, ...]
PAGE peauth.sys 99B5702C 102 Bytes [90, 00, 38, 29, C4, D2, 58, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\windows\system32\svchost.exe[1064] ntdll.dll!NtProtectVirtualMemory 773B5360 5 Bytes JMP 0012000A
.text C:\windows\system32\svchost.exe[1064] ntdll.dll!NtWriteVirtualMemory 773B5EE0 5 Bytes JMP 002D000A
.text C:\windows\system32\svchost.exe[1064] ntdll.dll!KiUserExceptionDispatcher 773B6448 5 Bytes JMP 0011000A
.text C:\windows\Explorer.EXE[2284] ntdll.dll!NtProtectVirtualMemory 773B5360 5 Bytes JMP 0027000A
.text C:\windows\Explorer.EXE[2284] ntdll.dll!NtWriteVirtualMemory 773B5EE0 5 Bytes JMP 004E000A
.text C:\windows\Explorer.EXE[2284] ntdll.dll!KiUserExceptionDispatcher 773B6448 5 Bytes JMP 0026000A
.text C:\Program Files\Pando Networks\Media Booster\PMB.exe[3416] kernel32.dll!SetUnhandledExceptionFilter 75973162 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] ntdll.dll!NtProtectVirtualMemory 773B5360 5 Bytes JMP 002C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] ntdll.dll!NtWriteVirtualMemory 773B5EE0 5 Bytes JMP 002D000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] ntdll.dll!KiUserExceptionDispatcher 773B6448 5 Bytes JMP 001B000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] USER32.dll!CreateWindowExW 75CB0E51 5 Bytes JMP 6DA780F7 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] USER32.dll!DialogBoxIndirectParamW 75CD4AA7 5 Bytes JMP 6DB9F218 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] USER32.dll!DialogBoxParamW 75CD564A 5 Bytes JMP 6D994B7F C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] USER32.dll!DialogBoxParamA 75CECF6A 5 Bytes JMP 6DB9F1B5 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] USER32.dll!DialogBoxIndirectParamA 75CED29C 5 Bytes JMP 6DB9F27B C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] USER32.dll!MessageBoxIndirectA 75CFE8C9 5 Bytes JMP 6DB9F14A C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] USER32.dll!MessageBoxIndirectW 75CFE9C3 5 Bytes JMP 6DB9F0DF C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] USER32.dll!MessageBoxExA 75CFEA29 5 Bytes JMP 6DB9F07D C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5612] USER32.dll!MessageBoxExW 75CFEA4D 5 Bytes JMP 6DB9F01B C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5788] ntdll.dll!NtProtectVirtualMemory 773B5360 5 Bytes JMP 001C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5788] ntdll.dll!NtWriteVirtualMemory 773B5EE0 5 Bytes JMP 001D000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5788] ntdll.dll!KiUserExceptionDispatcher 773B6448 5 Bytes JMP 001B000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5788] USER32.dll!UnhookWindowsHookEx 75CACC7B 5 Bytes JMP 6DA882FA C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5788] USER32.dll!CallNextHookEx 75CACC8F 5 Bytes JMP 6DA69D00 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5788] USER32.dll!CreateWindowExW 75CB0E51 5 Bytes JMP 6DA780F7 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5788] USER32.dll!SetWindowsHookExW 75CB210A 5 Bytes JMP 6DA245DB C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5788] USER32.dll!DialogBoxIndirectParamW 75CD4AA7 5 Bytes JMP 6DB9F218 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5788] USER32.dll!DialogBoxParamW 75CD564A 5 Bytes JMP 6D994B7F C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5788] USER32.dll!DialogBoxParamA 75CECF6A 5 Bytes JMP 6DB9F1B5 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5788] USER32.dll!DialogBoxIndirectParamA 75CED29C 5 Bytes JMP 6DB9F27B C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5788] USER32.dll!MessageBoxIndirectA 75CFE8C9 5 Bytes JMP 6DB9F14A C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5788] USER32.dll!MessageBoxIndirectW 75CFE9C3 5 Bytes JMP 6DB9F0DF C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5788] USER32.dll!MessageBoxExA 75CFEA29 5 Bytes JMP 6DB9F07D C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5788] USER32.dll!MessageBoxExW 75CFEA4D 5 Bytes JMP 6DB9F01B C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5788] ole32.dll!OleLoadFromStream 757C5B88 5 Bytes JMP 6DB9F576 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5788] ole32.dll!CoCreateInstance 758157FC 5 Bytes JMP 6DA78BE5 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortNotification] 00147880
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortStallExecution] C25DC033
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortInitialize] 157B805E
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500
IAT \SystemRoot\System32\Drivers\adgj66k8.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3432] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75415E25] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3432] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75415E25] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3432] @ C:\windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75415E25] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3432] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75415E25] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3432] @ C:\windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [75415E25] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3432] @ C:\windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [75415E25] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3432] @ C:\windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [75415E25] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\WININET.dll [ADVAPI32.dll!RegOpenKeyExW] [005E8483] C:\Program Files\AIM\aim.exe (AOL Instant Messenger/AOL Inc.)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\WININET.dll [ADVAPI32.dll!RegQueryValueExA] [005E8415] C:\Program Files\AIM\aim.exe (AOL Instant Messenger/AOL Inc.)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\CRYPT32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\AIM\aim.exe[3540] @ C:\windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 859C11F8
Device \Driver\sptd \Device\3246472460 spro.sys

