[RESOLVED] rootkit.win32.tdss.d


22 replies to this topic

#1 flippylip

    Member

  • 12 posts
  • Joined: August 07, 2010
  • 2 topics
  • Gender:Female
  • OS:Windows XP

Posted 07 August 2010 - 12:59 AM

Hello Everyone,

I am new here and I have this rootkit on my computer, and Kaspersky cannot remove it.

Can someone help me get rid of it?

Someone else said that I should upgrade to the newest version of Kaspersky and that would take care of the problem, but I can't afford it. And if I did upgrade Kaspersky, wouldn't I lose my key?

Please help!!!


Thank you.

#2 Broni Re: [RESOLVED] rootkit.win32.tdss.d

    Malware Annihilator

  • 24,879 posts
  • Joined: October 04, 2004
  • 1,859 topics
  • Age: 57
  • Zodiac:Virgo
  • Gender:Male
  • Location:Daly City, CA
  • OS:Windows Vista

Posted 07 August 2010 - 01:02 AM

Welcome aboard

Please, complete all steps listed here: http://www.smartestc...ease-read-this/

#3 flippylip Re: [RESOLVED] rootkit.win32.tdss.d

    Member

  • 12 posts
  • Joined: August 07, 2010
  • 2 topics
  • Gender:Female
  • OS:Windows XP

Posted 07 August 2010 - 08:35 PM

[quote name='Broni' date='06 August 2010 - 09:02 PM' timestamp='1281142945' post='151655']
Welcome aboard

Please, complete all steps listed here: http://www.smartestc...ease-read-this/
[/quote]

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4404

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

8/7/2010 2:09:44 PM
mbam-log-2010-08-07 (14-09-44).txt

Scan type: Quick scan
Objects scanned: 126276
Time elapsed: 11 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-07 16:14:07
Windows 5.1.2600 Service Pack 3
Running: nczboyve.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ufwyypog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xEF8131DA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwClose [0xEF8137AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0xEF8151EA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xEF814B9C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateKey [0xEF812950]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xEF816B7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateThread [0xEF8135AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0xEF812D92]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteValueKey [0xEF812F92]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xEF814EAC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDuplicateObject [0xEF817084]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xEF8130A8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xEF813110]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0xEF814D5E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xEF816620]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0xEF8149F8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenKey [0xEF812AB2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenProcess [0xEF8133B2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0xEF816BA6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenThread [0xEF8132FE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryKey [0xEF813178]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xEF812E7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryValueKey [0xEF812C5A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0xEF816888]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0xEF8125D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xEF815A74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRestoreKey [0xEF812734]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0xEF816F56]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0xEF8123D0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0xEF81508C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetContextThread [0xEF8136AC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0xEF81671A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0xEF816BD0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetValueKey [0xEF812B08]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xEF816CB4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xEF816DE0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0xEF81654C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwTerminateProcess [0xEF81347E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xEF8134F0]

INT 0x62 ? 82FDEBF8
INT 0x63 ? 82E4EBF8
INT 0x73 ? 82E4EBF8
INT 0x82 ? 82FDEBF8
INT 0xA4 ? 82E4EBF8
INT 0xB4 ? 82E4EBF8

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + C8 804E2734 4 Bytes JMP 06EF8151
.text ntoskrnl.exe!_abnormal_termination + 440 804E2AAC 12 Bytes [B4, 6C, 81, EF, E0, 6D, 81, ...]
.text ntoskrnl.exe!IoIsOperationSynchronous 804E876A 5 Bytes JMP EF82A9E0 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 80512939 5 Bytes JMP EF82A626 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
? spee.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F7D738AC 5 Bytes JMP 82E4E1D8

---- User code sections - GMER 1.0.15 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[616] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[616] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 41, 6D] {JO 0x13; INC ECX; INSD }
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[1608] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[1608] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 41, 6D] {JO 0x13; INC ECX; INSD }
.text c:\program files\Mozilla Firefox\firefox.exe[3592] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 c:\program files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82F742D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F8729D4C] spee.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F8729DA0] spee.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F86F9042] spee.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F86F913E] spee.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F86F90C0] spee.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F86F9800] spee.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F86F96D6] spee.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82E4E2D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F8708E9C] spee.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[ntoskrnl.exe!IoCreateDevice] [F7F46C00] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [F7F46D50] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoCreateDevice] [F7F46C00] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [F7F46D50] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\ipnat.sys[ntoskrnl.exe!IoCreateDevice] [F7F46C00] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[ntoskrnl.exe!IoCreateDevice] [F7F46C00] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateDevice] [F7F46C00] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\netbios.sys[ntoskrnl.exe!IoCreateDevice] [F7F46C00] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!IoCreateDevice] [F7F46C00] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IoCreateDevice] [F7F46C00] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Fips.SYS[ntoskrnl.exe!IoCreateDevice] [F7F46C00] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Cdfs.SYS[ntoskrnl.exe!IoCreateDevice] [F7F46C00] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\usbprint.sys[ntoskrnl.exe!IoCreateDevice] [F7F46C00] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\HIDCLASS.SYS[ntoskrnl.exe!IoCreateDevice] [F7F46C00] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\STREAM.SYS[NTOSKRNL.EXE!IoCreateDevice] [F7F46C00] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\mouhid.sys[ntoskrnl.exe!IoCreateDevice] [F7F46C00] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[ntoskrnl.exe!IoCreateDevice] [F7F46C00] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\wdmaud.sys[ntoskrnl.exe!IoCreateDevice] [F7F46C00] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\sysaudio.sys[ntoskrnl.exe!IoCreateDevice] [F7F46C00] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\mrxdav.sys[ntoskrnl.exe!IoCreateDevice] [F7F46C00] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateDevice] [F7F46C00] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Fastfat.SYS[ntoskrnl.exe!IoCreateDevice] [F7F46C00] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\HTTP.sys[ntoskrnl.exe!IoCreateDevice] [F7F46C00] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\kmixer.sys[ntoskrnl.exe!IoCreateDevice] [F7F46C00] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 82FDD1F8

AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm228.sys (Acronis Try&Decide Volume Filter Driver/Acronis)

Device \FileSystem\Fastfat \FatCdrom 829B1500

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\usbuhci \Device\USBPDO-0 82E4D1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 82F721F8
Device \Driver\dmio \Device\DmControl\DmConfig 82F721F8
Device \Driver\dmio \Device\DmControl\DmPnP 82F721F8
Device \Driver\dmio \Device\DmControl\DmInfo 82F721F8
Device \Driver\usbuhci \Device\USBPDO-1 82E4D1F8
Device \Driver\usbuhci \Device\USBPDO-2 82E4D1F8
Device \Driver\usbehci \Device\USBPDO-3 82E2B1F8

AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\Ftdisk \Device\HarddiskVolume1 82FDF1F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpm228.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 sr.sys (System Restore Filesystem Filter Driver/Microsoft Corporation)

Device \Driver\Ftdisk \Device\HarddiskVolume2 82FDF1F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpm228.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 sr.sys (System Restore Filesystem Filter Driver/Microsoft Corporation)

Device \Driver\Cdrom \Device\CdRom0 82E141F8
Device \Driver\atapi \Device\Ide\IdePort0 [F864CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F864CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F864CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F864CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 [F864CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 82A83500
Device \Driver\NetBT \Device\NetbiosSmb 82A83500

AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

Device \Driver\usbuhci \Device\USBFDO-0 82E4D1F8
Device \Driver\usbuhci \Device\USBFDO-1 82E4D1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82A5B1F8
Device \Driver\usbuhci \Device\USBFDO-2 82E4D1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 82A5B1F8
Device \Driver\usbehci \Device\USBFDO-3 82E2B1F8
Device \Driver\Ftdisk \Device\FtControl 82FDF1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{9AFAA3DA-2406-482C-90F2-73DCC33E849D} 82A83500
Device \FileSystem\Fastfat \Fat 829B1500

AttachedDevice \FileSystem\Fastfat \Fat tdrpm228.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 82A121F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

---- EOF - GMER 1.0.15 ----


OTL logfile created on: 8/7/2010 4:18:03 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Administrator\Desktop\My Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 186.00 Mb Available Physical Memory | 37.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 120.48 Gb Free Space | 80.84% Space Free | Partition Type: NTFS
Drive D: | 55.93 Gb Total Space | 31.62 Gb Free Space | 56.53% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL-B9D0F5ABDA
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/08/07 16:14:33 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\My Downloads\OTL.exe
PRC - [2010/05/27 11:44:26 | 001,565,960 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
PRC - [2010/05/27 11:44:16 | 001,471,752 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
PRC - [2010/05/20 17:19:16 | 000,088,176 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2010/03/27 13:14:26 | 000,160,328 | ---- | M] (Siber Systems) -- C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
PRC - [2008/04/13 23:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2001/10/08 16:21:28 | 000,053,248 | ---- | M] (Silitek Corp.) -- C:\Program Files\LexmarkX73\ACMonitor_X73.exe
PRC - [2001/07/11 12:08:38 | 000,053,248 | ---- | M] (Jetsoft Development Company) -- C:\Program Files\LexmarkX73\AcBtnMgr_X73.exe


========== Modules (SafeList) ==========

MOD - [2010/08/07 16:14:33 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\My Downloads\OTL.exe
MOD - [2008/11/11 21:00:02 | 000,011,016 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\kloehk.dll
MOD - [2008/11/11 20:59:38 | 000,083,208 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\adialhk.dll
MOD - [2008/04/13 23:42:08 | 000,250,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ime\SPTIP.dll
MOD - [2008/04/13 23:42:02 | 000,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp60.dll
MOD - [2008/04/13 23:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2008/04/13 16:13:20 | 000,062,976 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ime\SPGRMR.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - File not found [Auto | Stopped] -- -- (0321951243778897mcinstcleanup)
SRV - [2010/05/27 11:44:26 | 001,565,960 | ---- | M] (Raxco Software, Inc.) [Auto | Running] -- C:\Program Files\Raxco\PerfectDisk\PDAgent.exe -- (PDAgent)
SRV - [2010/05/27 11:44:16 | 001,471,752 | ---- | M] (Raxco Software, Inc.) [On_Demand | Running] -- C:\Program Files\Raxco\PerfectDisk\PDEngine.exe -- (PDEngine)
SRV - [2010/05/20 17:19:16 | 000,088,176 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2009/07/21 10:50:48 | 000,208,616 | ---- | M] (Kaspersky Lab) [Auto | Running] -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe -- (AVP)
SRV - [2008/12/22 10:18:14 | 000,410,976 | ---- | M] (mst software GmbH, Germany) [On_Demand | Stopped] -- C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe -- (DfSdkS)
SRV - [2005/11/14 01:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\drivers\TLRecAgent.sys -- (TLRecAgent)
DRV - File not found [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\drivers\ujkq.sys -- (kctwb)
DRV - [2010/05/18 19:16:17 | 000,722,416 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2010/05/18 18:54:03 | 000,902,592 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpm228.sys -- (tdrpman228) Acronis Try&Decide and Restore Points filter (build 228)
DRV - [2010/05/18 18:53:46 | 000,138,208 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2009/12/22 11:33:08 | 000,135,184 | ---- | M] (Raxco Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\DefragFs.sys -- (DefragFS)
DRV - [2009/12/21 05:37:45 | 000,033,808 | ---- | M] (Kaspersky Lab) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\klbg.sys -- (klbg)
DRV - [2009/05/14 18:31:22 | 000,226,832 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2008/07/21 18:34:36 | 000,121,872 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1)
DRV - [2008/04/30 18:06:48 | 000,024,592 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klim5.sys -- (klim5)
DRV - [2008/03/13 19:02:46 | 000,026,640 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klfltdev.sys -- (KLFLTDEV)
DRV - [2008/02/27 13:49:00 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
DRV - [2007/10/25 18:31:08 | 000,616,064 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PFC027.SYS -- (PAC207)
DRV - [2001/10/12 08:33:12 | 000,018,024 | ---- | M] ( ) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lxarscan.sys -- (LXARScan)
DRV - [2001/08/17 14:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Bing"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.bing.com/"
FF - prefs.js..extensions.enabledItems: {DCBD1271-D228-4082-9FBC-36D9B7660B03}:1.1.9.1
FF - prefs.js..extensions.enabledItems: {4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}:0.6.7
FF - prefs.js..extensions.enabledItems: {9125C9CB-BE2B-4389-A0C7-46A4BDD46AEA}:0.6.0.1
FF - prefs.js..extensions.enabledItems: {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}:0.4.4
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.2
FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:6.9.98
FF - prefs.js..extensions.enabledItems: {4BBDD651-70CF-4821-84F8-2B918CF89CA3}:6.3.3.2
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: trackerwatcher@privacychoice.org:1.0.8
FF - prefs.js..extensions.enabledItems: spellbound@sourceforge.net:4.0.0
FF - prefs.js..keyword.URL: "http://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=NSC-A&o=14095&locale=en_US&q="

FF - HKLM\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2009/05/17 11:20:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/08/06 12:36:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: c:\program files\Mozilla Firefox\components [2010/07/26 12:11:06 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: c:\program files\Mozilla Firefox\plugins [2010/07/26 12:11:06 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\THBExt [2009/12/21 03:16:48 | 000,000,000 | ---D | M]

[2009/05/14 16:01:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/08/07 14:01:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\extensions
[2010/03/27 11:55:19 | 000,000,000 | ---D | M] (Image Zoom) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}
[2010/04/28 11:32:53 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/07/15 05:07:22 | 000,000,000 | ---D | M] (FEBE) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
[2010/03/27 11:55:20 | 000,000,000 | ---D | M] (Ad blocker) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}
[2010/07/22 21:16:14 | 000,000,000 | ---D | M] (deskCut) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\extensions\{9125C9CB-BE2B-4389-A0C7-46A4BDD46AEA}
[2010/03/27 11:55:21 | 000,000,000 | ---D | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\extensions\{DCBD1271-D228-4082-9FBC-36D9B7660B03}
[2010/07/12 11:03:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\extensions\spellbound@sourceforge.net
[2010/06/25 11:53:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\extensions\trackerwatcher@privacychoice.org
[2009/05/25 19:57:46 | 000,002,238 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\searchplugins\askcom.xml
[2009/07/02 17:05:04 | 000,002,164 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\searchplugins\bing.xml
[2010/08/06 19:01:42 | 000,001,942 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\searchplugins\mycroft-project.xml
[2010/08/07 14:01:53 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/09 13:14:19 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2008/06/18 02:43:04 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll

O1 HOSTS File: ([2001/08/23 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (TwcToolbarBhoApp Class) - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll ()
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (The Weather Channel Toolbar) - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll ()
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [Lexmark X73 Button Manager] C:\Program Files\LexmarkX73\AcBtnMgr_X73.exe (Jetsoft Development Company)
O4 - HKLM..\Run: [Lexmark X73 Button Monitor] C:\Program Files\LexmarkX73\ACMonitor_X73.exe (Silitek Corp.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [PrinTray] C:\WINDOWS\system32\spool\drivers\w32x86\3\printray.exe (Lexmark)
O4 - HKCU..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm ()
O9 - Extra Button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll (Kaspersky Lab)
O9 - Extra Button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - Reg Error: Key error. File not found
O9 - Extra 'Tools' menuitem : The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - Reg Error: Value error. File not found
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\mzvkbd3.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\adialhk.dll (Kaspersky Lab)
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\kloehk.dll (Kaspersky Lab)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/02/16 14:40:10 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (PDBoot.exe) - C:\WINDOWS\System32\PDBoot.exe (Raxco Software, Inc.)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (60530730744152064)

========== Files/Folders - Created Within 90 Days ==========

[2010/08/06 18:29:12 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/08/06 17:04:01 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/08/06 13:12:34 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2010/08/04 14:14:06 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2010/08/04 13:43:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/08/04 13:43:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/08/04 13:39:45 | 000,033,632 | ---- | C] (mst software GmbH, Germany) -- C:\WINDOWS\System32\DfSdkBt.exe
[2010/08/04 12:12:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\pdnshxwvd
[2010/08/04 12:12:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\rxexgvqrt
[2010/08/03 13:28:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\SpiritVG
[2010/08/03 11:56:07 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/08/03 11:55:58 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/08/03 11:55:57 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/08/02 11:29:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alawar Stargaze
[2010/08/02 11:16:10 | 000,000,000 | ---D | C] -- C:\Program Files\Snark Busters Welcome to the Club
[2010/07/30 20:57:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Vast Studios
[2010/07/30 20:55:36 | 000,000,000 | ---D | C] -- C:\Program Files\Nightfall Mysteries Asylum Conspiracy
[2010/07/28 11:13:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\TikisLab
[2010/07/27 11:57:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\TheLostKingdomProphecy
[2010/07/26 16:03:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2010/07/26 16:02:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Office Genuine Advantage
[2010/07/20 20:03:24 | 000,000,000 | ---D | C] -- C:\Program Files\Deep Blue Sea 2
[2010/07/20 13:32:47 | 000,000,000 | ---D | C] -- C:\Program Files\RealArcade
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR
[2010/07/16 16:01:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE
[2010/07/16 16:01:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK
[2010/07/16 16:01:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA
[2010/07/15 14:48:04 | 000,000,000 | ---D | C] -- C:\Program Files\Rainbow Mystery
[2010/07/13 13:00:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/07/13 12:30:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/07/04 13:13:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\GamePlastic
[2010/06/27 12:02:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\vlc
[2010/06/20 10:53:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Slingo Supreme Documents
[2010/06/20 10:52:50 | 000,000,000 | ---D | C] -- C:\Program Files\Slingo Supreme
[2010/06/05 14:24:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\The Game Equation
[2010/06/02 13:37:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\7Wonders2
[2010/06/01 18:43:56 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2010/06/01 11:08:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\MumboJumbo
[2010/05/30 11:43:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\7Wonders
[2010/05/30 11:28:22 | 000,000,000 | ---D | C] -- C:\Program Files\7 Wonders Treasures Of Seven
[2010/05/30 11:26:50 | 000,000,000 | ---D | C] -- C:\Program Files\7 Wonders
[2010/05/30 11:24:15 | 000,000,000 | ---D | C] -- C:\Program Files\7 Wonders II
[2010/05/27 11:44:20 | 000,237,320 | ---- | C] (Raxco Software, Inc.) -- C:\WINDOWS\System32\PDBoot.exe
[2010/05/19 21:08:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Redrum
[2010/05/19 21:07:50 | 000,000,000 | -HSD | C] -- C:\WINDOWS\ftpcache
[2010/05/19 20:17:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Orneon
[2010/05/19 19:34:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MythPeople
[2010/05/19 19:02:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Fenomen Games
[2010/05/18 19:15:57 | 000,000,000 | ---D | C] -- C:\Program Files\Softland
[2010/05/18 19:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Softland
[2010/05/18 19:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Softland
[2010/05/18 19:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\My Backup4all
[2010/05/18 13:57:45 | 000,000,000 | ---D | C] -- C:\Program Files\Ashampoo
[2010/05/17 14:33:09 | 000,000,000 | ---D | C] -- C:\Program Files\Azkend
[2010/05/17 14:29:47 | 000,000,000 | ---D | C] -- C:\Program Files\Trial of the Gods Ariadnes Journey
[2010/05/17 14:28:44 | 000,000,000 | ---D | C] -- C:\Program Files\Rainforest Adventure
[2010/05/17 14:21:21 | 000,000,000 | ---D | C] -- C:\Program Files\Glyph 2
[2010/05/17 14:17:48 | 000,000,000 | ---D | C] -- C:\Program Files\Glyph
[2010/04/02 11:29:47 | 000,018,024 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\lxarscan.sys

========== Files - Modified Within 90 Days ==========

[2010/08/07 16:01:00 | 000,000,250 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2010/08/07 13:48:46 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/08/07 13:48:42 | 000,000,287 | ---- | M] () -- C:\WINDOWS\X73_DS.ini
[2010/08/07 13:48:39 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/07 13:48:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/07 13:48:00 | 003,232,800 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/08/07 13:48:00 | 000,688,160 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2010/08/07 13:48:00 | 000,030,528 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/08/07 13:48:00 | 000,005,528 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2010/08/07 13:47:47 | 003,932,160 | ---- | M] () -- C:\Documents and Settings\Administrator\ntuser.dat
[2010/08/07 13:47:47 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/08/07 13:46:19 | 000,000,165 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Before you post, please read this! - Smartest Computing.url
[2010/08/06 21:16:23 | 000,000,125 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Smartest Computing.url
[2010/08/06 20:11:34 | 000,002,463 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HiJackThis.lnk
[2010/08/06 11:02:45 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/04 13:39:46 | 000,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\1-Click-Optimizer.lnk
[2010/08/04 13:39:46 | 000,000,793 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Ashampoo WinOptimizer 6.lnk
[2010/08/04 13:39:46 | 000,000,775 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ashampoo WinOptimizer 6.lnk
[2010/08/04 12:26:51 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk
[2010/08/04 12:16:54 | 000,034,308 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\mazuki.dll
[2010/08/03 20:37:08 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/08/03 19:58:51 | 000,002,538 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\cc_20100803_195842.reg
[2010/08/03 11:56:22 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/08/03 11:56:22 | 000,000,706 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/02 12:33:22 | 000,000,154 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Snark Busters_ Welcome to the Club Walkthrough _ Gamezebo.url
[2010/08/02 12:09:56 | 000,000,056 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\The Haunted Forest Of Carousel.url
[2010/07/30 20:49:26 | 000,000,190 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Nightfall Mysteries_ Asylum Conspiracy Walkthrough _ Big Fish Games Blog.url
[2010/07/29 12:49:28 | 000,113,933 | ---- | M] () -- C:\WINDOWS\System32\drivers\klin.dat
[2010/07/29 12:49:28 | 000,097,549 | ---- | M] () -- C:\WINDOWS\System32\drivers\klick.dat
[2010/07/25 12:21:29 | 000,000,280 | ---- | M] () -- C:\WINDOWS\System32\PDBootState
[2010/07/24 10:57:58 | 000,001,576 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\The Cleaner.lnk
[2010/07/24 10:50:26 | 000,001,012 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/07/21 03:05:08 | 002,122,362 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/07/21 02:09:23 | 000,000,031 | ---- | M] () -- C:\WINDOWS\popcinfo.dat
[2010/07/20 13:55:01 | 000,009,728 | ---- | M] () -- C:\WINDOWS\System32\BASSMOD.dll
[2010/07/20 12:06:01 | 000,002,086 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Meow.gif
[2010/07/16 17:22:07 | 000,293,272 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/07/16 16:06:13 | 000,542,702 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/16 16:06:13 | 000,469,718 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/16 16:06:13 | 000,083,076 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/11 17:12:44 | 000,000,465 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CT Web Pgs Misc Prog.lnk
[2010/07/05 14:21:03 | 000,001,874 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PerfectDisk 11.lnk
[2010/07/01 11:43:08 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\A PETs Ten Comm.doc
[2010/06/30 17:15:22 | 000,021,504 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Please Drive Safe.doc
[2010/06/27 11:46:44 | 000,000,049 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/06/26 18:18:31 | 000,001,284 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\RTS Folder.lnk
[2010/06/16 12:05:13 | 000,031,232 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Rodgers Resume.doc
[2010/06/01 17:53:26 | 000,000,864 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Ashampoo Burning Studio 9.lnk
[2010/05/27 11:44:20 | 000,237,320 | ---- | M] (Raxco Software, Inc.) -- C:\WINDOWS\System32\PDBoot.exe
[2010/05/25 17:26:56 | 000,070,222 | ---- | M] () -- C:\X73_DS.bmp
[2010/05/25 17:26:46 | 000,001,439 | ---- | M] () -- C:\WINDOWS\GtX73.ini
[2010/05/25 17:26:45 | 000,360,054 | ---- | M] () -- C:\WINDOWS\bound.bmp
[2010/05/19 11:22:09 | 000,000,500 | ---- | M] () -- C:\WINDOWS\tasks\b4a_New Backup.job
[2010/05/18 19:16:17 | 000,722,416 | ---- | M] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2010/05/18 19:16:03 | 000,000,950 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Backup4all Professional 4.lnk
[2010/05/17 12:57:15 | 000,032,256 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Chris Resume.doc
[2010/05/12 11:12:26 | 000,000,078 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Application Status Information - Application Status Information.url

========== Files Created - No Company Name ==========

[2100/02/23 14:35:34 | 000,000,768 | ---- | C] () -- C:\WINDOWS\x73_lut.dat
[2100/02/08 15:53:34 | 000,001,439 | ---- | C] () -- C:\WINDOWS\GtX73.ini
[2010/08/07 13:46:18 | 000,000,165 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Before you post, please read this! - Smartest Computing.url
[2010/08/06 21:16:23 | 000,000,125 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Smartest Computing.url
[2010/08/06 17:04:01 | 000,002,463 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HiJackThis.lnk
[2010/08/04 13:39:46 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\1-Click-Optimizer.lnk
[2010/08/04 13:39:46 | 000,000,793 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Ashampoo WinOptimizer 6.lnk
[2010/08/04 13:39:46 | 000,000,775 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ashampoo WinOptimizer 6.lnk
[2010/08/03 19:58:47 | 000,002,538 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\cc_20100803_195842.reg
[2010/08/03 11:56:22 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/08/03 11:56:22 | 000,000,706 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/02 12:33:22 | 000,000,154 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Snark Busters_ Welcome to the Club Walkthrough _ Gamezebo.url
[2010/08/02 12:09:56 | 000,000,056 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\The Haunted Forest Of Carousel.url
[2010/07/30 20:49:26 | 000,000,190 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Nightfall Mysteries_ Asylum Conspiracy Walkthrough _ Big Fish Games Blog.url
[2010/07/25 11:57:32 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\PDBootState
[2010/07/24 10:57:58 | 000,001,576 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\The Cleaner.lnk
[2010/07/20 12:06:00 | 000,002,086 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Meow.gif
[2010/07/16 16:01:59 | 000,000,236 | ---- | C] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/07/13 12:55:21 | 003,932,160 | ---- | C] () -- C:\Documents and Settings\Administrator\ntuser.dat
[2010/07/11 17:12:44 | 000,000,465 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\CT Web Pgs Misc Prog.lnk
[2010/06/30 17:32:47 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\A PETs Ten Comm.doc
[2010/06/30 17:06:15 | 000,021,504 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Please Drive Safe.doc
[2010/06/02 11:08:13 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Wm Ryals-Rent Address.doc
[2010/06/01 17:53:26 | 000,000,864 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Ashampoo Burning Studio 9.lnk
[2010/05/18 19:31:46 | 000,000,500 | ---- | C] () -- C:\WINDOWS\tasks\b4a_New Backup.job
[2010/05/18 19:16:17 | 000,722,416 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2010/05/18 19:16:03 | 000,000,950 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Backup4all Professional 4.lnk
[2010/05/18 13:58:28 | 000,034,308 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\mazuki.dll
[2010/05/12 11:12:26 | 000,000,078 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Application Status Information - Application Status Information.url
[2010/04/23 19:49:10 | 000,000,472 | ---- | C] () -- C:\WINDOWS\System32\Remover.ini
[2009/11/22 03:35:00 | 000,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/01 12:33:28 | 000,000,092 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2009/05/25 20:10:12 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/05/25 13:57:33 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\TwcToolbarIe7.dll
[2009/05/25 13:57:33 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\TwcToolbarBho.dll
[2009/05/18 12:54:07 | 000,009,728 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2009/05/17 21:23:26 | 000,000,401 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2009/05/17 15:22:06 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2009/05/17 14:57:57 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/05/17 14:57:56 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/05/14 19:53:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2009/02/18 18:51:05 | 000,000,077 | ---- | C] () -- C:\WINDOWS\slsetup.ini
[2008/10/27 11:56:16 | 000,000,566 | ---- | C] () -- C:\WINDOWS\System32\SP207.INI
[2005/04/28 00:22:38 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/04/28 00:22:34 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/04/28 00:22:34 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2002/12/10 00:00:00 | 001,708,032 | ---- | C] () -- C:\WINDOWS\System32\MSO97V.DLL
[2002/12/10 00:00:00 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[2002/12/10 00:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\MSORFS.DLL
[2002/12/10 00:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL
[2001/10/12 08:42:50 | 000,000,643 | ---- | C] () -- C:\WINDOWS\LEXSTAT.INI
[2001/10/12 03:42:51 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXARICO.DLL
[2001/06/27 11:29:20 | 000,001,094 | ---- | C] () -- C:\WINDOWS\Lexmark_ICM.ini
[2000/12/05 15:56:34 | 000,114,688 | ---- | C] () -- C:\WINDOWS\lxarscan.dll
[2000/10/24 09:08:36 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\LFKODAK.DLL
[2000/10/24 09:08:33 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2000/01/11 12:50:48 | 000,000,047 | ---- | C] () -- C:\WINDOWS\ACMonitor_X73.ini
[2000/01/11 12:42:22 | 000,000,287 | ---- | C] () -- C:\WINDOWS\X73_DS.ini
[1999/04/20 04:15:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\unvise32.dll

========== LOP Check ==========

[2010/05/30 11:44:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\7Wonders
[2010/08/04 13:15:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Ashampoo
[2009/05/20 22:41:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\CTXM
[2009/05/20 22:37:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\EA
[2010/08/04 13:16:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ERS G-Studio
[2009/08/11 20:28:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Faerie Solitaire
[2010/06/20 10:53:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\funkitron
[2009/05/14 16:01:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ImgBurn
[2009/05/20 22:23:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\iWin
[2009/07/11 22:12:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Octoshape
[2009/05/27 11:07:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\OfficeUpdate12
[2010/05/19 20:17:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Orneon
[2010/06/25 12:16:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\PlayFirst
[2009/07/05 13:58:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Quirky Games
[2009/05/20 22:45:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Sahmon Games
[2010/04/11 12:32:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Skip-Bo
[2010/05/18 19:15:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Softland
[2010/05/11 02:50:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SolSuite
[2009/12/30 22:29:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SpinTop
[2010/07/28 11:13:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\TikisLab
[2009/07/21 21:42:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\uTorrent
[2010/07/30 20:57:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Vast Studios
[2010/03/27 10:43:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Vso
[2009/05/14 20:00:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis
[2010/08/02 11:29:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alawar Stargaze
[2010/08/06 21:29:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AlawarWrapper
[2009/05/17 16:50:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ashampoo
[2010/04/30 16:53:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Deadtime Stories
[2010/05/19 19:02:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Fenomen Games
[2010/07/04 13:13:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GamePlastic
[2009/05/20 22:35:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HipSoft
[2010/06/05 11:54:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MumboJumbo
[2010/05/19 19:34:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MythPeople
[2009/11/09 02:15:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\page
[2010/06/25 12:16:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2010/05/04 22:11:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Playrix Entertainment
[2009/09/11 20:53:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Princess Isabella
[2010/05/19 21:08:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Redrum
[2009/05/17 22:09:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RoboForm
[2010/05/17 14:39:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sandlot Games
[2010/05/18 19:16:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Softland
[2010/07/15 14:50:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SugarGames
[2010/07/27 21:06:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/07/20 11:18:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\The Game Equation
[2010/04/22 10:51:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TreeCardGames
[2010/05/19 11:22:09 | 000,000,500 | ---- | M] () -- C:\WINDOWS\Tasks\b4a_New Backup.job
[2010/08/07 13:48:46 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job
[2010/08/07 16:01:00 | 000,000,250 | ---- | M] () -- C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/13 23:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys

< MD5 for: ATAPI.SYS >
[2008/04/13 23:51:44 | 020,056,462 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/04/13 18:10:32 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 23:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\dllcache\eventlog.dll
[2008/04/13 23:41:54 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: EXPLORER.EXE >
[2008/04/13 23:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 23:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\system32\dllcache\explorer.exe

< MD5 for: NETLOGON.DLL >
[2008/04/13 23:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\dllcache\netlogon.dll
[2008/04/13 23:42:02 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/13 23:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\dllcache\scecli.dll
[2008/04/13 23:42:06 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< MD5 for: USERINIT.EXE >
[2008/04/13 23:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\dllcache\userinit.exe
[2008/04/13 23:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/04/13 23:42:02 | 001,384,479 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\msvbvm60.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2010/05/18 19:16:17 | 000,722,416 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\sptd.sys

< %systemroot%\System32\config\*.sav >
[2004/02/16 08:13:10 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/02/16 08:13:10 | 001,089,536 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/02/16 08:13:09 | 000,888,832 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

========== Alternate Data Streams ==========

@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:33DB8278
@Alternate Data Stream - 96 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1DEE6B65
@Alternate Data Stream - 94 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7679D513
@Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D0467BDF
@Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:73D27958
@Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2398E95B
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6C75AF4C
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C5CE2DF6
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B83F1B83
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3DF63AD7
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:57DC3B52
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:848CC150
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7E5B14AE
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7B2BB690
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3D36932D
< End of report >


OTL Extras logfile created on: 8/7/2010 4:18:03 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Administrator\Desktop\My Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 186.00 Mb Available Physical Memory | 37.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 120.48 Gb Free Space | 80.84% Space Free | Partition Type: NTFS
Drive D: | 55.93 Gb Total Space | 31.62 Gb Free Space | 56.53% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL-B9D0F5ABDA
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- c:\program files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 7.0.1.325\English\setup.exe" = C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 7.0.1.325\English\setup.exe:*:Enabled:Kaspersky Internet Security 7.0 Setup -- (Kaspersky Lab)
"C:\Documents and Settings\Administrator\Local Settings\Temp\~os441.tmp\ossproxy.exe" = C:\Documents and Settings\Administrator\Local Settings\Temp\~os441.tmp\ossproxy.exe:*:Enabled:ossproxy.exe -- File not found
"C:\Program Files\RelevantKnowledge\rlvknlg.exe" = C:\Program Files\RelevantKnowledge\rlvknlg.exe:*:Enabled:rlvknlg.exe -- File not found
"C:\Program Files\Softland\Backup4all Professional 4\Backup4all.exe" = C:\Program Files\Softland\Backup4all Professional 4\Backup4all.exe:*:Enabled:Backup4all Professional 4 -- (Softland)
"C:\Program Files\Softland\Backup4all Professional 4\b4aCmd.exe" = C:\Program Files\Softland\Backup4all Professional 4\b4aCmd.exe:*:Enabled:Backup4all Professional 4 command line -- (Softland)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 15
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}" = McAfee SiteAdvisor
"{35FE11EE-9E26-4183-B627-332F9982839E}" = Microsoft Picture It! Publishing Gold 2001
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{67E4EE98-59F4-4210-89A6-A20AF5BEC689}" = Microsoft Streets and Trips 2005
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6EECB283-E65F-40EF-86D3-D51BF02A8D43}" = Microsoft Office Converter Pack
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = NASCAR Toolbar
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8CB14A64-CEF4-4C8F-B1C8-1C3B8752CB55}" = Kaspersky Internet Security 2009
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91130409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Small Business
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.3
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B7607FC8-72AD-486D-B6B7-A402D5876309}" = PerfectDisk 11 Professional
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C679F9B9-C65D-4C65-BD6C-BF90B859E281}" = PC Camera
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{C9850CA5-749A-49A8-B5C9-967D61606A70}" = Backup4all Professional 4
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CF097717-F174-4144-954A-FBC4BF301033}" = Nero 7 Ultra Edition
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{E40CE517-0D42-4198-96B4-C8232B257EB5}" = Data Lifeguard Diagnostic for Windows
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}" = Acrobat.com
"4 Elements_is1" = 4 Elements
"7 Wonders II_is1" = 7 Wonders II
"7 Wonders Treasures Of Seven_is1" = 7 Wonders Treasures Of Seven
"7 Wonders_is1" = 7 Wonders
"Adobe Acrobat 4.0" = Adobe Acrobat 4.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AI RoboForm" = AI RoboForm (All Users)
"Archipelago_is1" = Archipelago
"Ashampoo Burning Studio 9_is1" = Ashampoo Burning Studio 9.21
"Ashampoo WinOptimizer 6_is1" = Ashampoo WinOptimizer 6.01
"Astro Avenger 2_is1" = Astro Avenger 2
"Avalanche" = Avalanche
"Azkend 1.02" = Azkend 1.02
"Bejeweled 2" = Bejeweled 2
"Belarc Advisor" = Belarc Advisor 7.2
"Bespelled Deluxe 1.03" = Bespelled Deluxe 1.03
"Big Kahuna Reef 2 - Chain Reaction_is1" = Big Kahuna Reef 2 - Chain Reaction
"Bookworm Adventures 2 1.00" = Bookworm Adventures 2 1.00
"CCleaner" = CCleaner
"Chainz 2_is1" = Chainz 2
"Collapse III" = Collapse III
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"Devastation Zone Troopers_is1" = Devastation Zone Troopers
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"ESET Online Scanner" = ESET Online Scanner v3
"Faerie Solitaire_is1" = Faerie Solitaire
"Flip Words 2_is1" = Flip Words 2
"Glyph 2_is1" = Glyph 2
"Glyph_is1" = Glyph
"Hidden Wonders of the Depths 2 1.00" = Hidden Wonders of the Depths 2 1.00
"Hidden Wonders of the Depths 3 Atlantis Adventures 1.00" = Hidden Wonders of the Depths 3 Atlantis Adventures 1.00
"Hidden Wonders Of The Depths_is1" = Hidden Wonders Of The Depths
"Hoyle Board Games" = Hoyle Board Games
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ImgBurn" = ImgBurn
"InstallShield_{C679F9B9-C65D-4C65-BD6C-BF90B859E281}" = PC Camera
"InstallWIX_{8CB14A64-CEF4-4C8F-B1C8-1C3B8752CB55}" = Kaspersky Internet Security 2009
"Jewel Quest 2_is1" = Jewel Quest 2
"Jewel Quest Heritage 1.00" = Jewel Quest Heritage 1.00
"Jewel Quest Solitaire II_is1" = Jewel Quest Solitaire II
"Lexmark X73" = Lexmark X73
"Lost In Reefs 1.00" = Lost In Reefs 1.00
"Lost Treasures Of El Dorado_is1" = Lost Treasures Of El Dorado
"Luxor Adventures 1.00" = Luxor Adventures 1.00
"MadCaps_is1" = MadCaps
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"Nightfall Mysteries Asylum Conspiracy 1.00" = Nightfall Mysteries Asylum Conspiracy 1.00
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"One Million Recipes 6.00" = One Million Recipes 6.00
"PPTView97" = Microsoft PowerPoint Viewer 97
"PROSet" = Intel® PRO Ethernet Adapter and Software
"Rainbow Mystery" = Rainbow Mystery
"Rainbow Web 2_is1" = Rainbow Web 2
"Rainbow Web_is1" = Rainbow Web
"Rainforest Adventure 1.00" = Rainforest Adventure 1.00
"Ricochet Infinity_is1" = Ricochet Infinity
"Shockwave" = Shockwave
"Sierra Utilities" = Sierra Utilities
"SKIPBO Castaway Caper_is1" = SKIPBO Castaway Caper
"Slingo Supreme 1.00" = Slingo Supreme 1.00
"Snark Busters Welcome to the Club 1.00" = Snark Busters Welcome to the Club 1.00
"SolSuite_is1" = SolSuite 2010 v10.1
"The Lost Inca Prophecy 1.00" = The Lost Inca Prophecy 1.00
"The Weather Channel Toolbar" = The Weather Channel Toolbar
"The_Cleaner" = The Cleaner
"Treasure Island_is1" = Treasure Island
"Trial of the Gods Ariadnes Journey 1.00" = Trial of the Gods Ariadnes Journey 1.00
"TriPeaks Solitaire To Go_is1" = TriPeaks Solitaire To Go
"Unlocker" = Unlocker 1.8.7
"VLC media player" = VLC media player 1.1.0
"Windows Media Format Runtime" = Windows Media Format Runtime
"WinRAR archiver" = WinRAR archiver
"Xvid_is1" = Xvid 1.1.3 final uninstall

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 7/28/2010 6:48:11 PM | Computer Name = DELL-B9D0F5ABDA | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 7/28/2010 6:48:11 PM | Computer Name = DELL-B9D0F5ABDA | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 8/3/2010 12:00:29 PM | Computer Name = DELL-B9D0F5ABDA | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 8/3/2010 12:00:29 PM | Computer Name = DELL-B9D0F5ABDA | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 8/5/2010 12:39:18 PM | Computer Name = DELL-B9D0F5ABDA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 8/5/2010 12:39:19 PM | Computer Name = DELL-B9D0F5ABDA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 8/6/2010 1:08:15 PM | Computer Name = DELL-B9D0F5ABDA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 8/6/2010 1:08:16 PM | Computer Name = DELL-B9D0F5ABDA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 8/6/2010 1:20:39 PM | Computer Name = DELL-B9D0F5ABDA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 8/6/2010 1:20:39 PM | Computer Name = DELL-B9D0F5ABDA | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 8/7/2010 1:47:00 PM | Computer Name = DELL-B9D0F5ABDA | Source = Service Control Manager | ID = 7034
Description = The LexBce Server service terminated unexpectedly. It has done this
1 time(s).

Error - 8/7/2010 1:47:00 PM | Computer Name = DELL-B9D0F5ABDA | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 8/7/2010 1:47:00 PM | Computer Name = DELL-B9D0F5ABDA | Source = Service Control Manager | ID = 7034
Description = The MBAMService service terminated unexpectedly. It has done this
1 time(s).

Error - 8/7/2010 1:47:00 PM | Computer Name = DELL-B9D0F5ABDA | Source = Service Control Manager | ID = 7034
Description = The McAfee SiteAdvisor Service service terminated unexpectedly. It
has done this 1 time(s).

Error - 8/7/2010 1:47:00 PM | Computer Name = DELL-B9D0F5ABDA | Source = Service Control Manager | ID = 7034
Description = The PDAgent service terminated unexpectedly. It has done this 1 time(s).

Error - 8/7/2010 1:47:00 PM | Computer Name = DELL-B9D0F5ABDA | Source = Service Control Manager | ID = 7034
Description = The PDEngine service terminated unexpectedly. It has done this 1
time(s).

Error - 8/7/2010 1:49:09 PM | Computer Name = DELL-B9D0F5ABDA | Source = Service Control Manager | ID = 7000
Description = The Acronis Scheduler2 Service service failed to start due to the
following error: %%2

Error - 8/7/2010 1:49:09 PM | Computer Name = DELL-B9D0F5ABDA | Source = Service Control Manager | ID = 7000
Description = The TLRecAgent service failed to start due to the following error:
%%2

Error - 8/7/2010 1:49:09 PM | Computer Name = DELL-B9D0F5ABDA | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Windows User Mode Driver
Framework service to connect.

Error - 8/7/2010 1:49:09 PM | Computer Name = DELL-B9D0F5ABDA | Source = Service Control Manager | ID = 7000
Description = The Windows User Mode Driver Framework service failed to start due
to the following error: %%1053


< End of report >

#4 Broni Re: [RESOLVED] rootkit.win32.tdss.d

    Malware Annihilator

  • 24,879 posts
  • Joined: October 04, 2004
  • 1,859 topics
  • Age: 57
  • Skin: IPBoard wide
  • Local time: 09:58 PM
  • Zodiac:Virgo
  • Gender:Male
  • Location:Daly City, CA
  • OS:Windows Vista
  • Country:

Posted 08 August 2010 - 01:35 AM

Sorry for the late reply. I was out all day celebrating my sister's BD :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

#5 flippylip Re: [RESOLVED] rootkit.win32.tdss.d

    Member

  • 12 posts
  • Joined: August 07, 2010
  • 2 topics
  • Skin: IP.Board
  • Local time: 12:58 AM
  • Gender:Female
  • OS:Windows XP
  • Country:

Posted 08 August 2010 - 02:20 AM

Broni, on 08 August 2010 - 01:35 AM, said:

Sorry for the late reply. I was out all day celebrating my sister's BD :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

Combofix Log:

ComboFix 10-08-07.01 - Administrator 08/07/2010 22:00:10.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.292 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\inst.exe
c:\documents and settings\All Users\Application Data\mazuki.dll
c:\progra~1\COMMON~1\{525D3~1
c:\progra~1\COMMON~1\{525D3~1\slscp.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4


((((((((((((((((((((((((( Files Created from 2010-07-08 to 2010-08-08 )))))))))))))))))))))))))))))))
.

2100-02-23 18:35 . 2001-02-22 13:54 768 ----a-w- c:\windows\x73_lut.dat
2010-08-06 22:29 . 2010-08-06 22:29 -------- d-----w- c:\program files\ESET
2010-08-06 21:04 . 2010-08-06 21:04 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-06 21:04 . 2010-08-06 21:04 -------- d-----w- c:\program files\Trend Micro
2010-08-06 17:12 . 2010-08-06 17:25 -------- d-----w- C:\TDSSKiller_Quarantine
2010-08-04 17:39 . 2008-12-22 14:18 33632 ----a-w- c:\windows\system32\DfSdkBt.exe
2010-08-04 16:12 . 2010-08-06 19:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\pdnshxwvd
2010-08-04 16:12 . 2010-08-06 19:23 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\rxexgvqrt
2010-08-03 17:28 . 2010-08-03 17:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\SpiritVG
2010-08-03 15:56 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-03 15:55 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-03 15:55 . 2010-08-03 15:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-02 15:29 . 2010-08-02 15:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Alawar Stargaze
2010-08-02 15:16 . 2010-08-02 15:28 -------- d-----w- c:\program files\Snark Busters Welcome to the Club
2010-07-31 00:57 . 2010-07-31 00:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Vast Studios
2010-07-31 00:55 . 2010-07-31 00:56 -------- d-----w- c:\program files\Nightfall Mysteries Asylum Conspiracy
2010-07-28 15:13 . 2010-07-28 15:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\TikisLab
2010-07-27 15:57 . 2010-08-04 17:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TheLostKingdomProphecy
2010-07-26 20:03 . 2010-07-26 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-07-26 20:02 . 2010-07-26 20:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Office Genuine Advantage
2010-07-21 00:03 . 2010-07-21 00:03 -------- d-----w- c:\program files\Deep Blue Sea 2
2010-07-20 17:32 . 2010-07-20 17:58 -------- d-----w- c:\program files\RealArcade
2010-07-15 18:48 . 2010-07-15 18:48 -------- d-----w- c:\program files\Rainbow Mystery
2010-07-13 17:00 . 2010-07-13 17:00 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-13 17:00 . 2010-07-13 17:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-13 16:30 . 2010-07-13 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-08 02:06 . 2009-05-14 22:17 688160 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-08-08 02:06 . 2009-05-14 22:17 5528 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-08-08 02:06 . 2009-05-14 22:17 3232800 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-08-08 02:06 . 2009-05-14 22:17 30528 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-08-08 01:16 . 2009-08-18 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\AlawarWrapper
2010-08-07 17:50 . 2009-05-14 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-08-06 23:11 . 2009-05-23 17:12 -------- d-----w- c:\program files\Unlocker
2010-08-06 23:06 . 2009-05-21 02:28 -------- d-----w- c:\program files\Ricochet Infinity
2010-08-06 17:29 . 2008-04-13 22:50 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-06 16:36 . 2009-07-22 00:17 -------- d-----w- c:\program files\McAfee
2010-08-05 18:30 . 2009-06-04 14:53 -------- d-----w- c:\program files\Big Kahuna Reef 2
2010-08-04 17:41 . 2010-05-30 15:26 -------- d-----w- c:\program files\7 Wonders
2010-08-04 17:41 . 2010-05-30 15:28 -------- d-----w- c:\program files\7 Wonders Treasures Of Seven
2010-08-04 17:41 . 2010-05-30 15:24 -------- d-----w- c:\program files\7 Wonders II
2010-08-04 17:39 . 2010-05-18 17:57 -------- d-----w- c:\program files\Ashampoo
2010-08-04 17:16 . 2009-10-04 03:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\ERS G-Studio
2010-08-04 17:15 . 2009-07-16 00:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ashampoo
2010-08-04 16:26 . 2009-05-14 20:10 -------- d-----w- c:\program files\CCleaner
2010-07-29 16:49 . 2009-05-14 22:18 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-29 16:49 . 2009-05-14 22:18 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-07-28 01:06 . 2009-07-18 17:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-21 06:09 . 2009-05-18 01:27 31 ----a-w- c:\windows\popcinfo.dat
2010-07-20 15:18 . 2010-06-05 18:24 -------- d-----w- c:\documents and settings\All Users\Application Data\The Game Equation
2010-07-15 18:50 . 2009-08-06 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SugarGames
2010-07-14 23:55 . 2010-06-27 16:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-07-12 06:52 . 2010-05-09 17:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-07-04 17:13 . 2010-07-04 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\GamePlastic
2010-07-04 17:02 . 2009-05-18 17:52 -------- d-----w- c:\program files\Avalanche
2010-07-01 15:07 . 2010-04-14 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-25 19:42 . 2009-05-17 19:57 -------- d-----w- c:\program files\One Million Recipes
2010-06-25 16:16 . 2009-05-21 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2010-06-25 16:16 . 2009-05-21 02:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\PlayFirst
2010-06-20 14:53 . 2009-09-26 02:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\funkitron
2010-06-20 14:52 . 2010-06-20 14:52 -------- d-----w- c:\program files\Slingo Supreme
2010-06-14 20:50 . 2009-05-18 17:27 -------- d-----w- c:\program files\Jewel Quest 2
2010-06-14 14:31 . 2004-02-16 18:37 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-27 15:44 . 2010-05-27 15:44 237320 ----a-w- c:\windows\system32\PDBoot.exe
2010-05-18 23:16 . 2010-05-18 23:16 722416 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-18 22:54 . 2010-05-18 22:54 902592 ----a-w- c:\windows\system32\drivers\tdrpm228.sys
2010-05-18 22:53 . 2010-05-18 18:11 138208 ----a-w- c:\windows\system32\drivers\snapman.sys
2010-05-18 18:11 . 2009-05-14 23:58 581984 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-05-18 16:53 . 2009-05-14 23:58 971552 ----a-w- c:\windows\system32\drivers\tdrpm174.sys
2006-11-20 13:01 . 2006-11-20 13:01 163840 ----a-w- c:\program files\Common Files\AMCap.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-03-27 160328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-07-21 208616]
"Lexmark X73 Button Monitor"="c:\progra~1\LEXMAR~1\ACMonitor_X73.exe" [2001-10-08 53248]
"Lexmark X73 Button Manager"="c:\progra~1\LEXMAR~1\AcBtnMgr_X73.exe" [2001-07-11 53248]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-12 36864]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Softland\\Backup4all Professional 4\\Backup4all.exe"=
"c:\\Program Files\\Softland\\Backup4all Professional 4\\b4aCmd.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 33808]
R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [5/18/2010 6:54 PM 902592]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/3/2010 11:56 AM 304464]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/21/2009 8:17 PM 88176]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 7:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 24592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/3/2010 11:55 AM 20952]
R3 PAC207;PC Camera;c:\windows\system32\drivers\PFC027.SYS [10/25/2007 6:31 PM 616064]
S0 kctwb;kctwb;c:\windows\system32\drivers\ujkq.sys --> c:\windows\system32\drivers\ujkq.sys [?]
S2 0321951243778897mcinstcleanup;0321951243778897mcinstcleanup; [x]
S2 TLRecAgent;TLRecAgent;\??\c:\windows\system32\drivers\TLRecAgent.sys --> c:\windows\system32\drivers\TLRecAgent.sys [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [8/4/2010 1:39 PM 410976]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/18/2010 7:16 PM 722416]
.
Contents of the 'Scheduled Tasks' folder

2010-08-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-05-19 c:\windows\Tasks\b4a_New Backup.job
- c:\program files\Softland\Backup4all Professional 4\b4aSchedStarter.exe [2009-11-13 15:29]

2010-08-08 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=NSC-A&o=14095&locale=en_US&q=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-07 22:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1715567821-261903793-1606980848-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3368)
c:\windows\system32\WININET.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Raxco\PerfectDisk\PDAgent.exe
c:\windows\system32\fxssvc.exe
c:\program files\Raxco\PerfectDisk\PDEngine.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-08-07 22:10:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-08 02:10

Pre-Run: 138,295,906,304 bytes free
Post-Run: 138,183,806,976 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\windows
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

- - End Of File - - 21D0F09962C98C96200F98E22F5B713F

P.S. Kaspersky is still saying that there are threats and that to neutralize them you have to reboot the computer.

#6 Broni Re: [RESOLVED] rootkit.win32.tdss.d

    Malware Annihilator


Posted 08 August 2010 - 02:47 AM

I can see you ran TDSSKiller before you posted here.
I assume it found and killed something, correct?
Can you post TDSSKiller_xxxx_log.txt, usually located in the root C:\ folder?

==========================================================================================================


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\drivers\ujkq.sys


Folder::
c:\documents and settings\Administrator\Local Settings\Application Data\pdnshxwvd
c:\documents and settings\Administrator\Local Settings\Application Data\rxexgvqrt


Driver::
kctwb
0321951243778897mcinstcleanup

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=-




3. Save the above as CFScript.txt

4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


6. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
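Why the CFScript above names kctwb, ujkq.sys and the DisableMonitoring value: in the ComboFix log posted earlier in this thread, kctwb is a boot-start driver whose image file ujkq.sys is missing, the service name and file name are both random-looking and do not match each other, and the Windows Security Center key had been told to stop monitoring the installed antivirus (DisableMonitoring=1 under Monitoring\KasperskyAntiVirus, FirewallOverride=1 under the parent key). The Python script below is an added example written for this page; it is not a tool from the thread, from ComboFix or from Kaspersky. It scores the service lines of a log excerpt copied from the thread (embedded here as sample input) on those traits and lists Security Center overrides. The weights, the threshold and the helper names are my own choices.

```python
import re
from dataclasses import dataclass, field

# Sample input: service and Security Center lines copied from the first
# ComboFix log posted in this thread (constructed excerpt, not a full log).
SAMPLE_LOG = r"""
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 33808]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/3/2010 11:56 AM 304464]
S0 kctwb;kctwb;c:\windows\system32\drivers\ujkq.sys --> c:\windows\system32\drivers\ujkq.sys [?]
S2 0321951243778897mcinstcleanup;0321951243778897mcinstcleanup; [x]
S2 TLRecAgent;TLRecAgent;\??\c:\windows\system32\drivers\TLRecAgent.sys --> c:\windows\system32\drivers\TLRecAgent.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/18/2010 7:16 PM 722416]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
"""

# ComboFix service line: <R|S><start type> <name>;<display>;<image> [<date size>] or [?] / [x]
SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# Values that tell the XP Security Center to stop reporting on a product (names from the log)
WSC_SILENCERS = {"DisableMonitoring", "FirewallOverride"}


@dataclass
class Finding:
    name: str
    path: str
    reasons: list = field(default_factory=list)
    score: int = 0


def parse_service(line):
    """Return a dict for a ComboFix service line, or None if the line is not one."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest").strip()
    missing = rest.endswith("[?]") or rest.endswith("[x]")
    body = rest[:-3].strip() if missing else rest.rsplit(" [", 1)[0]
    # For a missing image ComboFix prints "image --> image"; keep the first copy.
    path = body.split(" --> ")[0]
    if path.startswith("\\??\\"):          # strip the NT object-namespace prefix
        path = path[4:]
    return {"state": m.group("state"), "start": m.group("start"),
            "name": m.group("name"), "display": m.group("display"),
            "path": path, "missing": missing}


def assess(svc):
    """Score one parsed service on the traits that made kctwb stand out (weights are mine)."""
    f = Finding(svc["name"], svc["path"])
    if svc["missing"]:
        f.reasons.append("image file not present on disk")
        f.score += 3
    if svc["start"] in ("0", "1"):
        f.reasons.append("boot/system start: loads before user-mode security software")
        f.score += 1
    if svc["display"] == svc["name"]:
        f.reasons.append("display name is just the service name")
        f.score += 1
    base = svc["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    if svc["path"] and base != svc["name"].lower():
        f.reasons.append("image file name does not match service name")
        f.score += 1
    return f


def find_wsc_silencers(text):
    """Return (key, value name) pairs that switch off Security Center monitoring."""
    hits, key = [], None
    for line in text.splitlines():
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if (vm and key and "security center" in key.lower()
                and vm.group("name") in WSC_SILENCERS and vm.group("data") == "dword:00000001"):
            hits.append((key, vm.group("name")))
    return hits


def triage(text, threshold=3):
    """Services worth a second look (highest score first) plus Security Center overrides."""
    findings = [assess(s) for s in map(parse_service, text.splitlines()) if s]
    flagged = sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)
    return flagged, find_wsc_silencers(text)


if __name__ == "__main__":
    services, registry = triage(SAMPLE_LOG)
    for f in services:
        print(f"{f.score} {f.name} {f.path or '(no image)'}: {'; '.join(f.reasons)}")
    for key, value in registry:
        print(f"Security Center override: [{key}] {value}")
```

The output is a review list, not a removal list. TLRecAgent also shows a missing image, yet the CFScript leaves it alone and it is still listed in the second ComboFix log; a missing file on its own is a prompt to investigate, while the combination of missing file, boot start, and a service name that matches neither a product nor its own file is what singled out kctwb.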


#7 flippylip Re: [RESOLVED] rootkit.win32.tdss.d

    Member


Posted 08 August 2010 - 09:44 PM

Broni, on 08 August 2010 - 02:47 AM, said: [quote of post #6 above]

Problem solved!!!

Here is what i did:

Kaspersky said that there were 2 files:

1. Quicktime

2. Rootkit

I deleted Quicktime from my system and went into the registry and deleted everything with Quicktime in it. Then I went back into Kaspersky and deleted the line that Quicktime was on. Then I highlighted Rootkit and told it to disinfect it, and it did. Then I rebooted the system and everything is OK now. Everything in Kaspersky is green, which is good, and there are no notifications about any threats.

#8 Broni Re: [RESOLVED] rootkit.win32.tdss.d

    Malware Annihilator


Posted 08 August 2010 - 10:58 PM

OK. I still need you to run the ComboFix fix.

The whole cleaning process has to be completed if you don't want to come back here in a couple of days with more problems.

#9 flippylip Re: [RESOLVED] rootkit.win32.tdss.d

    Member


Posted 09 August 2010 - 03:10 PM

Broni, on 08 August 2010 - 10:58 PM, said: [quote of post #8 above]


ComboFix 10-08-08.02 - Administrator 08/09/2010 10:55:19.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.278 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::
"c:\windows\system32\drivers\ujkq.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\pdnshxwvd
c:\documents and settings\Administrator\Local Settings\Application Data\rxexgvqrt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_0321951243778897MCINSTCLEANUP
-------\Service_0321951243778897mcinstcleanup
-------\Service_kctwb


((((((((((((((((((((((((( Files Created from 2010-07-09 to 2010-08-09 )))))))))))))))))))))))))))))))
.

2100-02-23 18:35 . 2001-02-22 13:54 768 ----a-w- c:\windows\x73_lut.dat
2010-08-06 17:12 . 2010-08-06 17:25 -------- d-----w- C:\TDSSKiller_Quarantine
2010-08-04 17:39 . 2008-12-22 14:18 33632 ----a-w- c:\windows\system32\DfSdkBt.exe
2010-08-03 17:28 . 2010-08-03 17:28 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\SpiritVG
2010-08-03 15:56 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-03 15:55 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-03 15:55 . 2010-08-03 15:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-02 15:29 . 2010-08-02 15:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Alawar Stargaze
2010-07-31 00:57 . 2010-07-31 00:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\Vast Studios
2010-07-31 00:55 . 2010-07-31 00:56 -------- d-----w- c:\program files\Nightfall Mysteries Asylum Conspiracy
2010-07-28 15:13 . 2010-07-28 15:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\TikisLab
2010-07-27 15:57 . 2010-08-04 17:41 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TheLostKingdomProphecy
2010-07-26 20:03 . 2010-07-26 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-07-26 20:02 . 2010-07-26 20:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Office Genuine Advantage
2010-07-21 00:03 . 2010-07-21 00:03 -------- d-----w- c:\program files\Deep Blue Sea 2
2010-07-20 17:32 . 2010-07-20 17:58 -------- d-----w- c:\program files\RealArcade
2010-07-15 18:48 . 2010-07-15 18:48 -------- d-----w- c:\program files\Rainbow Mystery
2010-07-13 17:00 . 2010-07-13 17:00 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-13 17:00 . 2010-07-13 17:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-07-13 16:30 . 2010-07-13 16:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-09 15:02 . 2009-05-14 22:17 688160 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-08-09 15:02 . 2009-05-14 22:17 5528 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-08-09 15:02 . 2009-05-14 22:17 3232800 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-08-09 15:02 . 2009-05-14 22:17 30528 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-08-09 14:15 . 2009-05-14 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-08-08 22:49 . 2009-06-04 14:53 -------- d-----w- c:\program files\Big Kahuna Reef 2
2010-08-08 16:53 . 2009-07-22 00:17 -------- d-----w- c:\program files\McAfee
2010-08-08 01:16 . 2009-08-18 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\AlawarWrapper
2010-08-06 23:11 . 2009-05-23 17:12 -------- d-----w- c:\program files\Unlocker
2010-08-06 23:06 . 2009-05-21 02:28 -------- d-----w- c:\program files\Ricochet Infinity
2010-08-06 17:29 . 2008-04-13 22:50 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-04 17:41 . 2010-05-30 15:26 -------- d-----w- c:\program files\7 Wonders
2010-08-04 17:41 . 2010-05-30 15:28 -------- d-----w- c:\program files\7 Wonders Treasures Of Seven
2010-08-04 17:41 . 2010-05-30 15:24 -------- d-----w- c:\program files\7 Wonders II
2010-08-04 17:39 . 2010-05-18 17:57 -------- d-----w- c:\program files\Ashampoo
2010-08-04 17:16 . 2009-10-04 03:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\ERS G-Studio
2010-08-04 17:15 . 2009-07-16 00:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ashampoo
2010-08-04 16:26 . 2009-05-14 20:10 -------- d-----w- c:\program files\CCleaner
2010-07-29 16:49 . 2009-05-14 22:18 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-07-29 16:49 . 2009-05-14 22:18 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-07-28 01:06 . 2009-07-18 17:46 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-21 06:09 . 2009-05-18 01:27 31 ----a-w- c:\windows\popcinfo.dat
2010-07-20 15:18 . 2010-06-05 18:24 -------- d-----w- c:\documents and settings\All Users\Application Data\The Game Equation
2010-07-15 18:50 . 2009-08-06 20:58 -------- d-----w- c:\documents and settings\All Users\Application Data\SugarGames
2010-07-14 23:55 . 2010-06-27 16:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-07-12 06:52 . 2010-05-09 17:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-07-04 17:13 . 2010-07-04 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\GamePlastic
2010-07-04 17:02 . 2009-05-18 17:52 -------- d-----w- c:\program files\Avalanche
2010-07-01 15:07 . 2010-04-14 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-06-25 19:42 . 2009-05-17 19:57 -------- d-----w- c:\program files\One Million Recipes
2010-06-25 16:16 . 2009-05-21 02:37 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2010-06-25 16:16 . 2009-05-21 02:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\PlayFirst
2010-06-20 14:53 . 2009-09-26 02:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\funkitron
2010-06-20 14:52 . 2010-06-20 14:52 -------- d-----w- c:\program files\Slingo Supreme
2010-06-14 20:50 . 2009-05-18 17:27 -------- d-----w- c:\program files\Jewel Quest 2
2010-06-14 14:31 . 2004-02-16 18:37 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-27 15:44 . 2010-05-27 15:44 237320 ----a-w- c:\windows\system32\PDBoot.exe
2010-05-18 23:16 . 2010-05-18 23:16 722416 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-18 22:54 . 2010-05-18 22:54 902592 ----a-w- c:\windows\system32\drivers\tdrpm228.sys
2010-05-18 22:53 . 2010-05-18 18:11 138208 ----a-w- c:\windows\system32\drivers\snapman.sys
2010-05-18 18:11 . 2009-05-14 23:58 581984 ----a-w- c:\windows\system32\drivers\timntr.sys
2010-05-18 16:53 . 2009-05-14 23:58 971552 ----a-w- c:\windows\system32\drivers\tdrpm174.sys
2006-11-20 13:01 . 2006-11-20 13:01 163840 ----a-w- c:\program files\Common Files\AMCap.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-08-08_02.07.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-09 15:02 . 2010-08-09 15:02 16384 c:\windows\Temp\Perflib_Perfdata_6f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2010-03-27 160328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2009-07-21 208616]
"Lexmark X73 Button Monitor"="c:\progra~1\LEXMAR~1\ACMonitor_X73.exe" [2001-10-08 53248]
"Lexmark X73 Button Manager"="c:\progra~1\LEXMAR~1\AcBtnMgr_X73.exe" [2001-07-11 53248]
"PrinTray"="c:\windows\System32\spool\DRIVERS\W32X86\3\printray.exe" [2001-10-12 36864]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Softland\\Backup4all Professional 4\\Backup4all.exe"=
"c:\\Program Files\\Softland\\Backup4all Professional 4\\b4aCmd.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29 PM 33808]
R0 tdrpman228;Acronis Try&Decide and Restore Points filter (build 228);c:\windows\system32\drivers\tdrpm228.sys [5/18/2010 6:54 PM 902592]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/3/2010 11:56 AM 304464]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/21/2009 8:17 PM 88176]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 7:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 6:06 PM 24592]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/3/2010 11:55 AM 20952]
R3 PAC207;PC Camera;c:\windows\system32\drivers\PFC027.SYS [10/25/2007 6:31 PM 616064]
S2 TLRecAgent;TLRecAgent;\??\c:\windows\system32\drivers\TLRecAgent.sys --> c:\windows\system32\drivers\TLRecAgent.sys [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [8/4/2010 1:39 PM 410976]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/18/2010 7:16 PM 722416]
.
Contents of the 'Scheduled Tasks' folder

2010-05-19 c:\windows\Tasks\b4a_New Backup.job
- c:\program files\Softland\Backup4all Professional 4\b4aSchedStarter.exe [2009-11-13 15:29]

2010-08-09 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/
IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=NSC-A&o=14095&locale=en_US&q=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-09 11:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1715567821-261903793-1606980848-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2844)
c:\windows\system32\WININET.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Raxco\PerfectDisk\PDAgent.exe
c:\windows\system32\fxssvc.exe
c:\program files\Raxco\PerfectDisk\PDEngine.exe
c:\windows\system32\wscntfy.exe
c:\program files\Raxco\PerfectDisk\PDAgentS1.exe
.
**************************************************************************
.
Completion time: 2010-08-09 11:06:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-09 15:06
ComboFix2.txt 2010-08-08 02:10

Pre-Run: 138,752,999,424 bytes free
Post-Run: 138,707,701,760 bytes free

- - End Of File - - 19C008703C5C656752CE579508A2B344

2010/08/06 18:17:24.0703 TDSS rootkit removing tool 2.4.1.0 Aug 4 2010 15:06:41
2010/08/06 18:17:24.0703 ================================================================================
2010/08/06 18:17:24.0703 SystemInfo:
2010/08/06 18:17:24.0703
2010/08/06 18:17:24.0703 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/06 18:17:24.0703 Product type: Workstation
2010/08/06 18:17:24.0718 ComputerName: DELL-B9D0F5ABDA
2010/08/06 18:17:24.0718 UserName: Administrator
2010/08/06 18:17:24.0718 Windows directory: C:\WINDOWS
2010/08/06 18:17:24.0718 System windows directory: C:\WINDOWS
2010/08/06 18:17:24.0718 Processor architecture: Intel x86
2010/08/06 18:17:24.0718 Number of processors: 1
2010/08/06 18:17:24.0718 Page size: 0x1000
2010/08/06 18:17:24.0718 Boot type: Normal boot
2010/08/06 18:17:24.0718 ================================================================================
2010/08/06 18:17:25.0203 Initialize success
2010/08/06 18:17:26.0843 ================================================================================
2010/08/06 18:17:26.0843 Scan started
2010/08/06 18:17:26.0843 Mode: Manual;
2010/08/06 18:17:26.0843 ================================================================================
2010/08/06 18:17:28.0062 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/06 18:17:28.0109 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/08/06 18:17:28.0218 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
2010/08/06 18:17:28.0265 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/08/06 18:17:28.0312 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/08/06 18:17:28.0687 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/08/06 18:17:28.0734 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/06 18:17:28.0812 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/08/06 18:17:28.0890 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/08/06 18:17:28.0953 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
2010/08/06 18:17:29.0000 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/08/06 18:17:29.0078 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/08/06 18:17:29.0140 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/08/06 18:17:29.0218 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/08/06 18:17:29.0250 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/06 18:17:29.0296 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/08/06 18:17:29.0609 DefragFS (4bb22f61e7257ed353a39130b3ed2461) C:\WINDOWS\system32\drivers\DefragFS.sys
2010/08/06 18:17:29.0718 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/06 18:17:29.0828 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/06 18:17:29.0921 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/08/06 18:17:29.0968 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/06 18:17:30.0015 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/08/06 18:17:30.0140 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/08/06 18:17:30.0203 E1000 (854293999e91bf2eb9e786166de4a35f) C:\WINDOWS\system32\DRIVERS\e1000325.sys
2010/08/06 18:17:30.0281 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/08/06 18:17:30.0359 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/08/06 18:17:30.0406 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/08/06 18:17:30.0453 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/08/06 18:17:30.0484 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/08/06 18:17:30.0546 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/08/06 18:17:30.0578 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/08/06 18:17:30.0640 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/08/06 18:17:30.0703 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/08/06 18:17:30.0796 HSFHWBS2 (970178e8e003eb1481293830069624b9) C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys
2010/08/06 18:17:30.0953 HSF_DP (ebb354438a4c5a3327fb97306260714a) C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys
2010/08/06 18:17:31.0140 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/06 18:17:31.0296 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/08/06 18:17:31.0375 ialm (da58a8be6a445835f603720c4bc8837e) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/08/06 18:17:31.0468 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/08/06 18:17:31.0578 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/08/06 18:17:31.0625 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/08/06 18:17:31.0671 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/08/06 18:17:31.0718 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/08/06 18:17:31.0765 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/08/06 18:17:31.0812 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/08/06 18:17:31.0875 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/06 18:17:31.0921 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/08/06 18:17:31.0968 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/06 18:17:32.0015 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/08/06 18:17:32.0062 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/08/06 18:17:32.0156 kl1 (cd6a8fa9395460ffe7fd8881a6c67254) C:\WINDOWS\system32\drivers\kl1.sys
2010/08/06 18:17:32.0250 klbg (f9089982ed97340984e3dd60edd75490) C:\WINDOWS\system32\drivers\klbg.sys
2010/08/06 18:17:32.0328 KLFLTDEV (73eb94ad1c85b4a3c5a8b4d879f668b9) C:\WINDOWS\system32\DRIVERS\klfltdev.sys
2010/08/06 18:17:32.0406 KLIF (2627c389ba33065b2e98118ce9d71e57) C:\WINDOWS\system32\DRIVERS\klif.sys
2010/08/06 18:17:32.0468 klim5 (cd16a39c6f61c2ae0272e1f431353bf7) C:\WINDOWS\system32\DRIVERS\klim5.sys
2010/08/06 18:17:32.0515 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/08/06 18:17:32.0640 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/08/06 18:17:33.0015 LXARScan (e8d15acd2f65a2e8756768353e08a9a0) C:\WINDOWS\system32\Drivers\Lxarscan.sys
2010/08/06 18:17:33.0140 MBAMProtector (67b48a903430c6d4fb58cbaca1866601) C:\WINDOWS\system32\drivers\mbam.sys
2010/08/06 18:17:33.0328 mdmxsdk (195741aee20369980796b557358cd774) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/08/06 18:17:33.0406 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/08/06 18:17:33.0500 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/08/06 18:17:33.0578 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2010/08/06 18:17:33.0656 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/08/06 18:17:33.0703 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/08/06 18:17:33.0765 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/08/06 18:17:33.0875 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/08/06 18:17:33.0968 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/08/06 18:17:34.0093 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/08/06 18:17:34.0234 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/08/06 18:17:34.0296 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/08/06 18:17:34.0359 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/08/06 18:17:34.0421 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/08/06 18:17:34.0515 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/08/06 18:17:34.0640 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/08/06 18:17:34.0734 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/08/06 18:17:34.0859 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/08/06 18:17:34.0984 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/08/06 18:17:35.0140 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/08/06 18:17:35.0218 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/08/06 18:17:35.0296 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/08/06 18:17:35.0359 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/08/06 18:17:35.0421 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/08/06 18:17:35.0515 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/08/06 18:17:35.0937 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/08/06 18:17:36.0093 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/08/06 18:17:36.0375 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/08/06 18:17:36.0500 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/08/06 18:17:36.0578 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/08/06 18:17:36.0750 PAC207 (9482616a0f87384c5afb5f34a317bf6c) C:\WINDOWS\system32\DRIVERS\PFC027.SYS
2010/08/06 18:17:36.0968 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/08/06 18:17:37.0062 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/08/06 18:17:37.0125 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/08/06 18:17:37.0187 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/06 18:17:37.0375 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2010/08/06 18:17:37.0437 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/08/06 18:17:37.0531 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
2010/08/06 18:17:38.0062 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/08/06 18:17:38.0125 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/08/06 18:17:38.0218 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/08/06 18:17:38.0390 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/08/06 18:17:38.0796 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/08/06 18:17:38.0859 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/08/06 18:17:39.0015 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/08/06 18:17:39.0062 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/08/06 18:17:39.0125 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/08/06 18:17:39.0171 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/08/06 18:17:39.0281 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/08/06 18:17:39.0421 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/08/06 18:17:39.0484 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/08/06 18:17:39.0656 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/08/06 18:17:39.0718 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/08/06 18:17:39.0765 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/08/06 18:17:39.0812 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/08/06 18:17:39.0937 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/08/06 18:17:40.0015 smwdm (70b8dd8707dbf6142530c106365df67d) C:\WINDOWS\system32\drivers\smwdm.sys
2010/08/06 18:17:40.0109 snapman (e60646143eb6b746eb3ab58ef7d5cff7) C:\WINDOWS\system32\DRIVERS\snapman.sys
2010/08/06 18:17:40.0187 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/08/06 18:17:40.0296 sptd (a80cd850d69d996c832bea37e3a6aa1e) C:\WINDOWS\system32\Drivers\sptd.sys
2010/08/06 18:17:40.0296 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: a80cd850d69d996c832bea37e3a6aa1e
2010/08/06 18:17:40.0312 sptd - detected Locked file (1)
2010/08/06 18:17:40.0359 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/08/06 18:17:40.0453 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/08/06 18:17:40.0546 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/08/06 18:17:40.0640 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/08/06 18:17:40.0703 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/08/06 18:17:40.0906 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/08/06 18:17:40.0984 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/06 18:17:41.0062 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/08/06 18:17:41.0171 tdrpman228 (664469f03c955e851c5de58eea233f5a) C:\WINDOWS\system32\DRIVERS\tdrpm228.sys
2010/08/06 18:17:41.0312 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/08/06 18:17:41.0359 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/06 18:17:41.0531 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/08/06 18:17:41.0671 UnlockerDriver5 (4847639d852763ee39415c929470f672) C:\Program Files\Unlocker\UnlockerDriver5.sys
2010/08/06 18:17:41.0812 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/08/06 18:17:41.0906 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/08/06 18:17:41.0953 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/08/06 18:17:42.0000 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/08/06 18:17:42.0062 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/08/06 18:17:42.0125 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/08/06 18:17:42.0171 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/08/06 18:17:42.0218 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/08/06 18:17:42.0250 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/08/06 18:17:42.0343 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/08/06 18:17:42.0421 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/08/06 18:17:42.0500 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/08/06 18:17:42.0609 winachsf (1225ebea76aac3c84df6c54fe5e5d8be) C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys
2010/08/06 18:17:42.0828 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/08/06 18:17:42.0921 ================================================================================
2010/08/06 18:17:42.0921 Scan finished
2010/08/06 18:17:42.0921 ================================================================================
2010/08/06 18:17:42.0953 Detected object count: 1
2010/08/06 18:18:11.0375 Locked file(sptd) - User select action: Skip
2010/08/06 18:18:47.0375 Deinitialize success
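
The TDSSKiller run above ("TDSS rootkit removing tool 2.4.1.0") enumerated every registered kernel driver and ended with one detected object: sptd.sys, reported as NoAccess and then as a locked file, which the user chose to skip. That behaviour is normal for that particular driver: sptd.sys is the SPTD layer from Duplex Secure Ltd. that disc-emulation software such as DAEMON Tools and Alcohol 120% installs, and it is built to deny other code access to its image, so anti-rootkit scanners routinely report it as locked. The OTL log further down in this thread attributes the file to Duplex Secure Ltd. and shows the service disabled. A lone sptd hit is therefore not, by itself, evidence of TDSS; what matters is whether anything else in the enumeration is out of place. The script below, added here as an example and not part of the forum post or of TDSSKiller, parses this log format and separates three things: what the tool itself flagged, what the user did about each flag, and which drivers load from somewhere other than the standard drivers directory (here UnlockerDriver5.sys under Program Files, legitimate but worth a glance). The sample lines are excerpted from the log above; the regular expressions are derived from its line formats.

```python
"""Triage a TDSSKiller ("TDSS rootkit removing tool") log.
Added example for this thread, not part of the forum post or of TDSSKiller.
Line formats are taken from the log above; SAMPLE_LOG is an excerpt of it."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Every line: "YYYY/MM/DD HH:MM:SS.frac <message>"
LINE_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+(?P<body>.*)$")
# Enumerated driver: "<service> (<md5>) <image path>"
DRIVER_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# TDSSKiller's own warnings, the user's choice, and the final tally
SUSPICIOUS_RE = re.compile(r"^Suspicious file \((?P<reason>[^)]+)\): (?P<path>.+)\. md5: (?P<md5>[0-9a-f]{32})$")
DETECTED_RE = re.compile(r"^(?P<name>\S+) - detected (?P<verdict>.+?) \(\d+\)$")
ACTION_RE = re.compile(r"^(?P<verdict>.+?)\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")

# Where Windows keeps its own kernel drivers; anything loaded from elsewhere gets a second look.
STANDARD_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


@dataclass
class Driver:
    name: str
    md5: str
    path: str


@dataclass
class Triage:
    drivers: List[Driver] = field(default_factory=list)
    flagged: Dict[str, List[str]] = field(default_factory=dict)  # name -> TDSSKiller's notes
    outside_driver_dir: List[str] = field(default_factory=list)   # loaded from a non-standard path
    actions: Dict[str, str] = field(default_factory=dict)         # name -> action the user chose
    detected_count: Optional[int] = None                          # the tool's final tally


def parse_tdsskiller(text: str) -> Triage:
    t = Triage()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m["body"].strip()
        if (d := DRIVER_RE.match(body)):
            drv = Driver(d["name"], d["md5"], d["path"])
            t.drivers.append(drv)
            if not drv.path.lower().startswith(STANDARD_DRIVER_DIR):
                t.outside_driver_dir.append(drv.name)
        elif (s := SUSPICIOUS_RE.match(body)):
            # The warning names only the path; tie it to the service via the md5 printed on both lines.
            name = next((x.name for x in t.drivers if x.md5 == s["md5"]), s["path"])
            t.flagged.setdefault(name, []).append(f"suspicious file ({s['reason']})")
        elif (v := DETECTED_RE.match(body)):
            t.flagged.setdefault(v["name"], []).append(f"detected {v['verdict']}")
        elif (a := ACTION_RE.match(body)):
            t.actions[a["name"]] = a["action"]
        elif (c := COUNT_RE.match(body)):
            t.detected_count = int(c["n"])
    return t


def unresolved(t: Triage) -> List[str]:
    """Detections the run did not cure or delete: skipped, or never acted on at all."""
    detected = [n for n, notes in t.flagged.items() if any(x.startswith("detected") for x in notes)]
    return [n for n in detected if t.actions.get(n, "Skip") == "Skip"]


def report(t: Triage) -> List[str]:
    lines = [f"{len(t.drivers)} drivers enumerated, TDSSKiller detected {t.detected_count}"]
    for name, notes in t.flagged.items():
        lines.append(f"FLAGGED {name}: {'; '.join(notes)}; action={t.actions.get(name, 'none')}")
    for name in t.outside_driver_dir:
        lines.append(f"NOTE {name}: loaded from outside {STANDARD_DRIVER_DIR}")
    for name in unresolved(t):
        lines.append(f"OPEN {name}: still unresolved after this run")
    return lines


# Excerpt of the log posted above (not a complete run).
SAMPLE_LOG = r"""
2010/08/06 18:17:26.0843 Scan started
2010/08/06 18:17:26.0843 Mode: Manual;
2010/08/06 18:17:28.0062 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/06 18:17:40.0296 sptd (a80cd850d69d996c832bea37e3a6aa1e) C:\WINDOWS\system32\Drivers\sptd.sys
2010/08/06 18:17:40.0296 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: a80cd850d69d996c832bea37e3a6aa1e
2010/08/06 18:17:40.0312 sptd - detected Locked file (1)
2010/08/06 18:17:41.0671 UnlockerDriver5 (4847639d852763ee39415c929470f672) C:\Program Files\Unlocker\UnlockerDriver5.sys
2010/08/06 18:17:42.0921 Scan finished
2010/08/06 18:17:42.0953 Detected object count: 1
2010/08/06 18:18:11.0375 Locked file(sptd) - User select action: Skip
"""

if __name__ == "__main__":
    print("\n".join(report(parse_tdsskiller(SAMPLE_LOG))))
```

Run against the full log above it lists the same single flagged entry and the same single out-of-place driver; the OPEN line is the point of the script, since "Detected object count: 1" followed by "Skip" means the run changed nothing on disk, and anyone reading the log should know the detection was left as it was rather than cleaned.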

#10 Broni Re: [RESOLVED] rootkit.win32.tdss.d

Posted 09 August 2010 - 11:04 PM

Good :)

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

====================================================================================================

Please, re-run OTL "Quick scan" and post a fresh log.
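
The request to uninstall ComboFix and then post a fresh OTL log is a leftovers check: the removal tools register their own drivers and services, and a clean system should carry no reference to them afterwards. The OTL log posted in the next reply still shows three service entries whose image file no longer exists (AcrSch2Svc, TLRecAgent and catchme), the catchme driver entry still points into C:\ComboFix, which is ComboFix's own working folder and exactly the kind of remnant the uninstall step is meant to clear, and two running kernel drivers (BANTExt and LXARScan) carry no company name in their version information, so they cannot be identified from the log alone. The script below, added here as an example and not part of the thread or of OTL, parses the SRV and DRV lines of that log format and pulls those three checks out; the sample lines are excerpted from the OTL log that follows, and the regular expression is derived from its line layout.

```python
"""Triage of an OTL (OldTimer) "Win32 Services" / "Driver Services" listing.
Added example for this thread, not part of the forum post or of OTL.
Line formats are taken from the OTL log posted in reply; SAMPLE_OTL is an excerpt of it."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "SRV - [mtime | size | attrs | M] (Company) [flags] -- path -- (ServiceName)"
# or  "DRV - File not found [flags] -- path -- (ServiceName)"; trailing description is ignored
OTL_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - "
    r"(?:(?P<missing>File not found)|\[(?P<mtime>[^|]+)\| (?P<size>[\d,]+) \| [^\]]*\] \((?P<company>[^)]*)\)) "
    r"\[(?P<flags>[^\]]+)\] -- (?P<path>.+?) -- \((?P<svc>[^)]+)\)"
)
COMBOFIX_DIR = "c:\\combofix\\"  # ComboFix's working folder; nothing should reference it after uninstall


@dataclass
class Entry:
    kind: str            # SRV (Win32 service) or DRV (kernel / file-system driver)
    svc: str             # service name, the key under HKLM\SYSTEM\CurrentControlSet\Services
    path: str            # image path OTL read from the registry
    flags: List[str]     # e.g. ["Kernel", "Boot", "Running"]
    missing: bool        # OTL could not find the image on disk
    company: str         # CompanyName from the file's version info, "" when absent
    size: Optional[int]  # bytes, None when the file is missing


def parse_otl(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = OTL_RE.match(raw.strip())
        if not m:
            continue
        missing = m["missing"] is not None
        entries.append(Entry(
            kind=m["kind"], svc=m["svc"], path=m["path"],
            flags=[f.strip() for f in m["flags"].split("|")],
            missing=missing,
            company=(m["company"] or "").strip(),
            size=None if missing else int(m["size"].replace(",", "")),
        ))
    return entries


def triage_otl(entries: List[Entry]) -> Dict[str, List[str]]:
    """Three things worth checking in a post-cleanup log."""
    out: Dict[str, List[str]] = {"missing_file": [], "no_company": [], "combofix_residue": []}
    for e in entries:
        if e.missing:
            out["missing_file"].append(e.svc)        # orphaned registration, file already gone
        elif not e.company:
            out["no_company"].append(e.svc)          # no publisher in version info: identify by hand
        if e.path.lower().startswith(COMBOFIX_DIR):
            out["combofix_residue"].append(e.svc)    # leftover from the removal tool itself
    return out


# Excerpt of the OTL log posted in the next reply (not the complete listing).
SAMPLE_OTL = r"""
SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2010/05/27 11:44:26 | 001,565,960 | ---- | M] (Raxco Software, Inc.) [Auto | Running] -- C:\Program Files\Raxco\PerfectDisk\PDAgent.exe -- (PDAgent)
DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\drivers\TLRecAgent.sys -- (TLRecAgent)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010/05/18 19:16:17 | 000,722,416 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2010/05/18 18:54:03 | 000,902,592 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpm228.sys -- (tdrpman228) Acronis Try&Decide and Restore Points filter (build 228)
DRV - [2008/02/27 13:49:00 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
DRV - [2001/10/12 08:33:12 | 000,018,024 | ---- | M] ( ) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lxarscan.sys -- (LXARScan)
"""

if __name__ == "__main__":
    for key, names in triage_otl(parse_otl(SAMPLE_OTL)).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

A "missing_file" entry is not malicious by itself (the Acronis ones are ordinary uninstall debris), but a registration whose file has vanished is also what a partially removed rootkit driver looks like, so each one should be accounted for; the "combofix_residue" list should be empty once the uninstall step has been done.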

#11 flippylip Re: [RESOLVED] rootkit.win32.tdss.d


Posted 09 August 2010 - 11:58 PM

Broni, on 09 August 2010 - 11:04 PM, said:

Good :)

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

====================================================================================================

Please, re-run OTL "Quick scan" and post a fresh log.

OTL logfile created on: 8/9/2010 7:42:10 PM - Run 2
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 164.00 Mb Available Physical Memory | 32.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 129.24 Gb Free Space | 86.71% Space Free | Partition Type: NTFS
Drive D: | 55.93 Gb Total Space | 52.36 Gb Free Space | 93.61% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DELL-B9D0F5ABDA
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/08/07 16:14:33 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
PRC - [2010/05/27 11:44:26 | 001,565,960 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
PRC - [2010/05/27 11:44:16 | 001,471,752 | ---- | M] (Raxco Software, Inc.) -- C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
PRC - [2010/05/20 17:19:16 | 000,088,176 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2010/03/27 13:14:26 | 000,160,328 | ---- | M] (Siber Systems) -- C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
PRC - [2008/04/13 23:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2001/10/08 16:21:28 | 000,053,248 | ---- | M] (Silitek Corp.) -- C:\Program Files\LexmarkX73\ACMonitor_X73.exe
PRC - [2001/07/11 12:08:38 | 000,053,248 | ---- | M] (Jetsoft Development Company) -- C:\Program Files\LexmarkX73\AcBtnMgr_X73.exe


========== Modules (SafeList) ==========

MOD - [2010/08/07 16:14:33 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
MOD - [2008/04/13 23:42:08 | 000,250,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ime\SPTIP.dll
MOD - [2008/04/13 23:42:02 | 000,413,696 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp60.dll
MOD - [2008/04/13 23:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx
MOD - [2008/04/13 16:13:20 | 000,062,976 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ime\SPGRMR.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2010/05/27 11:44:26 | 001,565,960 | ---- | M] (Raxco Software, Inc.) [Auto | Running] -- C:\Program Files\Raxco\PerfectDisk\PDAgent.exe -- (PDAgent)
SRV - [2010/05/27 11:44:16 | 001,471,752 | ---- | M] (Raxco Software, Inc.) [On_Demand | Running] -- C:\Program Files\Raxco\PerfectDisk\PDEngine.exe -- (PDEngine)
SRV - [2010/05/20 17:19:16 | 000,088,176 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2009/07/21 10:50:48 | 000,208,616 | ---- | M] (Kaspersky Lab) [Auto | Running] -- C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe -- (AVP)
SRV - [2008/12/22 10:18:14 | 000,410,976 | ---- | M] (mst software GmbH, Germany) [On_Demand | Stopped] -- C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe -- (DfSdkS)
SRV - [2005/11/14 01:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Auto | Stopped] -- C:\WINDOWS\System32\drivers\TLRecAgent.sys -- (TLRecAgent)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
DRV - [2010/05/18 19:16:17 | 000,722,416 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd)
DRV - [2010/05/18 18:54:03 | 000,902,592 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tdrpm228.sys -- (tdrpman228) Acronis Try&Decide and Restore Points filter (build 228)
DRV - [2010/05/18 18:53:46 | 000,138,208 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)
DRV - [2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2009/12/22 11:33:08 | 000,135,184 | ---- | M] (Raxco Software, Inc.) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\DefragFs.sys -- (DefragFS)
DRV - [2009/12/21 05:37:45 | 000,033,808 | ---- | M] (Kaspersky Lab) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\klbg.sys -- (klbg)
DRV - [2009/05/14 18:31:22 | 000,226,832 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2008/07/21 18:34:36 | 000,121,872 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1)
DRV - [2008/04/30 18:06:48 | 000,024,592 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klim5.sys -- (klim5)
DRV - [2008/03/13 19:02:46 | 000,026,640 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klfltdev.sys -- (KLFLTDEV)
DRV - [2008/02/27 13:49:00 | 000,003,840 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\System32\Drivers\BANTExt.sys -- (BANTExt)
DRV - [2007/10/25 18:31:08 | 000,616,064 | ---- | M] (PixArt Imaging Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\PFC027.SYS -- (PAC207)
DRV - [2001/10/12 08:33:12 | 000,018,024 | ---- | M] ( ) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\lxarscan.sys -- (LXARScan)
DRV - [2001/08/17 14:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Bing"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.bing.com/"
FF - prefs.js..extensions.enabledItems: {DCBD1271-D228-4082-9FBC-36D9B7660B03}:1.1.9.1
FF - prefs.js..extensions.enabledItems: {4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}:0.6.7
FF - prefs.js..extensions.enabledItems: {9125C9CB-BE2B-4389-A0C7-46A4BDD46AEA}:0.6.0.1
FF - prefs.js..extensions.enabledItems: {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}:0.4.4
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.2
FF - prefs.js..extensions.enabledItems: {22119944-ED35-4ab1-910B-E619EA06A115}:6.9.98
FF - prefs.js..extensions.enabledItems: {4BBDD651-70CF-4821-84F8-2B918CF89CA3}:6.3.3.2
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: trackerwatcher@privacychoice.org:1.0.8
FF - prefs.js..extensions.enabledItems: spellbound@sourceforge.net:4.0.0
FF - prefs.js..keyword.URL: "http://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=NSC-A&o=14095&locale=en_US&q="

FF - HKLM\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2009/05/17 11:20:10 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/08/08 12:52:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: c:\program files\Mozilla Firefox\components [2010/07/26 12:11:06 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: c:\program files\Mozilla Firefox\plugins [2010/07/26 12:11:06 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\{eea12ec4-729d-4703-bc37-106ce9879ce2}: C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\THBExt [2009/12/21 03:16:48 | 000,000,000 | ---D | M]

[2009/05/14 16:01:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/08/08 17:45:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\extensions
[2010/03/27 11:55:19 | 000,000,000 | ---D | M] (Image Zoom) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}
[2010/04/28 11:32:53 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/07/15 05:07:22 | 000,000,000 | ---D | M] (FEBE) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
[2010/03/27 11:55:20 | 000,000,000 | ---D | M] (Ad blocker) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}
[2010/07/22 21:16:14 | 000,000,000 | ---D | M] (deskCut) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\extensions\{9125C9CB-BE2B-4389-A0C7-46A4BDD46AEA}
[2010/03/27 11:55:21 | 000,000,000 | ---D | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\extensions\{DCBD1271-D228-4082-9FBC-36D9B7660B03}
[2010/07/12 11:03:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\extensions\spellbound@sourceforge.net
[2010/06/25 11:53:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\extensions\trackerwatcher@privacychoice.org
[2009/05/25 19:57:46 | 000,002,238 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\searchplugins\askcom.xml
[2009/07/02 17:05:04 | 000,002,164 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\searchplugins\bing.xml
[2010/08/06 19:01:42 | 000,001,942 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jssanbcn.default\searchplugins\mycroft-project.xml
[2010/08/08 17:45:34 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/09 13:14:19 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2008/06/18 02:43:04 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll

O1 HOSTS File: ([2010/08/09 11:02:42 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (TwcToolbarBhoApp Class) - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll ()
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (The Weather Channel Toolbar) - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll ()
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [Lexmark X73 Button Manager] C:\Program Files\LexmarkX73\AcBtnMgr_X73.exe (Jetsoft Development Company)
O4 - HKLM..\Run: [Lexmark X73 Button Monitor] C:\Program Files\LexmarkX73\ACMonitor_X73.exe (Silitek Corp.)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [PrinTray] C:\WINDOWS\system32\spool\drivers\w32x86\3\printray.exe (Lexmark)
O4 - HKCU..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm ()
O9 - Extra Button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll (Kaspersky Lab)
O9 - Extra Button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - Reg Error: Key error. File not found
O9 - Extra 'Tools' menuitem : The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - Reg Error: Value error. File not found
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/02/16 14:40:10 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (PDBoot.exe) - C:\WINDOWS\System32\PDBoot.exe (Raxco Software, Inc.)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/08/09 19:41:20 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/08/09 10:27:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Scans
[2010/08/08 17:57:01 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Administrator\Recent
[2010/08/07 21:59:14 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/08/07 21:56:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/08/06 13:12:34 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2010/08/04 13:43:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/08/04 13:43:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/08/04 13:39:45 | 000,033,632 | ---- | C] (mst software GmbH, Germany) -- C:\WINDOWS\System32\DfSdkBt.exe
[2010/08/03 13:28:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\SpiritVG
[2010/08/03 11:56:07 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/08/03 11:55:58 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/08/03 11:55:57 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/08/02 11:29:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alawar Stargaze
[2010/07/30 20:57:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Vast Studios
[2010/07/30 20:55:36 | 000,000,000 | ---D | C] -- C:\Program Files\Nightfall Mysteries Asylum Conspiracy
[2010/07/28 11:13:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\TikisLab
[2010/07/27 11:57:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\TheLostKingdomProphecy
[2010/07/26 16:03:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
[2010/07/26 16:02:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Office Genuine Advantage
[2010/07/20 20:03:24 | 000,000,000 | ---D | C] -- C:\Program Files\Deep Blue Sea 2
[2010/07/20 13:32:47 | 000,000,000 | ---D | C] -- C:\Program Files\RealArcade
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-TW
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\zh-HK
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\tr-TR
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\sv-SE
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\pt-BR
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nl-NL
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\nb-NO
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ko-KR
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\it-IT
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\he-IL
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fr-FR
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\fi-FI
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\es-ES
[2010/07/16 16:01:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\el-GR
[2010/07/16 16:01:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\de-DE
[2010/07/16 16:01:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\da-DK
[2010/07/16 16:01:58 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\ar-SA
[2010/07/15 14:48:04 | 000,000,000 | ---D | C] -- C:\Program Files\Rainbow Mystery
[2010/07/13 13:00:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2010/07/13 12:30:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/07/04 13:13:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\GamePlastic
[2010/06/27 12:02:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\vlc
[2010/06/20 10:53:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\Slingo Supreme Documents
[2010/06/20 10:52:50 | 000,000,000 | ---D | C] -- C:\Program Files\Slingo Supreme
[2010/06/05 14:24:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\The Game Equation
[2010/06/02 13:37:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\7Wonders2
[2010/06/01 18:43:56 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2010/06/01 11:08:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\MumboJumbo
[2010/05/30 11:43:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\7Wonders
[2010/05/30 11:28:22 | 000,000,000 | ---D | C] -- C:\Program Files\7 Wonders Treasures Of Seven
[2010/05/30 11:26:50 | 000,000,000 | ---D | C] -- C:\Program Files\7 Wonders
[2010/05/30 11:24:15 | 000,000,000 | ---D | C] -- C:\Program Files\7 Wonders II
[2010/05/27 11:44:20 | 000,237,320 | ---- | C] (Raxco Software, Inc.) -- C:\WINDOWS\System32\PDBoot.exe
[2010/05/19 21:08:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Redrum
[2010/05/19 21:07:50 | 000,000,000 | -HSD | C] -- C:\WINDOWS\ftpcache
[2010/05/19 20:17:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Orneon
[2010/05/19 19:34:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MythPeople
[2010/05/19 19:02:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Fenomen Games
[2010/05/18 19:16:17 | 000,722,416 | ---- | C] (Duplex Secure Ltd.) -- C:\WINDOWS\System32\drivers\sptd.sys
[2010/05/18 19:15:57 | 000,000,000 | ---D | C] -- C:\Program Files\Softland
[2010/05/18 19:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Softland
[2010/05/18 19:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Softland
[2010/05/18 19:15:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\My Documents\My Backup4all
[2010/05/18 13:57:45 | 000,000,000 | ---D | C] -- C:\Program Files\Ashampoo
[2010/05/17 14:33:09 | 000,000,000 | ---D | C] -- C:\Program Files\Azkend
[2010/05/17 14:29:47 | 000,000,000 | ---D | C] -- C:\Program Files\Trial of the Gods Ariadnes Journey
[2010/05/17 14:28:44 | 000,000,000 | ---D | C] -- C:\Program Files\Rainforest Adventure
[2010/05/17 14:21:21 | 000,000,000 | ---D | C] -- C:\Program Files\Glyph 2
[2010/05/17 14:17:48 | 000,000,000 | ---D | C] -- C:\Program Files\Glyph
[2010/04/02 11:29:47 | 000,018,024 | ---- | C] ( ) -- C:\WINDOWS\System32\drivers\lxarscan.sys

========== Files - Modified Within 90 Days ==========

[2010/08/09 19:40:16 | 000,000,287 | ---- | M] () -- C:\WINDOWS\X73_DS.ini
[2010/08/09 19:39:43 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/08/09 19:39:39 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/09 19:39:31 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/09 19:38:56 | 003,932,160 | ---- | M] () -- C:\Documents and Settings\Administrator\ntuser.dat
[2010/08/09 19:38:56 | 003,232,800 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/08/09 19:38:56 | 000,688,160 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2010/08/09 19:38:56 | 000,030,528 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/08/09 19:38:56 | 000,005,528 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2010/08/09 19:38:40 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/08/09 16:25:46 | 000,021,504 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\2010 haunted forest.doc
[2010/08/09 11:02:57 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/08/09 11:02:42 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/08/07 21:59:19 | 000,000,264 | RHS- | M] () -- C:\boot.ini
[2010/08/07 19:09:40 | 000,000,129 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\My House Reeks of Skunk Odor.url
[2010/08/07 18:59:09 | 000,000,127 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Removing Skunk Smell from House.url
[2010/08/07 18:57:38 | 000,000,148 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Get Rid Of Skunk Smell In House _ Remove Skunk Odor Spray.url
[2010/08/07 16:14:33 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/08/06 11:02:45 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/08/04 13:39:46 | 000,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\1-Click-Optimizer.lnk
[2010/08/04 13:39:46 | 000,000,793 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Ashampoo WinOptimizer 6.lnk
[2010/08/04 13:39:46 | 000,000,775 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ashampoo WinOptimizer 6.lnk
[2010/08/04 12:26:51 | 000,000,692 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CCleaner.lnk
[2010/08/03 19:58:51 | 000,002,538 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\cc_20100803_195842.reg
[2010/08/03 11:56:22 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/08/03 11:56:22 | 000,000,706 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/02 12:09:56 | 000,000,056 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\The Haunted Forest Of Carousel.url
[2010/07/30 20:49:26 | 000,000,190 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Nightfall Mysteries_ Asylum Conspiracy Walkthrough _ Big Fish Games Blog.url
[2010/07/29 12:49:28 | 000,113,933 | ---- | M] () -- C:\WINDOWS\System32\drivers\klin.dat
[2010/07/29 12:49:28 | 000,097,549 | ---- | M] () -- C:\WINDOWS\System32\drivers\klick.dat
[2010/07/25 12:21:29 | 000,000,280 | ---- | M] () -- C:\WINDOWS\System32\PDBootState
[2010/07/24 10:57:58 | 000,001,576 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\The Cleaner.lnk
[2010/07/24 10:50:26 | 000,001,012 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/07/21 03:05:08 | 002,122,362 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/07/21 02:09:23 | 000,000,031 | ---- | M] () -- C:\WINDOWS\popcinfo.dat
[2010/07/20 13:55:01 | 000,009,728 | ---- | M] () -- C:\WINDOWS\System32\BASSMOD.dll
[2010/07/20 12:06:01 | 000,002,086 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Meow.gif
[2010/07/16 17:22:07 | 000,293,272 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/07/16 16:06:13 | 000,542,702 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/16 16:06:13 | 000,469,718 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/16 16:06:13 | 000,083,076 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/11 17:12:44 | 000,000,465 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\CT Web Pgs Misc Prog.lnk
[2010/07/05 14:21:03 | 000,001,874 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PerfectDisk 11.lnk
[2010/07/01 11:43:08 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\A PETs Ten Comm.doc
[2010/06/30 17:15:22 | 000,021,504 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Please Drive Safe.doc
[2010/06/27 11:46:44 | 000,000,049 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/06/26 18:18:31 | 000,001,284 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\RTS Folder.lnk
[2010/06/16 12:05:13 | 000,031,232 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Rodgers Resume.doc
[2010/06/01 17:53:26 | 000,000,864 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Ashampoo Burning Studio 9.lnk
[2010/05/27 11:44:20 | 000,237,320 | ---- | M] (Raxco Software, Inc.) -- C:\WINDOWS\System32\PDBoot.exe
[2010/05/25 17:26:56 | 000,070,222 | ---- | M] () -- C:\X73_DS.bmp
[2010/05/25 17:26:46 | 000,001,439 | ---- | M] () -- C:\WINDOWS\GtX73.ini
[2010/05/25 17:26:45 | 000,360,054 | ---- | M] () -- C:\WINDOWS\bound.bmp
[2010/05/19 11:22:09 | 000,000,500 | ---- | M] () -- C:\WINDOWS\tasks\b4a_New Backup.job
[2010/05/18 19:16:17 | 000,722,416 | ---- | M] (Duplex Secure Ltd.) -- C:\WINDOWS\System32\drivers\sptd.sys
[2010/05/18 19:16:03 | 000,000,950 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Backup4all Professional 4.lnk
[2010/05/17 12:57:15 | 000,032,256 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Chris Resume.doc
[2010/05/12 11:12:26 | 000,000,078 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Application Status Information - Application Status Information.url

========== Files Created - No Company Name ==========

[2100/02/23 14:35:34 | 000,000,768 | ---- | C] () -- C:\WINDOWS\x73_lut.dat
[2100/02/08 15:53:34 | 000,001,439 | ---- | C] () -- C:\WINDOWS\GtX73.ini
[2010/08/08 16:14:29 | 000,021,504 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\2010 haunted forest.doc
[2010/08/07 21:59:19 | 000,000,193 | ---- | C] () -- C:\Boot.bak
[2010/08/07 21:59:16 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/08/07 19:09:40 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\My House Reeks of Skunk Odor.url
[2010/08/07 18:59:09 | 000,000,127 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Removing Skunk Smell from House.url
[2010/08/07 18:57:38 | 000,000,148 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Get Rid Of Skunk Smell In House _ Remove Skunk Odor Spray.url
[2010/08/04 13:39:46 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\1-Click-Optimizer.lnk
[2010/08/04 13:39:46 | 000,000,793 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Ashampoo WinOptimizer 6.lnk
[2010/08/04 13:39:46 | 000,000,775 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ashampoo WinOptimizer 6.lnk
[2010/08/03 19:58:47 | 000,002,538 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\cc_20100803_195842.reg
[2010/08/03 11:56:22 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2010/08/03 11:56:22 | 000,000,706 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/08/02 12:09:56 | 000,000,056 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\The Haunted Forest Of Carousel.url
[2010/07/30 20:49:26 | 000,000,190 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Nightfall Mysteries_ Asylum Conspiracy Walkthrough _ Big Fish Games Blog.url
[2010/07/25 11:57:32 | 000,000,280 | ---- | C] () -- C:\WINDOWS\System32\PDBootState
[2010/07/24 10:57:58 | 000,001,576 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\The Cleaner.lnk
[2010/07/20 12:06:00 | 000,002,086 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Meow.gif
[2010/07/16 16:01:59 | 000,000,236 | ---- | C] () -- C:\WINDOWS\tasks\OGALogon.job
[2010/07/13 12:55:21 | 003,932,160 | ---- | C] () -- C:\Documents and Settings\Administrator\ntuser.dat
[2010/07/11 17:12:44 | 000,000,465 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\CT Web Pgs Misc Prog.lnk
[2010/06/30 17:32:47 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\A PETs Ten Comm.doc
[2010/06/30 17:06:15 | 000,021,504 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Please Drive Safe.doc
[2010/06/02 11:08:13 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Wm Ryals-Rent Address.doc
[2010/06/01 17:53:26 | 000,000,864 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Ashampoo Burning Studio 9.lnk
[2010/05/18 19:31:46 | 000,000,500 | ---- | C] () -- C:\WINDOWS\tasks\b4a_New Backup.job
[2010/05/18 19:16:03 | 000,000,950 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Backup4all Professional 4.lnk
[2010/05/12 11:12:26 | 000,000,078 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Application Status Information - Application Status Information.url
[2010/04/23 19:49:10 | 000,000,472 | ---- | C] () -- C:\WINDOWS\System32\Remover.ini
[2009/11/22 03:35:00 | 000,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/08/01 12:33:28 | 000,000,092 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2009/05/25 20:10:12 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/05/25 13:57:33 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\TwcToolbarIe7.dll
[2009/05/25 13:57:33 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\TwcToolbarBho.dll
[2009/05/18 12:54:07 | 000,009,728 | ---- | C] () -- C:\WINDOWS\System32\BASSMOD.dll
[2009/05/17 21:23:26 | 000,000,401 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2009/05/17 15:22:06 | 000,003,840 | ---- | C] () -- C:\WINDOWS\System32\drivers\BANTExt.sys
[2009/05/17 14:57:57 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009/05/17 14:57:56 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009/05/14 19:53:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2009/02/18 18:51:05 | 000,000,077 | ---- | C] () -- C:\WINDOWS\slsetup.ini
[2008/10/27 11:56:16 | 000,000,566 | ---- | C] () -- C:\WINDOWS\System32\SP207.INI
[2005/04/28 00:22:38 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2005/04/28 00:22:34 | 000,831,488 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2005/04/28 00:22:34 | 000,159,744 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2002/12/10 00:00:00 | 001,708,032 | ---- | C] () -- C:\WINDOWS\System32\MSO97V.DLL
[2002/12/10 00:00:00 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[2002/12/10 00:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\MSORFS.DLL
[2002/12/10 00:00:00 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL
[2001/10/12 08:42:50 | 000,000,643 | ---- | C] () -- C:\WINDOWS\LEXSTAT.INI
[2001/10/12 03:42:51 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXARICO.DLL
[2001/06/27 11:29:20 | 000,001,094 | ---- | C] () -- C:\WINDOWS\Lexmark_ICM.ini
[2000/12/05 15:56:34 | 000,114,688 | ---- | C] () -- C:\WINDOWS\lxarscan.dll
[2000/10/24 09:08:36 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\LFKODAK.DLL
[2000/10/24 09:08:33 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2000/01/11 12:50:48 | 000,000,047 | ---- | C] () -- C:\WINDOWS\ACMonitor_X73.ini
[2000/01/11 12:42:22 | 000,000,287 | ---- | C] () -- C:\WINDOWS\X73_DS.ini
[1999/04/20 04:15:00 | 000,022,016 | ---- | C] () -- C:\WINDOWS\unvise32.dll

========== LOP Check ==========

[2010/05/30 11:44:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\7Wonders
[2010/08/04 13:15:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Ashampoo
[2009/05/20 22:41:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\CTXM
[2009/05/20 22:37:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\EA
[2010/08/04 13:16:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ERS G-Studio
[2009/08/11 20:28:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Faerie Solitaire
[2010/06/20 10:53:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\funkitron
[2009/05/14 16:01:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ImgBurn
[2009/05/20 22:23:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\iWin
[2009/07/11 22:12:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Octoshape
[2009/05/27 11:07:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\OfficeUpdate12
[2010/05/19 20:17:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Orneon
[2010/06/25 12:16:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\PlayFirst
[2009/07/05 13:58:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Quirky Games
[2009/05/20 22:45:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Sahmon Games
[2010/04/11 12:32:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Skip-Bo
[2010/05/18 19:15:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Softland
[2010/05/11 02:50:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SolSuite
[2009/12/30 22:29:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\SpinTop
[2010/07/28 11:13:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\TikisLab
[2009/07/21 21:42:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\uTorrent
[2010/07/30 20:57:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Vast Studios
[2010/03/27 10:43:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Vso
[2009/05/14 20:00:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Acronis
[2010/08/02 11:29:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alawar Stargaze
[2010/08/07 21:16:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AlawarWrapper
[2009/05/17 16:50:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ashampoo
[2010/04/30 16:53:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Deadtime Stories
[2010/05/19 19:02:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Fenomen Games
[2010/07/04 13:13:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GamePlastic
[2009/05/20 22:35:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HipSoft
[2010/06/05 11:54:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MumboJumbo
[2010/05/19 19:34:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MythPeople
[2009/11/09 02:15:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\page
[2010/06/25 12:16:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2010/05/04 22:11:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Playrix Entertainment
[2009/09/11 20:53:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Princess Isabella
[2010/05/19 21:08:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Redrum
[2009/05/17 22:09:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RoboForm
[2010/05/17 14:39:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sandlot Games
[2010/05/18 19:16:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Softland
[2010/07/15 14:50:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SugarGames
[2010/07/27 21:06:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/07/20 11:18:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\The Game Equation
[2010/04/22 10:51:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TreeCardGames
[2010/05/19 11:22:09 | 000,000,500 | ---- | M] () -- C:\WINDOWS\Tasks\b4a_New Backup.job
[2010/08/09 19:39:43 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:33DB8278
@Alternate Data Stream - 96 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1DEE6B65
@Alternate Data Stream - 94 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7679D513
@Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D0467BDF
@Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:73D27958
@Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2398E95B
@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6C75AF4C
@Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C5CE2DF6
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B83F1B83
@Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3DF63AD7
@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:57DC3B52
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:848CC150
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7E5B14AE
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7B2BB690
@Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3D36932D
< End of report >

#12 Broni Re: [RESOLVED] rootkit.win32.tdss.d


Posted 10 August 2010 - 12:38 AM

Your computer would greatly benefit from adding another 512MB of RAM.

Update your Java version here: http://www.java.com/...d/installed.jsp

=================================================================================================

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

==============================================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra Button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - Reg Error: Key error. File not found
    O9 - Extra 'Tools' menuitem : The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - Reg Error: Value error. File not found
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
    @Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:33DB8278
    @Alternate Data Stream - 96 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1DEE6B65
    @Alternate Data Stream - 94 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7679D513
    @Alternate Data Stream - 143 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D0467BDF
    @Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:73D27958
    @Alternate Data Stream - 139 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2398E95B
    @Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6C75AF4C
    @Alternate Data Stream - 123 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:C5CE2DF6
    @Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B83F1B83
    @Alternate Data Stream - 119 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3DF63AD7
    @Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:57DC3B52
    @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:848CC150
    @Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7E5B14AE
    @Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7B2BB690
    @Alternate Data Stream - 100 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3D36932D
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
    

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.


#13 flippylip Re: [RESOLVED] rootkit.win32.tdss.d


Posted 10 August 2010 - 03:44 PM

Broni, on 10 August 2010 - 12:38 AM, said: (quoting post #12 above in full)


All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2E5E800E-6AC0-411E-940A-369530A35E43}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2E5E800E-6AC0-411E-940A-369530A35E43}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2E5E800E-6AC0-411E-940A-369530A35E43}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2E5E800E-6AC0-411E-940A-369530A35E43}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:33DB8278 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:1DEE6B65 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:7679D513 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:D0467BDF deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:73D27958 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:2398E95B deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:6C75AF4C deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:C5CE2DF6 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:B83F1B83 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:3DF63AD7 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:57DC3B52 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:848CC150 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:7E5B14AE deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:7B2BB690 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:3D36932D deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 18528818 bytes
->Temporary Internet Files folder emptied: 2215499 bytes
->Java cache emptied: 1853 bytes
->FireFox cache emptied: 41876723 bytes
->Flash cache emptied: 615 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 875296 bytes

Total Files Cleaned = 61.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 08102010_113708

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
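An added check, not code from the thread or from OTL, that pairs the :OTL section of the fix script above with the fix log it produced: every ADS that OTL was asked to remove should reappear in the log as "deleted successfully" or "not found", and anything the log never mentions is flagged for a second look. It also applies a heuristic of my own, not an OTL rule, to the scan listing's pattern of many small hex-named streams on one directory. The excerpts are constructed from a few of the thread's lines, with one stream deliberately left out of the log.

```python
"""Cross-check an OTL fix script against the fix log it produced.
Added example, not OTL's own code; excerpts are constructed from the thread,
with one ADS deliberately missing from the log."""
import re
from collections import defaultdict

# Constructed excerpt of the fix script's :OTL and :Commands sections.
FIX_SCRIPT = r""":OTL
@Alternate Data Stream - 99 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:33DB8278
@Alternate Data Stream - 96 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:1DEE6B65
@Alternate Data Stream - 94 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:7679D513

:Commands
[emptytemp]
[Reboot]
"""

# Constructed excerpt of the fix log; the 7679D513 stream is never mentioned.
FIX_LOG = r"""All processes killed
========== OTL ==========
ADS C:\Documents and Settings\All Users\Application Data\TEMP:33DB8278 deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:1DEE6B65 not found.
========== COMMANDS ==========
"""

ADS_LINE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+)$")
LOG_ADS = re.compile(r"^ADS (.+?) (deleted successfully|not found)\.$")
HEX_STREAM = re.compile(r"^[0-9A-F]{8}$")  # opaque names like TEMP:33DB8278


def parse_fix_script(text):
    """Split an OTL fix script into its ':Section' blocks (section -> lines)."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):
            current = line
        elif line and current is not None:
            sections[current].append(line)
    return dict(sections)


def ads_entries(lines):
    """Return [(path, stream_name, size_bytes)] for the ADS lines in a section."""
    entries = []
    for line in lines:
        m = ADS_LINE.match(line)
        if m:
            path, _, stream = m.group(2).rpartition(":")
            entries.append((path, stream, int(m.group(1))))
    return entries


def parse_fix_log(text):
    """Map each 'path:stream' named in the fix log to OTL's reported outcome."""
    outcomes = {}
    for line in text.splitlines():
        m = LOG_ADS.match(line.strip())
        if m:
            outcomes[m.group(1)] = m.group(2)
    return outcomes


def verify_ads_removal(script_text, log_text):
    """Report what the log says about every ADS the script asked OTL to remove;
    'unaccounted' streams never appear in the log and need a second look."""
    requested = ads_entries(parse_fix_script(script_text).get(":OTL", []))
    outcomes = parse_fix_log(log_text)
    report = {"deleted": [], "not_found": [], "unaccounted": []}
    for path, stream, _ in requested:
        key = f"{path}:{stream}"
        status = outcomes.get(key)
        if status == "deleted successfully":
            report["deleted"].append(key)
        elif status == "not found":
            report["not_found"].append(key)
        else:
            report["unaccounted"].append(key)
    return report


def suspicious_ads_hosts(entries, min_streams=3):
    """Heuristic (my assumption, not an OTL rule): a path carrying several small
    streams with opaque 8-digit hex names, as TEMP does here, deserves a look."""
    per_path = defaultdict(list)
    for path, stream, size in entries:
        if HEX_STREAM.match(stream) and size < 1024:
            per_path[path].append(stream)
    return {p: s for p, s in per_path.items() if len(s) >= min_streams}


if __name__ == "__main__":
    print(verify_ads_removal(FIX_SCRIPT, FIX_LOG))
    print(suspicious_ads_hosts(ads_entries(parse_fix_script(FIX_SCRIPT)[":OTL"])))
```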

#14 Broni Re: [RESOLVED] rootkit.win32.tdss.d


Posted 10 August 2010 - 10:52 PM

Cool :)

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Go to Kaspersky website and perform an online antivirus scan.

  • Disable your active antivirus program.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


#15 flippylip Re: [RESOLVED] rootkit.win32.tdss.d


Posted 11 August 2010 - 12:46 AM

Broni, on 10 August 2010 - 10:52 PM, said: (quoting post #14 above in full)

Scanner will not run: Launch of the Java application is interrupted. Please establish an uninterrupted internet connection for work with the program. This is the error message that I am getting. Any suggestions? I have Java set to Direct Connection. I have a cable modem, but it is only DK-Lite package, 1-2 meg.


Results of screen317's Security Check version 0.99.5
Windows XP Service Pack 3
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Kaspersky Internet Security 2009
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
The Cleaner
Java™ 6 Update 21
Adobe Flash Player 10.1.53.64
Adobe Reader 9.1.3
Adobe Reader 9.3
Mozilla Firefox (3.6.8)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
````````````````````````````````
DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning. (Wireless connection?)

``````````End of Log````````````

#16 Broni Re: [RESOLVED] rootkit.win32.tdss.d


Posted 11 August 2010 - 01:28 AM

Very good :)
Waiting for Kaspersky scan results....

#17 flippylip Re: [RESOLVED] rootkit.win32.tdss.d


Posted 11 August 2010 - 04:40 PM

Broni, on 11 August 2010 - 01:28 AM, said: (quoting post #16 above)


The program starts and gets to 20% and stops and then I get this error message. I have tried this program about 4 times now. I have even rebooted and tried again. I have gotten this error message also: Launch of the Java application is interrupted. Please establish an uninterrupted internet connection for work with this program.

The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab.

[ERROR: java.lang.RuntimeException: Kaspersky Online Scanner 7.0 cannot be started because this computer has Kaspersky Internet Security 8.0 (9.0) installed.]

#18 Broni Re: [RESOLVED] rootkit.win32.tdss.d


Posted 12 August 2010 - 02:37 AM

Instead of Kaspersky...

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • IMPORTANT! UN-check Remove found threats
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Push Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.


#19 flippylip Re: [RESOLVED] rootkit.win32.tdss.d


Posted 12 August 2010 - 04:30 PM

Broni, on 12 August 2010 - 02:37 AM, said: (quoting post #18 above in full)

C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{37508B96-7D3B-40FC-84CB-9F7A397A167B}\Microsoft\Outlook Express\Rodger II.dbx probably unknown NewHeur_PE virus
D:\Backup\CT'S Backups\CT'S Backups\1_C.zip probably a variant of Win32/Genetik trojan
D:\Windows Backup\Documents and Settings\Tanner's\Local Settings\Application Data\Identities\{84F47D9F-4FC6-4CC3-A317-E0AE9AADC968}\Rodger II.dbx probably unknown NewHeur_PE virus
D:\Windows Backup\Documents and Settings\Tanner's\Local Settings\Application Data\Identities\{84F47D9F-4FC6-4CC3-A317-E0AE9AADC968}\Microsoft\Outlook Express\Rodger II (1).dbx probably unknown NewHeur_PE virus
D:\Windows Backup\Documents and Settings\Tanner's\Local Settings\Application Data\Identities\{84F47D9F-4FC6-4CC3-A317-E0AE9AADC968}\Microsoft\Outlook Express\Rodger II.dbx probably unknown NewHeur_PE virus
D:\Windows Backup\Documents and Settings\Tanner's\Local Settings\Application Data\Identities\{8513C2E7-1B9A-4F1E-83FF-B08F8EEBB490}\Games Board.dbx probably a variant of Win32/Agent.BYYVREV trojan
D:\Windows Backup\Documents and Settings\Tanner's\Local Settings\Application Data\Identities\{8513C2E7-1B9A-4F1E-83FF-B08F8EEBB490}\Microsoft\Outlook Express\Games Board.dbx probably a variant of Win32/Agent.BYYVREV trojan

#20 Broni Re: [RESOLVED] rootkit.win32.tdss.d


Posted 12 August 2010 - 10:44 PM

Most of the suspicious files are located in your mail folders: Rodger II.dbx, Rodger II (1).dbx, Games Board.dbx
I don't want to delete whole folders, since you may have something important there.
You need to be careful with those folders. Don't click on any unknown links and scan every attachment with your AV program.

Another file:
- D:\Backup\CT'S Backups\CT'S Backups\1_C.zip
Upload it to http://www.virustotal.com/ for security check.
If anything found, delete the file.

Now...

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

=========================================================================================================

Your computer is clean


1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

8. Run Temporary File Cleaner (TFC) weekly.

9. Download and install Secunia Personal Software Inspector (PSI). The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

10. Run defrag at your convenience.

11. Read "How did I get infected? With steps so it does not happen again!": http://www.bleepingc.../topic2520.html

12. Please let me know how your computer is doing.