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\volmgr \Device\VolMgrControl 859BD1F8
Device \Driver\usbohci \Device\USBPDO-0 87BAB500
Device \Driver\usbohci \Device\USBPDO-1 87BAB500
Device \Driver\usbehci \Device\USBPDO-2 87C351F8
Device \Driver\usbohci \Device\USBPDO-3 87BAB500
Device \Driver\usbohci \Device\USBPDO-4 87BAB500

AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbehci \Device\USBPDO-5 87C351F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{E85A0974-B3BD-4192-9280-E058C6D36FD3} 86BAB1F8
Device \Driver\volmgr \Device\HarddiskVolume1 859BD1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume2 859BD1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\cdrom \Device\CdRom0 86BBE1F8
Device \Driver\cdrom \Device\CdRom1 86BBE1F8
Device \Driver\msahci \Device\Ide\PciIde0Channel0 859BF1F8
Device \Driver\msahci \Device\Ide\PciIde0Channel1 859BF1F8
Device \Driver\msahci \Device\Ide\PciIde0Channel2 859BF1F8
Device \Driver\msahci \Device\Ide\PciIde0Channel3 859BF1F8
Device \Driver\msahci \Device\Ide\PciIde0Channel4 859BF1F8
Device \Driver\msahci \Device\Ide\PciIde0Channel5 859BF1F8
Device \Driver\volmgr \Device\HarddiskVolume3 859BD1F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\PCI_PNP0449 \Device\00000068 spro.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 86BAB1F8
Device \Driver\ACPI_HAL \Device\0000005a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbohci \Device\USBFDO-0 87BAB500
Device \Driver\usbohci \Device\USBFDO-1 87BAB500
Device \Driver\NetBT \Device\NetBT_Tcpip_{1C832CF3-F3E0-4F7C-931F-1CFCAE5C41C7} 86BAB1F8
Device \Driver\usbehci \Device\USBFDO-2 87C351F8
Device \Driver\usbohci \Device\USBFDO-3 87BAB500
Device \Driver\usbohci \Device\USBFDO-4 87BAB500
Device \Driver\usbehci \Device\USBFDO-5 87C351F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{ED0AC351-6E28-424E-BA68-EF42B2EE8FB7} 86BAB1F8
Device \Driver\adgj66k8 \Device\Scsi\adgj66k81Port6Path0Target0Lun0 87DC11F8
Device \Driver\adgj66k8 \Device\Scsi\adgj66k81 87DC11F8
Device -> \Driver\atapi \Device\Harddisk0\DR0 86C7EAC8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0x0D 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9C 0x93 0xC0 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x46 0x4A 0x15 0x57 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x6F 0xC8 0xA0 0x65 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0x0D 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9C 0x93 0xC0 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x46 0x4A 0x15 0x57 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x6F 0xC8 0xA0 0x65 ...

---- Files - GMER 1.0.15 ----

File C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100424.020 0 bytes
File C:\windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

12:29:11:483 4800 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
12:29:11:483 4800 ================================================================================
12:29:11:483 4800 SystemInfo:

12:29:11:483 4800 OS Version: 6.1.7600 ServicePack: 0.0
12:29:11:483 4800 Product type: Workstation
12:29:11:483 4800 ComputerName: MISSPARYS-PC
12:29:11:483 4800 UserName: MissParys
12:29:11:483 4800 Windows directory: C:\windows
12:29:11:483 4800 Processor architecture: Intel x86
12:29:11:483 4800 Number of processors: 2
12:29:11:483 4800 Page size: 0x1000
12:29:11:483 4800 Boot type: Normal boot
12:29:11:483 4800 ================================================================================
12:29:11:499 4800 UnloadDriverW: NtUnloadDriver error 2
12:29:11:499 4800 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
12:29:11:702 4800 wfopen_ex: Trying to open file C:\windows\system32\config\system
12:29:11:702 4800 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:29:11:702 4800 wfopen_ex: Trying to KLMD file open
12:29:11:702 4800 wfopen_ex: File opened ok (Flags 2)
12:29:11:717 4800 wfopen_ex: Trying to open file C:\windows\system32\config\software
12:29:11:717 4800 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:29:11:717 4800 wfopen_ex: Trying to KLMD file open
12:29:11:717 4800 wfopen_ex: File opened ok (Flags 2)
12:29:11:733 4800 Initialize success
12:29:11:733 4800
12:29:11:733 4800 Scanning Services ...
12:29:14:713 4800 Raw services enum returned 482 services
12:29:14:744 4800
12:29:14:744 4800 Scanning Kernel memory ...
12:29:14:744 4800 Devices to scan: 1
12:29:14:744 4800
12:29:14:744 4800 Driver Name: atapi
12:29:14:744 4800 IRP_MJ_CREATE : 86A93AC8
12:29:14:744 4800 IRP_MJ_CREATE_NAMED_PIPE : 86A93AC8
12:29:14:744 4800 IRP_MJ_CLOSE : 86A93AC8
12:29:14:744 4800 IRP_MJ_READ : 86A93AC8
12:29:14:744 4800 IRP_MJ_WRITE : 86A93AC8
12:29:14:744 4800 IRP_MJ_QUERY_INFORMATION : 86A93AC8
12:29:14:744 4800 IRP_MJ_SET_INFORMATION : 86A93AC8
12:29:14:744 4800 IRP_MJ_QUERY_EA : 86A93AC8
12:29:14:744 4800 IRP_MJ_SET_EA : 86A93AC8
12:29:14:744 4800 IRP_MJ_FLUSH_BUFFERS : 86A93AC8
12:29:14:744 4800 IRP_MJ_QUERY_VOLUME_INFORMATION : 86A93AC8
12:29:14:744 4800 IRP_MJ_SET_VOLUME_INFORMATION : 86A93AC8
12:29:14:744 4800 IRP_MJ_DIRECTORY_CONTROL : 86A93AC8
12:29:14:744 4800 IRP_MJ_FILE_SYSTEM_CONTROL : 86A93AC8
12:29:14:744 4800 IRP_MJ_DEVICE_CONTROL : 86A93AC8
12:29:14:744 4800 IRP_MJ_INTERNAL_DEVICE_CONTROL : 86A93AC8
12:29:14:744 4800 IRP_MJ_SHUTDOWN : 86A93AC8
12:29:14:744 4800 IRP_MJ_LOCK_CONTROL : 86A93AC8
12:29:14:744 4800 IRP_MJ_CLEANUP : 86A93AC8
12:29:14:744 4800 IRP_MJ_CREATE_MAILSLOT : 86A93AC8
12:29:14:744 4800 IRP_MJ_QUERY_SECURITY : 86A93AC8
12:29:14:744 4800 IRP_MJ_SET_SECURITY : 86A93AC8
12:29:14:744 4800 IRP_MJ_POWER : 86A93AC8
12:29:14:744 4800 IRP_MJ_SYSTEM_CONTROL : 86A93AC8
12:29:14:744 4800 IRP_MJ_DEVICE_CHANGE : 86A93AC8
12:29:14:744 4800 IRP_MJ_QUERY_QUOTA : 86A93AC8
12:29:14:744 4800 IRP_MJ_SET_QUOTA : 86A93AC8
12:29:14:744 4800 Driver "atapi" infected by TDSS rootkit!
12:29:14:775 4800 C:\windows\system32\drivers\atapi.sys - Verdict: 1
12:29:14:775 4800 File "C:\windows\system32\drivers\atapi.sys" infected by TDSS rootkit ... 12:29:14:775 4800 Processing driver file: C:\windows\system32\drivers\atapi.sys
12:29:15:727 4800 vfvi6
12:29:15:805 4800 dsvbh1
12:29:17:661 4800 fdfb1
12:29:17:661 4800 Backup copy found, using it..
12:29:17:833 4800 will be cured on next reboot
12:29:17:833 4800 Reboot required for cure complete..
12:29:17:957 4800 Cure on reboot scheduled successfully
12:29:17:957 4800
12:29:17:957 4800 Completed
12:29:17:957 4800
12:29:17:957 4800 Results:
12:29:17:957 4800 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
12:29:17:957 4800 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:29:17:957 4800 File objects infected / cured / cured on reboot: 1 / 0 / 1
12:29:17:957 4800
12:29:17:957 4800 fclose_ex: Trying to close file C:\windows\system32\config\system
12:29:17:957 4800 fclose_ex: Trying to close file C:\windows\system32\config\software
12:29:17:957 4800 UnloadDriverW: NtUnloadDriver error 1
12:29:18:082 4800 KLMD(ARK) unloaded successfully
