Search redirect, ie, firefox and safari



#1
Chemwapuwa
    Member, 21 posts
Hello

I have a problem with being redirected on all search sites; it doesn't happen with direct typing of sites or pasting the address. I have run several malware removal programs and nothing works. Below is what I got from ComboFix. I have cleaned all browsers out of history, cookies and caches several times.

Not sure what else to do; any help would be great.

thanks
Chem


-------------------------------------------------------------

ComboFix 10-05-10.05 - chemwapuwa 05/11/2010 15:22:39.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1666 [GMT -4:00]
Running from: c:\documents and settings\chemwapuwa\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\acpiec.sys was found and disinfected
Restored copy from - Kitty had a snack :)
.
((((((((((((((((((((((((( Files Created from 2010-04-11 to 2010-05-11 )))))))))))))))))))))))))))))))
.

2010-05-11 01:27 . 2010-05-11 01:27 -------- d-----w- c:\documents and settings\chemwapuwa\Local Settings\Application Data\Threat Expert
2010-05-11 01:18 . 2010-05-11 02:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-11 00:19 . 2010-05-11 00:19 -------- d-----w- c:\documents and settings\chemwapuwa\Application Data\Malwarebytes
2010-05-11 00:19 . 2010-05-11 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-11 00:19 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-11 00:19 . 2010-05-11 00:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-11 00:19 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-09 20:09 . 2010-05-09 20:09 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-29 23:03 . 2010-04-29 23:03 0 ----a-w- c:\windows\nsreg.dat
2010-04-29 23:00 . 2010-04-29 23:00 -------- d-----w- c:\documents and settings\chemwapuwa\Local Settings\Application Data\Mozilla
2010-04-29 22:59 . 2010-04-29 23:00 -------- d-----w- c:\program files\SeaMonkey
2010-04-29 22:56 . 2010-04-29 22:56 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-04-29 21:57 . 2010-04-29 21:57 -------- d-----w- C:\i3dthemes
2010-04-29 21:48 . 2010-04-29 21:48 -------- d-----w- c:\program files\Starfield
2010-04-29 21:27 . 2010-04-29 21:27 -------- d-----w- c:\program files\LTMOD
2010-04-29 21:25 . 2010-04-29 21:25 -------- d-----w- C:\FrontPage Tools
2010-04-29 21:25 . 2010-04-29 21:25 720896 ----a-w- c:\windows\iun6002.exe
2010-04-29 21:25 . 2010-04-29 21:25 -------- d-----w- c:\program files\NetPlugin Tags
2010-04-29 21:24 . 2010-04-29 21:27 -------- d-----w- c:\program files\DPA Software
2010-04-29 21:24 . 2003-03-27 17:16 49152 ----a-w- c:\windows\system32\DPAMenu.dll
2010-04-29 21:24 . 2003-03-26 22:21 73728 ----a-w- c:\windows\system32\DPARTL.dll
2010-04-29 21:05 . 2010-05-05 02:41 -------- d-----w- C:\FPTemplates
2010-04-24 22:47 . 2010-04-24 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-04-24 22:46 . 2010-04-24 22:48 -------- d-----w- c:\program files\Canon
2010-04-23 16:59 . 2010-04-23 16:59 57312 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-22 03:49 . 2010-04-22 03:49 -------- d-----w- c:\program files\iPod
2010-04-22 03:49 . 2010-04-22 03:49 -------- d-----w- c:\program files\iTunes
2010-04-22 03:49 . 2010-04-22 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-22 03:47 . 2010-04-22 03:47 -------- d-----w- c:\program files\QuickTime
2010-04-22 03:45 . 2010-04-22 03:45 -------- d-----w- c:\program files\Bonjour
2010-04-22 03:42 . 2010-04-22 03:42 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-19 00:59 . 2010-04-19 01:00 -------- d-----w- c:\documents and settings\chemwapuwa\Local Settings\Application Data\HuluDesktop
2010-04-17 15:08 . 2010-04-17 15:08 -------- d-----w- c:\windows\system32\kodak
2010-04-17 15:06 . 2010-04-17 15:06 -------- d-----w- c:\program files\MSXML 6.0
2010-04-17 15:04 . 2010-02-22 16:01 53248 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\Installer\Serializable.XmlSerializers.dll
2010-04-17 15:04 . 2010-02-22 16:01 19968 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\Installer\Serializable.dll
2010-04-17 15:04 . 2010-02-22 16:01 36864 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\Installer\Interop.WindowsInstaller.dll
2010-04-17 14:17 . 2010-04-17 14:17 -------- d-----w- c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-11 19:21 . 2009-11-15 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-05-11 19:21 . 2009-11-15 19:41 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-05-11 03:08 . 2010-03-29 01:27 -------- d-----w- c:\program files\Google
2010-05-11 01:38 . 2010-03-29 01:27 -------- d-----w- c:\documents and settings\chemwapuwa\Application Data\Skype
2010-04-28 16:10 . 2009-12-09 15:44 -------- d-----w- c:\documents and settings\chemwapuwa\Application Data\Temp
2010-04-24 00:13 . 2009-11-18 07:29 -------- d-----w- c:\documents and settings\chemwapuwa\Application Data\Apple Computer
2010-04-22 03:49 . 2009-11-24 02:16 -------- d-----w- c:\program files\Common Files\Apple
2010-04-17 15:10 . 2009-11-15 19:39 -------- d-----w- c:\program files\Kodak
2010-04-17 15:03 . 2009-10-15 23:28 72480 ----a-w- c:\documents and settings\chemwapuwa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-29 01:28 . 2010-03-29 01:28 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-29 01:28 . 2010-03-29 01:28 -------- d-----w- c:\documents and settings\chemwapuwa\Application Data\skypePM
2010-03-29 01:27 . 2010-03-29 01:26 -------- d-----r- c:\program files\Skype
2010-03-29 01:26 . 2010-03-29 01:26 -------- d-----w- c:\program files\Common Files\Skype
2010-03-29 01:26 . 2010-03-29 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-03-29 01:23 . 2010-03-29 01:23 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
2010-03-29 01:23 . 2010-03-29 01:23 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-03-29 01:22 . 2010-03-29 01:22 851176 ----a-w- c:\windows\system32\WinUSBCoInstaller2.dll
2010-03-29 01:22 . 2010-03-29 01:22 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2010-03-29 01:22 . 2010-03-29 01:22 74752 ----a-w- c:\windows\system32\CLEyeDevices.dll
2010-03-29 01:22 . 2010-03-29 01:22 -------- d-----w- c:\program files\Code Laboratories
2010-03-26 01:23 . 2010-03-26 01:23 -------- d-----w- c:\documents and settings\chemwapuwa\Application Data\Alawar
2010-03-26 01:21 . 2010-03-26 01:21 -------- d-----w- c:\program files\WildGames
2010-03-25 22:24 . 2009-12-09 15:21 -------- d-----w- c:\program files\Common Files\Livescribe
2010-03-25 22:24 . 2010-03-25 22:24 -------- d-----w- c:\program files\Livescribe
2010-03-25 22:11 . 2009-12-09 15:18 -------- d-----w- c:\documents and settings\chemwapuwa\Application Data\Downloaded Installations
2010-03-22 17:26 . 2009-10-15 23:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-22 17:26 . 2010-03-22 17:26 -------- d-----w- c:\program files\ALK Technologies
2010-03-16 23:10 . 2010-03-16 23:08 -------- d-----w- c:\program files\Microsoft Streets & Trips
2010-03-16 23:09 . 2010-03-16 23:08 -------- d-----w- c:\program files\Microsoft Location Finder
2010-03-16 00:09 . 2009-11-25 03:51 -------- d-----w- c:\program files\PCStitch 7
2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-20 04:38 . 2010-02-20 04:38 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2010-02-16 14:08 . 2006-02-28 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 15:46 . 2010-02-12 15:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 15:46 . 2010-02-12 15:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-02-12 04:33 . 2006-02-28 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2006-02-28 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((( [email protected]_00.51.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 06:19 . 2007-11-07 06:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 10:07 . 2008-07-29 10:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 10:07 . 2008-07-29 10:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2010-05-11 01:19 . 2010-05-11 01:19 228352 c:\windows\Installer\f6147.msi
+ 2008-07-29 12:05 . 2008-07-29 12:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 07:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2009-10-10 18:32 203264 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Conime]
2008-04-14 00:12 27648 ----a-w- c:\windows\system32\conime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2010-02-08 16:09 1634304 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-15 18:46 159744 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-15 18:46 135168 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2007-11-01 19:47 1101824 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2007-11-01 19:51 995328 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
2007-09-06 19:53 169264 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-15 18:46 131072 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-08-22 18:33 303104 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-03-09 14:02 26100520 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-09-28 00:26 573440 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wben]
2009-09-24 18:51 338456 ----a-w- c:\program files\Starfield\Desktop Notifier\wben.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery

R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [2/11/2010 3:36 PM 300400]
R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe [2/18/2010 1:23 PM 265728]
S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [12/9/2009 11:21 AM 20096]
.
Contents of the 'Scheduled Tasks' folder

2010-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-11 c:\windows\Tasks\User_Feed_Synchronization-{6D05B59C-29A6-4B50-929C-E9CB78A9A916}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.netflix.com/WiHome
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: Web-Based Email Tools - hxxp://email01.secureserver.net/Download.CAB
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-11 15:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89D18EE4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f19852
\Driver\iaStor -> iaStor.sys @ 0xb9e64184
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel® PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9d5abb0
PacketIndicateHandler -> NDIS.sys @ 0xb9d67a21
SendHandler -> NDIS.sys @ 0xb9d4587b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\WININET.dll
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'lsass.exe'(720)
c:\windows\system32\WININET.dll
.
Completion time: 2010-05-11 15:33:59
ComboFix-quarantined-files.txt 2010-05-11 19:33
ComboFix2.txt 2010-05-11 08:02
ComboFix3.txt 2010-05-11 02:25
ComboFix4.txt 2010-05-11 01:15
ComboFix5.txt 2010-05-11 19:17

Pre-Run: 288,076,005,376 bytes free
Post-Run: 288,063,221,760 bytes free

- - End Of File - - D170EC2C6332AD13ED2414D1611E0435

Edited by Chemwapuwa, 11 May 2010 - 01:51 PM.

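Three lines in the ComboFix log above carry most of the diagnostic weight for a search-redirect case: "Infected copy of ... acpiec.sys was found and disinfected" (the rootkit had patched a legitimate system driver in place), "AntiVirusOverride"=dword:00000001 under the Security Center key (Windows will no longer warn that antivirus is off), and the ">>UNKNOWN [0x89D18EE4]<<" entry in Gmer's "called modules" chain (code sitting in the disk I/O path that belongs to no loaded, named module, even though the MBR itself reads as OK). The following Python script is an added triage helper for this thread, not ComboFix's or Gmer's own code; it runs over a constructed sample built from the same line shapes as the log, tracks which registry key each "name"=value line belongs to, and returns the findings by severity.

```python
"""Triage helper for ComboFix-style logs.

Added example for this thread, not ComboFix's or Gmer's own code. It walks a
log line by line and pulls out the findings a responder cares about in a
search-redirect case: a patched system driver, Windows Security Center
overrides, an unnamed module in the disk I/O path, and open firewall ports.
The sample log below is constructed to mirror the line formats in the thread.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    kind: str      # short machine-friendly label
    detail: str    # human-readable explanation


# Line patterns, modelled on the ComboFix / catchme output shown in the thread.
INFECTED_DRIVER = re.compile(r"^Infected copy of (?P<path>.+?) was found and (?P<action>\w+)", re.I)
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
SC_OVERRIDE = re.compile(r'^"(?P<name>\w+(?:Override|DisableNotify))"=dword:0*1$', re.I)
OPEN_PORT = re.compile(r'^"(?P<port>\d+:(?:TCP|UDP))"=\s*\d+:(?:TCP|UDP):(?P<name>\S+)', re.I)
UNKNOWN_MODULE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<")
MBR_OK = re.compile(r"^user & kernel MBR OK$", re.I)

# Constructed sample: the same line shapes as the ComboFix log in the thread.
SAMPLE_LOG = r"""
Infected copy of c:\windows\system32\drivers\acpiec.sys was found and disinfected
Restored copy from - Kitty had a snack :)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89D18EE4]<<
user & kernel MBR OK
"""


def triage(log_text):
    """Return the security-relevant findings in a ComboFix-style log, in log order."""
    findings = []
    current_key = ""  # registry key that the following "name"=value lines belong to
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = INFECTED_DRIVER.match(line)
        if m:
            # TDSS/TDL3 lives inside a legitimate system driver; restoring the
            # file is only one piece, the in-memory hooks may still be present.
            findings.append(Finding("high", "patched-driver",
                                    f"{m.group('path')} was patched in place ({m.group('action')})"))
            continue
        m = SC_OVERRIDE.match(line)
        if m and "security center" in current_key:
            findings.append(Finding("medium", "security-center-override",
                                    f"{m.group('name')}=1 suppresses Security Center alerts"))
            continue
        m = OPEN_PORT.match(line)
        if m and "globallyopenports" in current_key:
            findings.append(Finding("info", "open-port",
                                    f"firewall exception {m.group('port')} ({m.group('name')})"))
            continue
        m = UNKNOWN_MODULE.search(line)
        if m:
            # Code in the disk call chain that no loaded, named module accounts for.
            findings.append(Finding("high", "unknown-module",
                                    f"unnamed code at {m.group('addr')} in the disk I/O path"))
            continue
        if MBR_OK.match(line):
            findings.append(Finding("info", "mbr-ok",
                                    "MBR clean; does not rule out a driver-level rootkit"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result:
        print(f"[{f.severity:6}] {f.kind}: {f.detail}")
    print(summarize(result))
```

Run it as-is to see the five findings from the sample, or feed it a real ComboFix.txt via `triage(open("ComboFix.txt").read())`. The registry-key tracking matters: an `AntiVirusOverride` value is only meaningful under the Security Center key, so the script ignores the same value name anywhere else, and the "MBR OK" line is deliberately recorded as informational rather than as a clean bill of health, because the unknown-module hook in the same log shows the rootkit living in the driver stack rather than the boot sector.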


#2
RKinner
    Malware Expert, MVP, 23,320 posts

  • Go to this page and Download TDSSKiller.zip to your Desktop.
  • Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
  • Vista Start logo > All Programs > Accessories > RIGHT-click on Command Prompt and select Run As Administrator. Copy/paste the following bolded command and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If TDSSKiller alerts you that the system needs to reboot, please consent.
  • When done, a log file should be created on your C: drive named "TDSSKiller.txt"; please copy and paste the contents in your next reply.

Then run MBAM (Step 1) and OTL (Step 5) from http://www.geekstogo...uide-t2852.html
and copy and paste your logs.

Download but do not yet run ComboFix
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy. :!:

:!: It must be saved to your desktop, do not run it :!:

:!: Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Rename this file -- (call it george.exe ) to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Doubleclick on george to start the program.



* :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your anti-virus program at this time :!:

Use IE or Firefox and go to http://eset.com/onlinescan and click on ESET online Scanner. Accept the terms then press Start (If you get a warning from your browser tell it you want to run it).

  • Check Scan Archives
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push LIST OF THREATS FOUND
  • Push EXPORT TO TEXT FILE, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the BACK button.
  • Push Finish

Also do the BitDefender scan

http://www.bitdefend...nline/free.html

We need to check for Rootkits with RootRepeal
  • Extract RootRepeal.exe from the archive.
  • Open Posted Image on your desktop.
  • Before you run the scan go into Settings, Options, General and move the slider to Middle Level then close the Settings box!
  • Click the Posted Image button.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Ron

#3
Chemwapuwa
    Topic Starter, Member, 21 posts
Thanks for your help Ron. Here is the info you needed.

TDSSKiller Log

22:55:00:468 3836 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
22:55:00:468 3836 ================================================================================
22:55:00:468 3836 SystemInfo:

22:55:00:468 3836 OS Version: 5.1.2600 ServicePack: 3.0
22:55:00:468 3836 Product type: Workstation
22:55:00:468 3836 ComputerName: CHEMWAPU-3E99BA
22:55:00:468 3836 UserName: chemwapuwa
22:55:00:468 3836 Windows directory: C:\WINDOWS
22:55:00:468 3836 Processor architecture: Intel x86
22:55:00:468 3836 Number of processors: 2
22:55:00:468 3836 Page size: 0x1000
22:55:00:468 3836 Boot type: Normal boot
22:55:00:468 3836 ================================================================================
22:55:00:468 3836 UnloadDriverW: NtUnloadDriver error 2
22:55:00:468 3836 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
22:55:00:500 3836 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
22:55:00:500 3836 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
22:55:00:500 3836 wfopen_ex: Trying to KLMD file open
22:55:00:500 3836 wfopen_ex: File opened ok (Flags 2)
22:55:00:500 3836 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
22:55:00:500 3836 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
22:55:00:500 3836 wfopen_ex: Trying to KLMD file open
22:55:00:500 3836 wfopen_ex: File opened ok (Flags 2)
22:55:00:500 3836 Initialize success
22:55:00:500 3836
22:55:00:500 3836 Scanning Services ...
22:55:00:578 3836 Raw services enum returned 340 services
22:55:00:593 3836 Suspicious serv PRAGMApexnmdutio (h: 1, b: 0)
22:55:00:593 3836 Heur detect PRAGMApexnmdutio
22:55:00:593 3836 RegNode HKLM\SYSTEM\ControlSet001\services\PRAGMApexnmdutio infected by TDSS rootkit ... 22:55:00:593 3836 will be deleted on reboot
22:55:00:593 3836 RegNode HKLM\SYSTEM\ControlSet003\services\PRAGMApexnmdutio infected by TDSS rootkit ... 22:55:00:593 3836 will be deleted on reboot
22:55:00:625 3836 File C:\WINDOWS\PRAGMApexnmdutio\PRAGMAd.sys infected by TDSS rootkit ... 22:55:00:625 3836 will be deleted on reboot
22:55:00:625 3836 File C:\WINDOWS\PRAGMApexnmdutio\PRAGMAc.dll infected by TDSS rootkit ... 22:55:00:625 3836 will be deleted on reboot
22:55:00:625 3836 File pragmaserf infected by TDSS rootkit ... 22:55:00:625 3836 will be deleted on reboot
22:55:00:625 3836 File pragmabbr infected by TDSS rootkit ... 22:55:00:625 3836 will be deleted on reboot
22:55:00:625 3836
22:55:00:625 3836 Scanning Kernel memory ...
22:55:00:625 3836 Devices to scan: 2
22:55:00:625 3836
22:55:00:625 3836 Driver Name: Disk
22:55:00:625 3836 IRP_MJ_CREATE : BA10EBB0
22:55:00:625 3836 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
22:55:00:625 3836 IRP_MJ_CLOSE : BA10EBB0
22:55:00:625 3836 IRP_MJ_READ : BA108D1F
22:55:00:625 3836 IRP_MJ_WRITE : BA108D1F
22:55:00:625 3836 IRP_MJ_QUERY_INFORMATION : 804F4562
22:55:00:625 3836 IRP_MJ_SET_INFORMATION : 804F4562
22:55:00:625 3836 IRP_MJ_QUERY_EA : 804F4562
22:55:00:625 3836 IRP_MJ_SET_EA : 804F4562
22:55:00:625 3836 IRP_MJ_FLUSH_BUFFERS : BA1092E2
22:55:00:625 3836 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
22:55:00:625 3836 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
22:55:00:625 3836 IRP_MJ_DIRECTORY_CONTROL : 804F4562
22:55:00:625 3836 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
22:55:00:625 3836 IRP_MJ_DEVICE_CONTROL : BA1093BB
22:55:00:625 3836 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
22:55:00:625 3836 IRP_MJ_SHUTDOWN : BA1092E2
22:55:00:625 3836 IRP_MJ_LOCK_CONTROL : 804F4562
22:55:00:625 3836 IRP_MJ_CLEANUP : 804F4562
22:55:00:625 3836 IRP_MJ_CREATE_MAILSLOT : 804F4562
22:55:00:625 3836 IRP_MJ_QUERY_SECURITY : 804F4562
22:55:00:625 3836 IRP_MJ_SET_SECURITY : 804F4562
22:55:00:625 3836 IRP_MJ_POWER : BA10AC82
22:55:00:625 3836 IRP_MJ_SYSTEM_CONTROL : BA10F99E
22:55:00:625 3836 IRP_MJ_DEVICE_CHANGE : 804F4562
22:55:00:625 3836 IRP_MJ_QUERY_QUOTA : 804F4562
22:55:00:625 3836 IRP_MJ_SET_QUOTA : 804F4562
22:55:00:671 3836 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
22:55:00:671 3836
22:55:00:671 3836 Driver Name: iaStor
22:55:00:671 3836 IRP_MJ_CREATE : 89CEAEE4
22:55:00:671 3836 IRP_MJ_CREATE_NAMED_PIPE : 89CEAEE4
22:55:00:671 3836 IRP_MJ_CLOSE : 89CEAEE4
22:55:00:671 3836 IRP_MJ_READ : 89CEAEE4
22:55:00:671 3836 IRP_MJ_WRITE : 89CEAEE4
22:55:00:671 3836 IRP_MJ_QUERY_INFORMATION : 89CEAEE4
22:55:00:671 3836 IRP_MJ_SET_INFORMATION : 89CEAEE4
22:55:00:671 3836 IRP_MJ_QUERY_EA : 89CEAEE4
22:55:00:671 3836 IRP_MJ_SET_EA : 89CEAEE4
22:55:00:671 3836 IRP_MJ_FLUSH_BUFFERS : 89CEAEE4
22:55:00:671 3836 IRP_MJ_QUERY_VOLUME_INFORMATION : 89CEAEE4
22:55:00:671 3836 IRP_MJ_SET_VOLUME_INFORMATION : 89CEAEE4
22:55:00:671 3836 IRP_MJ_DIRECTORY_CONTROL : 89CEAEE4
22:55:00:671 3836 IRP_MJ_FILE_SYSTEM_CONTROL : 89CEAEE4
22:55:00:671 3836 IRP_MJ_DEVICE_CONTROL : 89CEAEE4
22:55:00:671 3836 IRP_MJ_INTERNAL_DEVICE_CONTROL : 89CEAEE4
22:55:00:671 3836 IRP_MJ_SHUTDOWN : 89CEAEE4
22:55:00:671 3836 IRP_MJ_LOCK_CONTROL : 89CEAEE4
22:55:00:671 3836 IRP_MJ_CLEANUP : 89CEAEE4
22:55:00:671 3836 IRP_MJ_CREATE_MAILSLOT : 89CEAEE4
22:55:00:671 3836 IRP_MJ_QUERY_SECURITY : 89CEAEE4
22:55:00:671 3836 IRP_MJ_SET_SECURITY : 89CEAEE4
22:55:00:671 3836 IRP_MJ_POWER : 89CEAEE4
22:55:00:671 3836 IRP_MJ_SYSTEM_CONTROL : 89CEAEE4
22:55:00:671 3836 IRP_MJ_DEVICE_CHANGE : 89CEAEE4
22:55:00:671 3836 IRP_MJ_QUERY_QUOTA : 89CEAEE4
22:55:00:671 3836 IRP_MJ_SET_QUOTA : 89CEAEE4
22:55:00:671 3836 Driver "iaStor" infected by TDSS rootkit!
22:55:00:718 3836 C:\WINDOWS\system32\DRIVERS\iaStor.sys - Verdict: 1
22:55:00:718 3836 File "C:\WINDOWS\system32\DRIVERS\iaStor.sys" infected by TDSS rootkit ... 22:55:00:718 3836 Processing driver file: C:\WINDOWS\system32\DRIVERS\iaStor.sys
22:55:00:718 3836 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
22:55:00:859 3836 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3
22:55:01:812 3836 !fdfb7
22:55:01:828 3836 vfvi6
22:55:01:906 3836 !dsvbh1
22:55:02:046 3836 dsvbh2
22:55:02:046 3836 Backup copy2 found, using it..
22:55:02:062 3836 will be cured on next reboot
22:55:02:062 3836 Reboot required for cure complete..
22:55:02:062 3836 Cure on reboot scheduled successfully
22:55:02:062 3836
22:55:02:062 3836 Completed
22:55:02:062 3836
22:55:02:062 3836 Results:
22:55:02:062 3836 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
22:55:02:062 3836 Registry objects infected / cured / cured on reboot: 2 / 0 / 2
22:55:02:062 3836 File objects infected / cured / cured on reboot: 5 / 0 / 5
22:55:02:062 3836
22:55:02:062 3836 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
22:55:02:062 3836 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
22:55:02:078 3836 UnloadDriverW: NtUnloadDriver error 1
22:55:02:078 3836 KLMD(ARK) unloaded successfully


___________________________________________________________________________________

Malwarebytes Log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4105

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/15/2010 11:06:42 PM
mbam-log-2010-05-15 (23-06-42).txt

Scan type: Quick scan
Objects scanned: 122215
Time elapsed: 6 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Data Protection (Rogue.DataProtection) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\PRAGMApexnmdutio (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\Data Protection (Rogue.DataProtection) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\chemwapuwa\Local Settings\temp\asd6.tmp.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\chemwapuwa\Local Settings\temp\asd7.tmp.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\chemwapuwa\Local Settings\temp\asd8.tmp.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\chemwapuwa\Local Settings\temp\dmadmin.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\chemwapuwa\Local Settings\temp\kernel64xp.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\chemwapuwa\Local Settings\temp\PRAGMAa161.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\chemwapuwa\Local Settings\temp\wscsvc32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\chemwapuwa\Local Settings\Temporary Internet Files\Content.IE5\6TKI1INM\update[1].exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\chemwapuwa\Local Settings\Temporary Internet Files\Content.IE5\AO64AOWZ\391-direct[1].ex (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMApexnmdutio\pragmabbr.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMApexnmdutio\PRAGMAcfg.ini (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMApexnmdutio\pragmaserf.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMApexnmdutio\PRAGMAsrcr.dat (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\chemwapuwa\Local Settings\temp\pragmamainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.


______________________________________________________________________________

OTL Results
  • 0

#4
RKinner

RKinner

    Malware Expert

  • Expert
  • 23,320 posts
  • MVP
Run TDSSKiller again and post the new log.

Ron
  • 0

#5
Chemwapuwa

Chemwapuwa

    Member

  • Topic Starter
  • Member
  • 21 posts
Ron, here is everything you wanted me to do. Should I still do the TDSSKiller scan?

TDSSKiller Log

22:55:00:468 3836 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
22:55:00:468 3836 ================================================================================
22:55:00:468 3836 SystemInfo:

22:55:00:468 3836 OS Version: 5.1.2600 ServicePack: 3.0
22:55:00:468 3836 Product type: Workstation
22:55:00:468 3836 ComputerName: CHEMWAPU-3E99BA
22:55:00:468 3836 UserName: chemwapuwa
22:55:00:468 3836 Windows directory: C:\WINDOWS
22:55:00:468 3836 Processor architecture: Intel x86
22:55:00:468 3836 Number of processors: 2
22:55:00:468 3836 Page size: 0x1000
22:55:00:468 3836 Boot type: Normal boot
22:55:00:468 3836 ================================================================================
22:55:00:468 3836 UnloadDriverW: NtUnloadDriver error 2
22:55:00:468 3836 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
22:55:00:500 3836 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
22:55:00:500 3836 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
22:55:00:500 3836 wfopen_ex: Trying to KLMD file open
22:55:00:500 3836 wfopen_ex: File opened ok (Flags 2)
22:55:00:500 3836 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
22:55:00:500 3836 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
22:55:00:500 3836 wfopen_ex: Trying to KLMD file open
22:55:00:500 3836 wfopen_ex: File opened ok (Flags 2)
22:55:00:500 3836 Initialize success
22:55:00:500 3836
22:55:00:500 3836 Scanning Services ...
22:55:00:578 3836 Raw services enum returned 340 services
22:55:00:593 3836 Suspicious serv PRAGMApexnmdutio (h: 1, b: 0)
22:55:00:593 3836 Heur detect PRAGMApexnmdutio
22:55:00:593 3836 RegNode HKLM\SYSTEM\ControlSet001\services\PRAGMApexnmdutio infected by TDSS rootkit ... 22:55:00:593 3836 will be deleted on reboot
22:55:00:593 3836 RegNode HKLM\SYSTEM\ControlSet003\services\PRAGMApexnmdutio infected by TDSS rootkit ... 22:55:00:593 3836 will be deleted on reboot
22:55:00:625 3836 File C:\WINDOWS\PRAGMApexnmdutio\PRAGMAd.sys infected by TDSS rootkit ... 22:55:00:625 3836 will be deleted on reboot
22:55:00:625 3836 File C:\WINDOWS\PRAGMApexnmdutio\PRAGMAc.dll infected by TDSS rootkit ... 22:55:00:625 3836 will be deleted on reboot
22:55:00:625 3836 File pragmaserf infected by TDSS rootkit ... 22:55:00:625 3836 will be deleted on reboot
22:55:00:625 3836 File pragmabbr infected by TDSS rootkit ... 22:55:00:625 3836 will be deleted on reboot
22:55:00:625 3836
22:55:00:625 3836 Scanning Kernel memory ...
22:55:00:625 3836 Devices to scan: 2
22:55:00:625 3836
22:55:00:625 3836 Driver Name: Disk
22:55:00:625 3836 IRP_MJ_CREATE : BA10EBB0
22:55:00:625 3836 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
22:55:00:625 3836 IRP_MJ_CLOSE : BA10EBB0
22:55:00:625 3836 IRP_MJ_READ : BA108D1F
22:55:00:625 3836 IRP_MJ_WRITE : BA108D1F
22:55:00:625 3836 IRP_MJ_QUERY_INFORMATION : 804F4562
22:55:00:625 3836 IRP_MJ_SET_INFORMATION : 804F4562
22:55:00:625 3836 IRP_MJ_QUERY_EA : 804F4562
22:55:00:625 3836 IRP_MJ_SET_EA : 804F4562
22:55:00:625 3836 IRP_MJ_FLUSH_BUFFERS : BA1092E2
22:55:00:625 3836 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
22:55:00:625 3836 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
22:55:00:625 3836 IRP_MJ_DIRECTORY_CONTROL : 804F4562
22:55:00:625 3836 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
22:55:00:625 3836 IRP_MJ_DEVICE_CONTROL : BA1093BB
22:55:00:625 3836 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
22:55:00:625 3836 IRP_MJ_SHUTDOWN : BA1092E2
22:55:00:625 3836 IRP_MJ_LOCK_CONTROL : 804F4562
22:55:00:625 3836 IRP_MJ_CLEANUP : 804F4562
22:55:00:625 3836 IRP_MJ_CREATE_MAILSLOT : 804F4562
22:55:00:625 3836 IRP_MJ_QUERY_SECURITY : 804F4562
22:55:00:625 3836 IRP_MJ_SET_SECURITY : 804F4562
22:55:00:625 3836 IRP_MJ_POWER : BA10AC82
22:55:00:625 3836 IRP_MJ_SYSTEM_CONTROL : BA10F99E
22:55:00:625 3836 IRP_MJ_DEVICE_CHANGE : 804F4562
22:55:00:625 3836 IRP_MJ_QUERY_QUOTA : 804F4562
22:55:00:625 3836 IRP_MJ_SET_QUOTA : 804F4562
22:55:00:671 3836 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
22:55:00:671 3836
22:55:00:671 3836 Driver Name: iaStor
22:55:00:671 3836 IRP_MJ_CREATE : 89CEAEE4
22:55:00:671 3836 IRP_MJ_CREATE_NAMED_PIPE : 89CEAEE4
22:55:00:671 3836 IRP_MJ_CLOSE : 89CEAEE4
22:55:00:671 3836 IRP_MJ_READ : 89CEAEE4
22:55:00:671 3836 IRP_MJ_WRITE : 89CEAEE4
22:55:00:671 3836 IRP_MJ_QUERY_INFORMATION : 89CEAEE4
22:55:00:671 3836 IRP_MJ_SET_INFORMATION : 89CEAEE4
22:55:00:671 3836 IRP_MJ_QUERY_EA : 89CEAEE4
22:55:00:671 3836 IRP_MJ_SET_EA : 89CEAEE4
22:55:00:671 3836 IRP_MJ_FLUSH_BUFFERS : 89CEAEE4
22:55:00:671 3836 IRP_MJ_QUERY_VOLUME_INFORMATION : 89CEAEE4
22:55:00:671 3836 IRP_MJ_SET_VOLUME_INFORMATION : 89CEAEE4
22:55:00:671 3836 IRP_MJ_DIRECTORY_CONTROL : 89CEAEE4
22:55:00:671 3836 IRP_MJ_FILE_SYSTEM_CONTROL : 89CEAEE4
22:55:00:671 3836 IRP_MJ_DEVICE_CONTROL : 89CEAEE4
22:55:00:671 3836 IRP_MJ_INTERNAL_DEVICE_CONTROL : 89CEAEE4
22:55:00:671 3836 IRP_MJ_SHUTDOWN : 89CEAEE4
22:55:00:671 3836 IRP_MJ_LOCK_CONTROL : 89CEAEE4
22:55:00:671 3836 IRP_MJ_CLEANUP : 89CEAEE4
22:55:00:671 3836 IRP_MJ_CREATE_MAILSLOT : 89CEAEE4
22:55:00:671 3836 IRP_MJ_QUERY_SECURITY : 89CEAEE4
22:55:00:671 3836 IRP_MJ_SET_SECURITY : 89CEAEE4
22:55:00:671 3836 IRP_MJ_POWER : 89CEAEE4
22:55:00:671 3836 IRP_MJ_SYSTEM_CONTROL : 89CEAEE4
22:55:00:671 3836 IRP_MJ_DEVICE_CHANGE : 89CEAEE4
22:55:00:671 3836 IRP_MJ_QUERY_QUOTA : 89CEAEE4
22:55:00:671 3836 IRP_MJ_SET_QUOTA : 89CEAEE4
22:55:00:671 3836 Driver "iaStor" infected by TDSS rootkit!
22:55:00:718 3836 C:\WINDOWS\system32\DRIVERS\iaStor.sys - Verdict: 1
22:55:00:718 3836 File "C:\WINDOWS\system32\DRIVERS\iaStor.sys" infected by TDSS rootkit ... 22:55:00:718 3836 Processing driver file: C:\WINDOWS\system32\DRIVERS\iaStor.sys
22:55:00:718 3836 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
22:55:00:859 3836 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3
22:55:01:812 3836 !fdfb7
22:55:01:828 3836 vfvi6
22:55:01:906 3836 !dsvbh1
22:55:02:046 3836 dsvbh2
22:55:02:046 3836 Backup copy2 found, using it..
22:55:02:062 3836 will be cured on next reboot
22:55:02:062 3836 Reboot required for cure complete..
22:55:02:062 3836 Cure on reboot scheduled successfully
22:55:02:062 3836
22:55:02:062 3836 Completed
22:55:02:062 3836
22:55:02:062 3836 Results:
22:55:02:062 3836 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
22:55:02:062 3836 Registry objects infected / cured / cured on reboot: 2 / 0 / 2
22:55:02:062 3836 File objects infected / cured / cured on reboot: 5 / 0 / 5
22:55:02:062 3836
22:55:02:062 3836 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
22:55:02:062 3836 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
22:55:02:078 3836 UnloadDriverW: NtUnloadDriver error 1
22:55:02:078 3836 KLMD(ARK) unloaded successfully


___________________________________________________________________________________

Malwarebytes Log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4105

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/15/2010 11:06:42 PM
mbam-log-2010-05-15 (23-06-42).txt

Scan type: Quick scan
Objects scanned: 122215
Time elapsed: 6 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Data Protection (Rogue.DataProtection) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\PRAGMApexnmdutio (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Program Files\Data Protection (Rogue.DataProtection) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\chemwapuwa\Local Settings\temp\asd6.tmp.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\chemwapuwa\Local Settings\temp\asd7.tmp.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\chemwapuwa\Local Settings\temp\asd8.tmp.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\chemwapuwa\Local Settings\temp\dmadmin.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\chemwapuwa\Local Settings\temp\kernel64xp.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\chemwapuwa\Local Settings\temp\PRAGMAa161.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\chemwapuwa\Local Settings\temp\wscsvc32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\chemwapuwa\Local Settings\Temporary Internet Files\Content.IE5\6TKI1INM\update[1].exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\chemwapuwa\Local Settings\Temporary Internet Files\Content.IE5\AO64AOWZ\391-direct[1].ex (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMApexnmdutio\pragmabbr.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMApexnmdutio\PRAGMAcfg.ini (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMApexnmdutio\pragmaserf.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMApexnmdutio\PRAGMAsrcr.dat (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\chemwapuwa\Local Settings\temp\pragmamainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.


______________________________________________________________________________

OTL Results


OTL logfile created on: 5/15/2010 11:24:41 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\chemwapuwa\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 267.89 Gb Free Space | 89.87% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CHEMWAPU-3E99BA
Current User Name: chemwapuwa
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/15 22:48:17 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\chemwapuwa\Desktop\OTL.exe
PRC - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/02/18 13:23:54 | 000,265,728 | ---- | M] (Livescribe) -- C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
PRC - [2010/02/11 15:36:12 | 000,300,400 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
PRC - [2010/02/08 12:09:00 | 001,634,304 | ---- | M] (Eastman Kodak Company) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
PRC - [2009/09/28 10:42:50 | 000,109,056 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/01 16:00:50 | 000,794,624 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2007/11/01 15:40:04 | 001,183,744 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2007/11/01 15:35:40 | 000,483,328 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2007/09/28 13:24:36 | 000,156,976 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Maxtor\Sync\SyncServices.exe
PRC - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe


========== Modules (SafeList) ==========

MOD - [2010/05/15 22:48:17 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\chemwapuwa\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (RoxLiveShare9)
SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/02/18 13:23:54 | 000,265,728 | ---- | M] (Livescribe) [Auto | Running] -- C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe -- (PenCommService)
SRV - [2010/02/11 15:36:12 | 000,300,400 | ---- | M] (Eastman Kodak Company) [Auto | Running] -- C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe -- (Kodak AiO Network Discovery Service)
SRV - [2009/11/13 16:13:04 | 000,238,328 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2009/09/28 10:42:50 | 000,109,056 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2007/11/01 16:00:50 | 000,794,624 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2007/11/01 15:40:04 | 001,183,744 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2007/11/01 15:35:40 | 000,483,328 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2007/09/28 13:24:36 | 000,156,976 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Maxtor\Sync\SyncServices.exe -- (Maxtor Sync Service)
SRV - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2005/03/14 13:05:02 | 000,069,632 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2010/05/15 22:55:52 | 000,250,368 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2009/11/17 14:46:28 | 000,020,096 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PulseUsb.sys -- (PulseUsb)
DRV - [2009/07/13 16:51:12 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2008/04/13 12:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/15 15:12:06 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2007/12/06 11:51:00 | 000,285,952 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2007/10/31 12:23:20 | 002,236,544 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel®
DRV - [2007/08/27 13:10:36 | 000,012,288 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2007/05/03 14:37:08 | 000,022,152 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxopswd.sys -- (MXOPSWD)
DRV - [2006/09/27 20:26:00 | 000,893,952 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial)
DRV - [2006/08/22 14:39:14 | 001,177,864 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/WiHome
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/04/29 18:56:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins
FF - HKLM\software\mozilla\SeaMonkey 2.0.4\extensions\\Components: C:\Program Files\SeaMonkey\components [2010/04/29 19:00:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\SeaMonkey 2.0.4\extensions\\Plugins: C:\Program Files\SeaMonkey\plugins [2010/04/29 18:59:05 | 000,000,000 | ---D | M]

[2010/05/10 20:59:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chemwapuwa\Application Data\Mozilla\Extensions
[2010/04/29 19:00:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\chemwapuwa\Application Data\Mozilla\Extensions\{92650c4d-4b8e-4d2a-b7eb-24ecf4f6b63a}
[2010/04/29 19:00:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chemwapuwa\Application Data\Mozilla\SeaMonkey\Profiles\fb2a3ruj.default\extensions

O1 HOSTS File: ([2006/02/28 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O4 - HKLM..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe (Eastman Kodak Company)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} http://intel-drv-cdn...reqlab_srlx.cab (System Requirements Lab Class)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.aka...vex-2.2.5.0.cab (DLM Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1253146200484 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1255835661312 (MUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2....re/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} http://support.gatew...rvest/gwCID.CAB (compid Class)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} http://mobileapps.bl...re/AxLoader.cab (RIM AxLoader)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Web-Based Email Tools http://email01.secur...et/Download.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 65.175.128.46 65.175.128.47
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/19 20:08:14 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/05/15 22:58:47 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/15 22:58:46 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/15 22:58:46 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/15 22:51:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Desktop\tdsskiller
[2010/05/15 22:49:47 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/15 22:48:13 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\chemwapuwa\Desktop\OTL.exe
[2010/05/15 19:47:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2010/05/15 02:00:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/05/15 02:00:18 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/05/11 15:34:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/05/11 14:54:38 | 002,131,808 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\chemwapuwa\Desktop\avg_free_stb_all_9_114_cnet.exe
[2010/05/10 23:08:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2010/05/10 21:27:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\Threat Expert
[2010/05/10 21:18:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/05/10 20:37:32 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/05/10 20:32:45 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/10 20:32:45 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/05/10 20:32:45 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/05/10 20:32:45 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/10 20:32:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/10 20:32:06 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/10 20:19:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Application Data\Malwarebytes
[2010/05/10 20:19:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/10 19:57:41 | 006,153,384 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\chemwapuwa\Desktop\mbam-setup.exe
[2010/05/09 16:08:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/09 16:08:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/05 20:19:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\My Documents\Downloads
[2010/04/29 19:00:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\Mozilla
[2010/04/29 19:00:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Application Data\Mozilla
[2010/04/29 18:59:04 | 000,000,000 | ---D | C] -- C:\Program Files\SeaMonkey
[2010/04/29 18:56:47 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Thunderbird
[2010/04/29 17:57:54 | 000,000,000 | ---D | C] -- C:\i3dthemes
[2010/04/29 17:48:44 | 000,000,000 | ---D | C] -- C:\Program Files\Starfield
[2010/04/29 17:27:15 | 000,000,000 | ---D | C] -- C:\Program Files\LTMOD
[2010/04/29 17:25:35 | 000,000,000 | ---D | C] -- C:\FrontPage Tools
[2010/04/29 17:25:20 | 000,720,896 | ---- | C] (Indigo Rose Corporation) -- C:\WINDOWS\iun6002.exe
[2010/04/29 17:25:17 | 000,000,000 | ---D | C] -- C:\Program Files\NetPlugin Tags
[2010/04/29 17:24:32 | 000,313,856 | ---- | C] (Softuarium) -- C:\WINDOWS\System32\xwebpic.ocx
[2010/04/29 17:24:32 | 000,073,728 | ---- | C] (DPA Software) -- C:\WINDOWS\System32\DPARTL.dll
[2010/04/29 17:24:32 | 000,049,152 | ---- | C] (DPA Software) -- C:\WINDOWS\System32\DPAMenu.dll
[2010/04/29 17:24:32 | 000,000,000 | ---D | C] -- C:\Program Files\DPA Software
[2010/04/29 17:05:57 | 000,000,000 | ---D | C] -- C:\FPTemplates
[2010/04/29 17:04:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Desktop\websuits
[2010/04/29 16:58:47 | 000,000,000 | --SD | C] -- C:\Documents and Settings\chemwapuwa\My Documents\My Webs
[2010/04/26 14:21:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Desktop\comp
[2010/04/24 18:47:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
[2010/04/24 18:46:18 | 000,000,000 | ---D | C] -- C:\Program Files\Canon
[2010/04/23 11:05:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Desktop\shendee
[2010/04/21 23:49:24 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/04/21 23:49:20 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/04/21 23:49:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/04/21 23:47:14 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/04/21 23:45:21 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/04/18 20:59:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\HuluDesktop
[2010/04/18 20:59:42 | 000,888,928 | ---- | C] (Hulu) -- C:\Documents and Settings\chemwapuwa\Desktop\HuluDesktopSetup.exe
[2010/04/17 11:08:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\kodak
[2010/04/17 11:06:20 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 6.0
[2010/04/17 10:17:20 | 000,000,000 | ---D | C] -- C:\Program Files\MSECache
[2010/03/28 21:54:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Application Data\Google
[2010/03/28 21:32:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\Temp
[2010/03/28 21:32:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/03/28 21:28:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Application Data\skypePM
[2010/03/28 21:27:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010/03/28 21:27:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\Google
[2010/03/28 21:27:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Application Data\Skype
[2010/03/28 21:27:14 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2010/03/28 21:26:52 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2010/03/28 21:26:50 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2010/03/28 21:26:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype
[2010/03/28 21:22:04 | 000,000,000 | ---D | C] -- C:\Program Files\Code Laboratories
[2010/03/25 21:23:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Application Data\Alawar
[2010/03/25 21:21:55 | 000,000,000 | ---D | C] -- C:\Program Files\WildGames
[2010/03/25 21:15:33 | 034,512,784 | ---- | C] (WildTangent) -- C:\Documents and Settings\chemwapuwa\My Documents\hyperballoidthenextchallenge-setup.exe
[2010/03/25 18:24:00 | 000,000,000 | ---D | C] -- C:\Program Files\Livescribe
[2010/03/22 13:34:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\Help
[2010/03/22 13:34:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Application Data\Help
[2010/03/22 13:28:51 | 000,317,952 | ---- | C] (Blue Sky Software Corporation.) -- C:\WINDOWS\Roboex32.dll
[2010/03/22 13:26:42 | 000,000,000 | ---D | C] -- C:\Program Files\ALK Technologies
[2010/03/22 10:43:42 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\chemwapuwa\Desktop\TDSSKiller.exe
[2010/03/16 19:08:42 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Streets & Trips
[2010/03/16 19:08:42 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Location Finder
[2010/03/16 17:06:34 | 014,506,016 | ---- | C] (WildTangent) -- C:\Documents and Settings\chemwapuwa\My Documents\strikeball2-setup.exe
[2010/02/27 13:08:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Application Data\Canon
[2010/02/27 13:07:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\CANON_INC
[2010/02/21 15:22:35 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Canon
[2010/02/20 00:45:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/05/15 23:25:12 | 004,194,304 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\ntuser.dat
[2010/05/15 23:10:36 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/15 23:10:34 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/15 23:09:35 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\chemwapuwa\ntuser.ini
[2010/05/15 22:58:50 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/15 22:56:25 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/15 22:51:50 | 000,178,000 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\chemwapuwa\Desktop\TDSSKiller.exe
[2010/05/15 22:48:17 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\chemwapuwa\Desktop\OTL.exe
[2010/05/15 22:47:44 | 006,153,384 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\chemwapuwa\Desktop\mbam-setup.exe
[2010/05/15 22:44:18 | 000,464,491 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\RootRepeal.zip
[2010/05/15 22:43:19 | 003,689,423 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\george.exe
[2010/05/15 22:29:27 | 000,154,469 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\tdsskiller.zip
[2010/05/15 22:25:54 | 000,000,638 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/15 22:25:54 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/05/15 22:25:54 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/15 22:11:51 | 000,000,432 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{6D05B59C-29A6-4B50-929C-E9CB78A9A916}.job
[2010/05/15 02:12:38 | 000,000,173 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/11 14:54:50 | 002,131,808 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\chemwapuwa\Desktop\avg_free_stb_all_9_114_cnet.exe
[2010/05/09 16:12:57 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/05/08 16:13:10 | 000,264,478 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\bingo may2010.pdf
[2010/05/05 21:50:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/29 19:03:58 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010/04/29 18:59:07 | 000,001,564 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SeaMonkey.lnk
[2010/04/29 18:56:49 | 000,001,668 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Thunderbird.lnk
[2010/04/29 17:25:08 | 000,720,896 | ---- | M] (Indigo Rose Corporation) -- C:\WINDOWS\iun6002.exe
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/28 13:27:00 | 000,000,440 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\001_02.jpg
[2010/04/28 13:27:00 | 000,000,350 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\bullet_03.jpg
[2010/04/27 16:29:08 | 000,205,824 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mb
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/24 18:47:18 | 000,000,923 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ZoomBrowser EX.lnk
[2010/04/24 18:47:01 | 000,000,762 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Picture Style Editor.lnk
[2010/04/24 18:46:37 | 000,000,732 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\EOS Utility.lnk
[2010/04/24 18:46:19 | 000,000,797 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Digital Photo Professional.lnk
[2010/04/23 19:57:12 | 000,346,112 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mbb
[2010/04/23 12:59:20 | 000,057,312 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/04/21 23:49:45 | 000,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/04/21 23:47:23 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/04/18 20:59:54 | 000,002,014 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\Hulu Desktop.lnk
[2010/04/18 20:59:47 | 000,888,928 | ---- | M] (Hulu) -- C:\Documents and Settings\chemwapuwa\Desktop\HuluDesktopSetup.exe
[2010/04/17 11:11:53 | 000,275,760 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/17 11:10:00 | 000,000,775 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\KODAK AiO Home Center.lnk
[2010/04/17 11:03:53 | 000,072,480 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/16 20:15:20 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/16 12:59:51 | 000,048,253 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\jobsearch0301-0312.pdf
[2010/04/12 15:07:55 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\123 L 123 2007 tax audit.doc
[2010/03/28 21:28:26 | 000,000,056 | -H-- | M] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/03/28 21:26:52 | 000,001,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/03/28 21:23:10 | 000,000,899 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\CL-Eye Test.lnk
[2010/03/28 21:23:08 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_WinUSB_01009.Wdf
[2010/03/28 21:23:01 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2010/03/28 21:22:06 | 000,074,752 | ---- | M] () -- C:\WINDOWS\System32\CLEyeDevices.dll
[2010/03/28 16:18:18 | 004,292,024 | -H-- | M] () -- C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\IconCache.db
[2010/03/25 21:22:31 | 000,001,791 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Play Strike Ball 2.lnk
[2010/03/25 21:18:52 | 034,512,784 | ---- | M] (WildTangent) -- C:\Documents and Settings\chemwapuwa\My Documents\hyperballoidthenextchallenge-setup.exe
[2010/03/25 21:04:27 | 014,506,016 | ---- | M] (WildTangent) -- C:\Documents and Settings\chemwapuwa\My Documents\strikeball2-setup.exe
[2010/03/25 18:24:03 | 000,000,927 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Livescribe Desktop.lnk
[2010/03/23 12:36:23 | 000,013,824 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\trip locas.xls
[2010/03/22 13:28:54 | 000,001,775 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PCMILER 20 Guided Tour.lnk
[2010/03/22 13:28:54 | 000,001,768 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PCMILER 20 User's Guide.lnk
[2010/03/22 13:28:54 | 000,000,899 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PCMILER 20.lnk
[2010/03/22 13:00:32 | 000,510,584 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/22 13:00:32 | 000,435,828 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/22 13:00:32 | 000,068,558 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/20 10:11:21 | 001,886,106 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\bingo_calendar_march_2010.pdf
[2010/03/16 20:14:32 | 000,016,384 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\pt chrt.xls
[2010/03/16 19:08:20 | 000,030,720 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\2007 tax audit.xls
[2010/03/16 16:42:35 | 000,372,785 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\Hard_Mazes_Set_6.pdf
[2010/03/16 16:41:42 | 000,048,894 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\Easy_Mazes_Set_4.pdf
[2010/03/16 16:41:05 | 000,048,809 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\Easy_Mazes_Set_3.pdf
[2010/03/16 16:08:24 | 000,644,395 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\Difficult_Mazes_Set_1.pdf
[2010/03/16 11:37:00 | 001,217,552 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\p1542--2008.pdf
[2010/03/16 11:35:47 | 001,152,673 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\p1542--2007.pdf
[2010/03/15 20:07:57 | 010,232,486 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\round maze.bmp
[2010/03/15 19:23:14 | 000,004,859 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\maze50.png
[2010/03/15 19:21:40 | 000,039,888 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\maze1.jpg
[2010/03/15 14:16:07 | 000,058,222 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\Snapshot 2010-03-14 23-30-28.tiff
[2010/03/15 01:46:10 | 000,064,876 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\attachments_2010_03_15.zip
[2010/03/14 22:46:00 | 001,367,262 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\Snapshot 2010-03-14 23-30-28dx.tiff
[2010/03/10 11:51:02 | 000,039,424 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\123 L.doc
[2010/03/05 18:07:36 | 000,104,148 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\t123 AIG Stubs 122709 - 021310.zip
[2010/03/05 18:06:29 | 000,081,511 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\t123 AIG Stubs 122709 - 021310.pdf
[2010/03/04 11:51:46 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\To whom it may concern.doc
[2010/03/02 11:56:41 | 000,109,058 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\TaxReturn123.pdf
[2010/02/28 20:47:09 | 000,078,336 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\hand and foot.doc
[2010/02/21 19:16:06 | 006,758,756 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\bessanlisa income info.tif
[2010/02/21 19:15:51 | 001,323,393 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\bessanlisa income info.pdf
[2010/02/20 02:38:40 | 003,274,140 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\sead ggoyrds.pdf
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/15 22:58:50 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/15 22:44:16 | 000,464,491 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\RootRepeal.zip
[2010/05/15 22:43:08 | 003,689,423 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\george.exe
[2010/05/15 22:29:24 | 000,154,469 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\tdsskiller.zip
[2010/05/15 02:12:38 | 000,000,173 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/10 20:37:36 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/05/10 20:37:32 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/05/10 20:32:45 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/10 20:32:45 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/10 20:32:45 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/05/10 20:32:45 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/10 20:32:45 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/08 16:13:10 | 000,264,478 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\bingo may2010.pdf
[2010/05/05 18:17:26 | 004,194,304 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\ntuser.dat
[2010/04/29 19:03:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/04/29 18:59:07 | 000,001,564 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SeaMonkey.lnk
[2010/04/29 18:56:49 | 000,001,668 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Thunderbird.lnk
[2010/04/28 13:28:33 | 000,000,350 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\bullet_03.jpg
[2010/04/28 13:28:27 | 000,000,440 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\001_02.jpg
[2010/04/24 18:47:18 | 000,000,923 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\ZoomBrowser EX.lnk
[2010/04/24 18:47:01 | 000,000,762 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Picture Style Editor.lnk
[2010/04/24 18:46:37 | 000,000,732 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\EOS Utility.lnk
[2010/04/24 18:46:19 | 000,000,797 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Digital Photo Professional.lnk
[2010/04/23 12:59:20 | 000,057,312 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/04/21 23:49:45 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/04/21 23:47:23 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/04/18 20:59:54 | 000,002,014 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\Hulu Desktop.lnk
[2010/04/17 11:10:00 | 000,000,775 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\KODAK AiO Home Center.lnk
[2010/04/16 12:59:48 | 000,048,253 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\jobsearch0301-0312.pdf
[2010/04/08 15:59:40 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\123 L 123 2007 tax audit.doc
[2010/03/28 21:28:26 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/03/28 21:26:52 | 000,001,878 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/03/28 21:23:10 | 000,000,899 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\CL-Eye Test.lnk
[2010/03/28 21:23:08 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_WinUSB_01009.Wdf
[2010/03/28 21:23:01 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2010/03/28 21:22:04 | 000,074,752 | ---- | C] () -- C:\WINDOWS\System32\CLEyeDevices.dll
[2010/03/25 21:22:31 | 000,001,791 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Play Strike Ball 2.lnk
[2010/03/25 18:24:03 | 000,000,927 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Livescribe Desktop.lnk
[2010/03/23 12:36:23 | 000,013,824 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\trip locas.xls
[2010/03/22 13:28:54 | 000,001,775 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PCMILER 20 Guided Tour.lnk
[2010/03/22 13:28:54 | 000,001,768 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PCMILER 20 User's Guide.lnk
[2010/03/22 13:28:54 | 000,000,899 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PCMILER 20.lnk
[2010/03/20 10:11:21 | 001,886,106 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\bingo_calendar_march_2010.pdf
[2010/03/16 19:32:05 | 000,016,384 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\pt chrt.xls
[2010/03/16 16:42:32 | 000,372,785 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\Hard_Mazes_Set_6.pdf
[2010/03/16 16:41:41 | 000,048,894 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\Easy_Mazes_Set_4.pdf
[2010/03/16 16:41:05 | 000,048,809 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\Easy_Mazes_Set_3.pdf
[2010/03/16 16:08:19 | 000,644,395 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\Difficult_Mazes_Set_1.pdf
[2010/03/16 11:37:12 | 000,030,720 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\2007 tax audit.xls
[2010/03/16 11:37:00 | 001,217,552 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\p1542--2008.pdf
[2010/03/16 11:35:47 | 001,152,673 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\p1542--2007.pdf
[2010/03/15 20:07:57 | 010,232,486 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\round maze.bmp
[2010/03/15 19:23:54 | 000,004,859 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\maze50.png
[2010/03/15 19:22:25 | 000,039,888 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\maze1.jpg
[2010/03/15 01:46:31 | 001,367,262 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\Snapshot 2010-03-14 23-30-28dx.tiff
[2010/03/15 01:46:31 | 000,058,222 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\Snapshot 2010-03-14 23-30-28.tiff
[2010/03/15 01:46:10 | 000,064,876 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\attachments_2010_03_15.zip
[2010/03/10 11:51:01 | 000,039,424 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\123 L.doc
[2010/03/05 18:07:35 | 000,104,148 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\t123123 AIG Stubs 122709 - 021310.zip
[2010/03/05 18:06:29 | 000,081,511 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\t123 AIG Stubs 122709 - 021310.pdf
[2010/03/05 17:56:08 | 000,052,068 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\c4u.log
[2010/03/04 11:51:46 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\To whom it may concern.doc
[2010/03/02 11:56:41 | 000,109,058 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\TaxReturn123.pdf
[2010/02/21 19:16:05 | 006,758,756 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\bessanlisa income info.tif
[2010/02/21 19:15:51 | 001,323,393 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\bessanlisa income info.pdf
[2010/02/20 02:38:40 | 003,274,140 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\sead ggoyrds.pdf
[2009/12/16 20:18:10 | 000,225,280 | ---- | C] () -- C:\WINDOWS\System32\net_rim_plazmic_flint_dialog.dll
[2009/11/24 23:51:41 | 000,343,040 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2009/11/24 23:51:41 | 000,116,736 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll
[2009/11/16 20:56:28 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2009/10/19 19:58:53 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2009/10/18 13:12:23 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/05/10 09:58:56 | 000,147,456 | ---- | C] () -- C:\WINDOWS\pcmgrfx.dll
[2006/05/09 10:36:24 | 000,151,552 | ---- | C] () -- C:\WINDOWS\pmwssrv.dll
[2006/05/09 10:36:24 | 000,151,552 | ---- | C] () -- C:\WINDOWS\pcmsrv32.dll
[2003/03/09 22:31:04 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2003/01/07 17:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/07/06 17:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2009/12/09 12:45:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Eastman Kodak Company
[2009/12/09 13:49:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\kds_kodak
[2009/12/09 11:22:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Livescribe, Inc
[2009/11/16 18:15:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Maxtor
[2009/10/15 19:27:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2010/05/10 22:04:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/11/24 22:27:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2010/04/21 23:49:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/11/23 22:18:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/03/25 21:23:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chemwapuwa\Application Data\Alawar
[2010/02/27 13:08:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chemwapuwa\Application Data\Canon
[2010/03/25 18:11:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chemwapuwa\Application Data\Downloaded Installations
[2009/11/18 03:29:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chemwapuwa\Application Data\Image Zone Express
[2009/12/16 20:18:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chemwapuwa\Application Data\Research In Motion
[2009/11/15 15:56:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chemwapuwa\Application Data\Skinux
[2010/04/28 12:10:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chemwapuwa\Application Data\Temp
[2009/11/24 22:25:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chemwapuwa\Application Data\WildTangent
[2010/05/15 22:11:51 | 000,000,432 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{6D05B59C-29A6-4B50-929C-E9CB78A9A916}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2009/04/19 20:08:14 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/10/15 21:41:57 | 000,000,057 | ---- | M] () -- C:\BIOSID.TXT
[2010/05/09 16:12:57 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/05/15 22:25:54 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2004/08/03 23:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2009/04/19 20:08:14 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2009/11/20 12:27:58 | 000,000,395 | -H-- | M] () -- C:\hpothb07.dat
[2009/11/17 23:19:47 | 000,900,122 | -H-- | M] () -- C:\hpothb07.tif
[2009/04/19 20:08:14 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/04/19 20:08:14 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2006/02/28 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/09/16 20:42:14 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/05/15 23:10:25 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 06:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 06:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/04/20 01:56:46 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/04/20 01:56:46 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/04/20 01:56:46 | 000,888,832 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/05/15 22:55:52 | 000,250,368 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\iaStor.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2010/02/24 09:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >


OTL Extras logfile created on: 5/15/2010 11:24:41 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\chemwapuwa\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 76.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 92.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 267.89 Gb Free Space | 89.87% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CHEMWAPU-3E99BA
Current User Name: chemwapuwa
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Digital Photo Professional] -- C:\Program Files\Canon\Digital Photo Professional\DPPViewer.exe /path "%1" (CANON INC.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"9322:TCP" = 9322:TCP:*:Enabled:EKDiscovery

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{007B37D9-0C45-4202-834B-DD5FAAE99D63}" = ArcSoft Print Creations - Slimline Card
"{03EDED24-8375-407D-A721-4643D9768BE1}" = kgchlwn
"{04768D41-C373-4818-AD68-DA987D9F1D83}" = BlackBerry Smartphone Simulators 4.5.0.66 (8330)
"{0645A454-AD44-4F0D-99CF-6B762735AD1F}" = aioprnt
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{10934A28-0CC6-4B98-A14F-76B3546003AF}" = ksDIP
"{11F3F858-4131-4FFA-A560-3FE282933B6E}" = kgchday
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{23B35809-5E4A-4F14-8332-1CDEDDFAC089}" = CP_Package_Variety2
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
"{48B41C3A-9A92-4B81-B653-C97FEB85C910}" = C4USelfUpdater
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{522D1D79-9C0A-4361-91F8-2AFF8EC6C2E1}" = CP_Package_Variety1
"{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{56589DFE-0C29-4DFE-8E42-887B771ECD23}" = ArcSoft Print Creations - Photo Book
"{56BA241F-580C-43D2-8403-947241AAE633}" = center
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}" = fflink
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{64DD099E-1DCF-44DC-B1B5-0E45AC551772}" = PageTools 2.5
"{6522C636-B04C-4333-9BEB-9E0C0B6350D6}" = The Sims™ 2 Kitchen & Bath Interior Design Stuff
"{693C08A7-9E76-43FF-B11E-9A58175474C4}" = kgckids
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{76BC2442-0002-47FA-9617-43BAD82BEF4C}" = Bonjour
"{7B57819C-B479-463D-97CE-F46F12386765}" = PC*MILER 20
"{7C32C567-DC0F-4C80-B06C-7873850A2E06}" = The Sims Unleashed
"{81A34902-9D0B-4920-A25C-4CDC5D14B328}" = Jasc Paint Shop Pro 8
"{829CD169-E692-48E8-9BDE-A3E8D8B65538}" = mSCfg
"{86B32074-0F48-4CF9-BA4B-529B470FB47F}" = BlackBerry Desktop Software 5.0
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8A8664E1-84C8-4936-891C-BC1F07797549}" = kgcvday
"{8AB8D458-939E-403F-0097-9BA1C1F013D5}" = The Sims 2
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{8C6BB412-D3A8-4AAE-A01B-35B681789D68}" = mHelp
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90170409-6000-11D3-8CFE-0050048383C9}" = Microsoft FrontPage 2002
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{91A10409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office OneNote 2003
"{91E30409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{94824ADD-8F26-43D2-84DB-22E11F377E5E}" = Microsoft English TTS Engine
"{9591C049-5CAE-4E89-A8D9-191F1899628B}" = ArcSoft Print Creations - Funhouse
"{97D0C0A1-7E64-4B05-A2EE-61D2CE23F154}" = TTS Wrapper
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{996A2FAA-7514-4628-9D12-A8FC34A0016E}" = iTunes
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BD54685-1496-46A5-AB62-357CD140ED8B}" = kgcinvt
"{9CDBC303-3EED-40b0-8E41-A7C65AA96C26}" = The Sims 2 Glamour Life Stuff
"{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}" = mDriver
"{A1588373-1D86-4D44-86C9-78ABD190F9CC}" = kgcmove
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.3
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B0D83FCD-9D42-43ED-8315-250326AADA02}" = ArcSoft Print Creations - Scrapbook
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{B57F2FF0-5A25-4332-B503-4592B370C02F}" = CP_Package_Variety3
"{B5C3B892-0849-476C-9F46-B12F84819D57}" = Apple Mobile Device Support
"{BA2898D6-6270-4B00-AA32-4E82867973CF}" = BlackBerry Smartphone Simulators 4.7.0.75 (9530-Verizon)
"{BB3AB664-D92B-4CB5-8B3E-D841841F4E68}" = Canon Camera WIA Driver
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C82185E8-C27B-4EF4-2007-4444BC2C2B6D}" = Microsoft Streets & Trips 2007
"{CA9ED5E4-1548-485B-A293-417840060158}" = ArcSoft Print Creations - Photo Calendar
"{CAE8A0F1-B498-4C23-95FA-55047E730C8F}" = ArcSoft Print Creations
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.2
"{D1337876-6370-48F5-B0DD-2ADD32298FF8}" = Livescribe Desktop
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{D61F7835-65DF-4662-9A71-CD51F8FC0CE4}" = Desktop Notifier
"{DA5BDB2A-12F0-4343-8351-21AAEB293990}" = PreReq
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{DE6B7599-D3EF-4436-8836-BAA0B0D7768D}" = aiofw
"{E0F274B7-592B-4669-8FB8-8D9825A09858}" = KODAK AiO Home Center
"{E18B549C-5D15-45DA-8D8F-8FD2BD946344}" = kgcbaby
"{E6B4117F-AC59-4B13-9274-EB136E8897EE}" = ArcSoft Print Creations - Album Page
"{E81667C6-2856-46D6-ABEA-6A2F42166779}" = mCore
"{ED01D958-AEDC-40C8-93FD-0C08E8AA9530}" = Maxtor Manager
"{F04F9557-81A9-4293-BC49-2C216FA325A7}" = ArcSoft Print Creations - Greeting Card
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F2A69CA0-8BBF-4404-BA68-DB79A3548E34}" = PCStitch
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"{FE24086F-3B0C-4C47-A874-97A7B8E2FBBE}" = aioscnnr
"1ECD657E4445D4F72EB15751A07E4215BA450674" = Windows Driver Package - Livescribe (PulseUsb) DigitalPen (07/22/2009 2.1.6.0)
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"BlackBerry Theme Studio 5.0" = BlackBerry Theme Studio 5.0
"BlackBerry_{86B32074-0F48-4CF9-BA4B-529B470FB47F}" = BlackBerry Desktop Software 5.0
"Bricks of Egypt_is1" = Bricks of Egypt
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
"CameraWindowLauncher" = Canon Utilities CameraWindow
"Chameleon Sampler" = Chameleon Sampler
"CL-Eye Driver" = CL-Eye Driver
"CSCLIB" = Canon Camera Support Core Library
"DPP" = Canon Utilities Digital Photo Professional 3.4
"EOS Utility" = Canon Utilities EOS Utility
"FrontLook S1" = FrontLook S1 Uninstall
"FrontLookFX 1 Files" = FrontLook Page Effects ( Sampler ) Files
"FrontLookFX Core Files" = FrontLook Page Effects Core Files
"Gateway Drivers and Applications Recovery" = Gateway Drivers and Applications Recovery
"HDMI" = Intel® Graphics Media Accelerator Driver
"ie8" = Windows Internet Explorer 8
"InstallShield_{BB3AB664-D92B-4CB5-8B3E-D841841F4E68}" = Canon EOS 5D WIA Driver
"InstallShield_{ED01D958-AEDC-40C8-93FD-0C08E8AA9530}" = Maxtor Manager
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Thunderbird (3.0.4)" = Mozilla Thunderbird (3.0.4)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyCamera" = Canon Utilities MyCamera
"NetPlugin Tags1.1" = NetPlugin Tags
"Network Play System (Patching)" = Network Play System (Patching)
"Original Data Security Tools" = Canon Utilities Original Data Security Tools
"PhotoStitch" = Canon Utilities PhotoStitch
"Picture Style Editor" = Canon Utilities Picture Style Editor
"Prism" = Prism Video Converter
"ProInst" = Intel® PROSet/Wireless Software
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon Utilities RemoteCapture Task for ZoomBrowser EX
"SeaMonkey (2.0.4)" = SeaMonkey (2.0.4)
"SMSERIAL" = Motorola SM56 Data Fax Modem
"SystemRequirementsLab" = System Requirements Lab
"TOSHIBA Game Console" = TOSHIBA Game Console
"Wdf01007" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"WFTK" = Canon Utilities WFT-E1/E2/E3 Utility
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"winusb0200" = Microsoft WinUsb 2.0
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"WT013423" = Hyperballoid the Complete Edition
"WT014776" = Blasterball 2 Holidays (Free with TOSHIBA Game Console)
"WT026359" = Strike Ball 2
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"HuluDesktop" = Hulu Desktop

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/9/2009 1:45:06 PM | Computer Name = CHEMWAPU-3E99BA | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 8.0.6001.18702, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 12/9/2009 1:45:13 PM | Computer Name = CHEMWAPU-3E99BA | Source = Application Hang | ID = 1001
Description = Fault bucket 1180947459.

Error - 12/20/2009 8:25:12 PM | Computer Name = CHEMWAPU-3E99BA | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download....uthrootstl.cab>
with error: An internal certificate chaining error has occurred.

Error - 12/27/2009 9:37:19 PM | Computer Name = CHEMWAPU-3E99BA | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft FrontPage 2002 -- Error 1706. Setup cannot find
the required files. Check your connection to the network, or CD-ROM drive. For
other potential solutions to this problem, see C:\Program Files\Microsoft Office\Office10\1033\SETUP.HLP.

Error - 12/27/2009 9:37:20 PM | Computer Name = CHEMWAPU-3E99BA | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft FrontPage 2002 - Update '{DA256408-A2E7-41A5-8AD6-62ACB86A0FD7}'
could not be installed. Error code 1603. Windows Installer can create logs to help
troubleshoot issues with installing software packages. Use the following link for
instructions on turning on logging support: http://go.microsoft....k/?LinkId=23127

Error - 1/9/2010 11:42:54 PM | Computer Name = CHEMWAPU-3E99BA | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module iedvtool.dll, version 8.0.6001.18702, fault address 0x0004fcaa.

Error - 1/15/2010 2:44:17 PM | Computer Name = CHEMWAPU-3E99BA | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft FrontPage 2002 -- Error 1706. Setup cannot find
the required files. Check your connection to the network, or CD-ROM drive. For
other potential solutions to this problem, see C:\Program Files\Microsoft Office\Office10\1033\SETUP.HLP.

Error - 1/15/2010 2:44:18 PM | Computer Name = CHEMWAPU-3E99BA | Source = MsiInstaller | ID = 1024
Description = Product: Microsoft FrontPage 2002 - Update '{DA256408-A2E7-41A5-8AD6-62ACB86A0FD7}'
could not be installed. Error code 1603. Windows Installer can create logs to help
troubleshoot issues with installing software packages. Use the following link for
instructions on turning on logging support: http://go.microsoft....k/?LinkId=23127

[ System Events ]
Error - 5/11/2010 2:44:59 PM | Computer Name = CHEMWAPU-3E99BA | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 5/11/2010 2:44:59 PM | Computer Name = CHEMWAPU-3E99BA | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 5/11/2010 2:44:59 PM | Computer Name = CHEMWAPU-3E99BA | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 5/11/2010 2:44:59 PM | Computer Name = CHEMWAPU-3E99BA | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 5/11/2010 2:44:59 PM | Computer Name = CHEMWAPU-3E99BA | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 5/11/2010 2:44:59 PM | Computer Name = CHEMWAPU-3E99BA | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 5/11/2010 2:44:59 PM | Computer Name = CHEMWAPU-3E99BA | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 5/11/2010 2:45:00 PM | Computer Name = CHEMWAPU-3E99BA | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 5/11/2010 2:45:00 PM | Computer Name = CHEMWAPU-3E99BA | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 5/15/2010 10:56:52 PM | Computer Name = CHEMWAPU-3E99BA | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.


< End of report >


___________________

ComboFix

ComboFix 10-05-15.01 - chemwapuwa 05/15/2010 23:43:43.6.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1662 [GMT -4:00]
Running from: c:\documents and settings\chemwapuwa\Desktop\george.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\acpiec.sys was found and disinfected
Restored copy from - Kitty had a snack :)
.
((((((((((((((((((((((((( Files Created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))
.

2010-05-16 02:58 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-16 02:58 . 2010-05-16 02:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-16 02:58 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-15 23:47 . 2010-05-16 02:20 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-15 06:00 . 2010-05-15 06:00 -------- d-----w- c:\program files\Common Files\Java
2010-05-15 05:59 . 2010-05-15 05:59 503808 ----a-w- c:\documents and settings\chemwapuwa\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-11c81698-n\msvcp71.dll
2010-05-15 05:59 . 2010-05-15 05:59 499712 ----a-w- c:\documents and settings\chemwapuwa\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-11c81698-n\jmc.dll
2010-05-15 05:59 . 2010-05-15 05:59 348160 ----a-w- c:\documents and settings\chemwapuwa\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-11c81698-n\msvcr71.dll
2010-05-15 05:59 . 2010-05-15 05:59 61440 ----a-w- c:\documents and settings\chemwapuwa\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-79fceed8-n\decora-sse.dll
2010-05-15 05:59 . 2010-05-15 05:59 12800 ----a-w- c:\documents and settings\chemwapuwa\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-79fceed8-n\decora-d3d.dll
2010-05-15 05:59 . 2010-05-15 05:59 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-11 01:27 . 2010-05-11 01:27 -------- d-----w- c:\documents and settings\chemwapuwa\Local Settings\Application Data\Threat Expert
2010-05-11 01:18 . 2010-05-11 02:04 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-11 00:19 . 2010-05-11 00:19 -------- d-----w- c:\documents and settings\chemwapuwa\Application Data\Malwarebytes
2010-05-11 00:19 . 2010-05-11 00:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-09 20:09 . 2010-05-09 20:09 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-29 23:03 . 2010-04-29 23:03 0 ----a-w- c:\windows\nsreg.dat
2010-04-29 23:00 . 2010-04-29 23:00 -------- d-----w- c:\documents and settings\chemwapuwa\Local Settings\Application Data\Mozilla
2010-04-29 22:59 . 2010-04-29 23:00 -------- d-----w- c:\program files\SeaMonkey
2010-04-29 22:56 . 2010-04-29 22:56 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-04-29 21:57 . 2010-04-29 21:57 -------- d-----w- C:\i3dthemes
2010-04-29 21:48 . 2010-04-29 21:48 -------- d-----w- c:\program files\Starfield
2010-04-29 21:27 . 2010-04-29 21:27 -------- d-----w- c:\program files\LTMOD
2010-04-29 21:25 . 2010-04-29 21:25 -------- d-----w- C:\FrontPage Tools
2010-04-29 21:25 . 2010-04-29 21:25 720896 ----a-w- c:\windows\iun6002.exe
2010-04-29 21:25 . 2010-04-29 21:25 -------- d-----w- c:\program files\NetPlugin Tags
2010-04-29 21:24 . 2010-04-29 21:27 -------- d-----w- c:\program files\DPA Software
2010-04-29 21:24 . 2003-03-27 17:16 49152 ----a-w- c:\windows\system32\DPAMenu.dll
2010-04-29 21:24 . 2003-03-26 22:21 73728 ----a-w- c:\windows\system32\DPARTL.dll
2010-04-29 21:05 . 2010-05-05 02:41 -------- d-----w- C:\FPTemplates
2010-04-24 22:47 . 2010-04-24 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-04-24 22:46 . 2010-04-24 22:48 -------- d-----w- c:\program files\Canon
2010-04-23 16:59 . 2010-04-23 16:59 57312 ---ha-w- c:\windows\system32\mlfcache.dat
2010-04-22 03:49 . 2010-04-22 03:49 -------- d-----w- c:\program files\iPod
2010-04-22 03:49 . 2010-04-22 03:49 -------- d-----w- c:\program files\iTunes
2010-04-22 03:49 . 2010-04-22 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-22 03:47 . 2010-04-22 03:47 -------- d-----w- c:\program files\QuickTime
2010-04-22 03:45 . 2010-04-22 03:45 -------- d-----w- c:\program files\Bonjour
2010-04-22 03:42 . 2010-04-22 03:42 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-19 00:59 . 2010-04-19 01:00 -------- d-----w- c:\documents and settings\chemwapuwa\Local Settings\Application Data\HuluDesktop
2010-04-17 15:08 . 2010-04-17 15:08 -------- d-----w- c:\windows\system32\kodak
2010-04-17 15:06 . 2010-04-17 15:06 -------- d-----w- c:\program files\MSXML 6.0
2010-04-17 15:04 . 2010-02-22 16:01 53248 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\Installer\Serializable.XmlSerializers.dll
2010-04-17 15:04 . 2010-02-22 16:01 19968 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\Installer\Serializable.dll
2010-04-17 15:04 . 2010-02-22 16:01 36864 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\Installer\Interop.WindowsInstaller.dll
2010-04-17 14:17 . 2010-04-17 14:17 -------- d-----w- c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-16 03:42 . 2009-11-15 19:41 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-05-16 03:42 . 2009-11-15 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-05-16 02:55 . 2009-03-09 05:04 250368 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-05-11 03:08 . 2010-03-29 01:27 -------- d-----w- c:\program files\Google
2010-05-11 01:38 . 2010-03-29 01:27 -------- d-----w- c:\documents and settings\chemwapuwa\Application Data\Skype
2010-04-28 16:10 . 2009-12-09 15:44 -------- d-----w- c:\documents and settings\chemwapuwa\Application Data\Temp
2010-04-24 00:13 . 2009-11-18 07:29 -------- d-----w- c:\documents and settings\chemwapuwa\Application Data\Apple Computer
2010-04-22 03:49 . 2009-11-24 02:16 -------- d-----w- c:\program files\Common Files\Apple
2010-04-17 15:10 . 2009-11-15 19:39 -------- d-----w- c:\program files\Kodak
2010-04-17 15:03 . 2009-10-15 23:28 72480 ----a-w- c:\documents and settings\chemwapuwa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-29 01:28 . 2010-03-29 01:28 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-03-29 01:28 . 2010-03-29 01:28 -------- d-----w- c:\documents and settings\chemwapuwa\Application Data\skypePM
2010-03-29 01:27 . 2010-03-29 01:26 -------- d-----r- c:\program files\Skype
2010-03-29 01:26 . 2010-03-29 01:26 -------- d-----w- c:\program files\Common Files\Skype
2010-03-29 01:26 . 2010-03-29 01:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-03-29 01:23 . 2010-03-29 01:23 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
2010-03-29 01:23 . 2010-03-29 01:23 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-03-29 01:22 . 2010-03-29 01:22 851176 ----a-w- c:\windows\system32\WinUSBCoInstaller2.dll
2010-03-29 01:22 . 2010-03-29 01:22 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2010-03-29 01:22 . 2010-03-29 01:22 74752 ----a-w- c:\windows\system32\CLEyeDevices.dll
2010-03-29 01:22 . 2010-03-29 01:22 -------- d-----w- c:\program files\Code Laboratories
2010-03-26 01:23 . 2010-03-26 01:23 -------- d-----w- c:\documents and settings\chemwapuwa\Application Data\Alawar
2010-03-26 01:21 . 2010-03-26 01:21 -------- d-----w- c:\program files\WildGames
2010-03-25 22:24 . 2009-12-09 15:21 -------- d-----w- c:\program files\Common Files\Livescribe
2010-03-25 22:24 . 2010-03-25 22:24 -------- d-----w- c:\program files\Livescribe
2010-03-25 22:11 . 2009-12-09 15:18 -------- d-----w- c:\documents and settings\chemwapuwa\Application Data\Downloaded Installations
2010-03-22 17:26 . 2009-10-15 23:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-22 17:26 . 2010-03-22 17:26 -------- d-----w- c:\program files\ALK Technologies
2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2006-02-28 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-20 04:38 . 2010-02-20 04:38 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2010-02-16 14:08 . 2006-02-28 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 22:59 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( [email protected]_00.51.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 06:19 . 2007-11-07 06:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 10:07 . 2008-07-29 10:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 10:07 . 2008-07-29 10:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2010-05-16 03:42 . 2010-05-16 03:42 16384 c:\windows\temp\Perflib_Perfdata_79c.dat
+ 2009-10-18 17:19 . 2010-05-15 06:12 23040 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2009-10-18 17:19 . 2010-04-17 00:13 23040 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2009-10-18 17:19 . 2010-05-15 06:12 61440 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2009-10-18 17:19 . 2010-04-17 00:13 61440 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2009-10-18 17:19 . 2010-04-17 00:13 27136 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2009-10-18 17:19 . 2010-05-15 06:12 27136 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2009-10-18 17:19 . 2010-04-17 00:13 11264 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2009-10-18 17:19 . 2010-05-15 06:12 11264 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2009-10-18 17:19 . 2010-05-15 06:12 86016 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2009-10-18 17:19 . 2010-04-17 00:13 86016 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2009-10-18 17:19 . 2010-05-15 06:12 12288 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2009-10-18 17:19 . 2010-04-17 00:13 12288 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-10-18 17:19 . 2010-05-15 06:12 4096 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2009-10-18 17:19 . 2010-04-17 00:13 4096 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-07-12 04:02 . 2009-07-12 04:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2010-05-15 05:59 . 2010-05-15 05:59 153376 c:\windows\system32\javaws.exe
- 2009-11-28 00:25 . 2009-11-28 00:25 145184 c:\windows\system32\javaw.exe
+ 2010-05-15 05:59 . 2010-05-15 05:59 145184 c:\windows\system32\javaw.exe
- 2009-11-28 00:25 . 2009-11-28 00:25 145184 c:\windows\system32\java.exe
+ 2010-05-15 05:59 . 2010-05-15 05:59 145184 c:\windows\system32\java.exe
+ 2009-04-20 00:06 . 2010-01-29 15:01 691712 c:\windows\system32\inetcomm.dll
- 2009-04-20 00:06 . 2008-04-11 19:04 691712 c:\windows\system32\inetcomm.dll
+ 2009-09-17 00:22 . 2010-01-29 15:01 691712 c:\windows\system32\dllcache\inetcomm.dll
- 2009-09-17 00:22 . 2008-04-11 19:04 691712 c:\windows\system32\dllcache\inetcomm.dll
+ 2010-05-11 01:19 . 2010-05-11 01:19 228352 c:\windows\Installer\f6147.msi
+ 2010-05-15 06:00 . 2010-05-15 06:00 180224 c:\windows\Installer\6d01d.msi
+ 2010-05-15 05:59 . 2010-05-15 05:59 576000 c:\windows\Installer\6d018.msi
+ 2010-05-15 06:10 . 2010-05-15 06:10 195584 c:\windows\Installer\112b09.msi
- 2009-10-18 17:19 . 2010-04-17 00:13 409600 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2009-10-18 17:19 . 2010-05-15 06:12 409600 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2009-10-18 17:19 . 2010-05-15 06:12 286720 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2009-10-18 17:19 . 2010-04-17 00:13 286720 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2009-10-18 17:19 . 2010-05-15 06:12 249856 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2009-10-18 17:19 . 2010-04-17 00:13 249856 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2009-10-18 17:19 . 2010-05-15 06:12 794624 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2009-10-18 17:19 . 2010-04-17 00:13 794624 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2009-10-18 17:19 . 2010-05-15 06:12 135168 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2009-10-18 17:19 . 2010-04-17 00:13 135168 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-10-18 17:19 . 2010-05-15 06:12 593920 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2009-10-18 17:19 . 2010-04-17 00:13 593920 c:\windows\Installer\{91E30409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-07-29 12:05 . 2008-07-29 12:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 12:05 . 2008-07-29 12:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2009-09-17 00:22 . 2010-01-29 15:01 1315328 c:\windows\system32\dllcache\msoe.dll
- 2009-09-17 00:22 . 2009-07-10 13:27 1315328 c:\windows\system32\dllcache\msoe.dll
+ 2009-10-16 22:07 . 2009-10-16 22:07 6115328 c:\windows\Installer\112b32.msp
+ 2010-04-21 21:46 . 2010-04-21 21:46 5522432 c:\windows\Installer\112b1d.msp
+ 2009-09-17 01:38 . 2010-04-30 18:51 32058312 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 07:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2009-10-10 18:32 203264 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Conime]
2008-04-14 00:12 27648 ----a-w- c:\windows\system32\conime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2010-02-08 16:09 1634304 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-02-15 18:46 159744 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-02-15 18:46 135168 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2007-11-01 19:47 1101824 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2007-11-01 19:51 995328 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxomssmenu]
2007-09-06 19:53 169264 ----a-w- c:\program files\Maxtor\OneTouch Status\MaxMenuMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-15 18:46 131072 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2006-08-22 18:33 303104 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-03-09 14:02 26100520 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
2006-09-28 00:26 573440 ----a-w- c:\program files\Motorola\SMSERIAL\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wben]
2009-09-24 18:51 338456 ----a-w- c:\program files\Starfield\Desktop Notifier\wben.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery

R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [2/11/2010 3:36 PM 300400]
R2 PenCommService;Livescribe Pulse Smartpen Service;c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe [2/18/2010 1:23 PM 265728]
S3 PulseUsb;Livescribe Pulse Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [12/9/2009 11:21 AM 20096]
.
Contents of the 'Scheduled Tasks' folder

2010-05-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-16 c:\windows\Tasks\User_Feed_Synchronization-{6D05B59C-29A6-4B50-929C-E9CB78A9A916}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.netflix.com/WiHome
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
DPF: Web-Based Email Tools - hxxp://email01.secureserver.net/Download.CAB
DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} - hxxp://mobileapps.blackberry.com/devicesoftware/AxLoader.cab
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
MSConfigStartUp-dmadmin - c:\docume~1\CHEMWA~1\LOCALS~1\Temp\dmadmin.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-15 23:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89D03EE4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f19852
\Driver\iaStor -> iaStor.sys @ 0xb9e64184
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel® PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9d5abb0
PacketIndicateHandler -> NDIS.sys @ 0xb9d67a21
SendHandler -> NDIS.sys @ 0xb9d4587b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\WININET.dll
c:\windows\system32\netprovcredman.dll

- - - - - - - > 'lsass.exe'(724)
c:\windows\system32\WININET.dll
.
Completion time: 2010-05-15 23:54:51
ComboFix-quarantined-files.txt 2010-05-16 03:54
ComboFix2.txt 2010-05-11 08:02
ComboFix3.txt 2010-05-11 02:25
ComboFix4.txt 2010-05-11 01:15
ComboFix5.txt 2010-05-11 19:17

Pre-Run: 287,621,451,776 bytes free
Post-Run: 287,718,309,888 bytes free

- - End Of File - - 5E0213E2B4A0E04B95CCA2BA775A9843
________________________


ESET info

C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\acpiec.sys.vir Win32/Olmarik.ZC trojan cleaned - quarantined


___________________________________________

BitDefender

BitDefender Online Scanner

Scan report generated at: Sun, May 16, 2010 - 04:11:33

Scan path: C:\;D:\;

Statistics
Time: 01:07:27
Files: 409224
Folders: 13024
Boot Sectors: 0
Archives: 5980
Packed Files: 18891

Results
Identified Viruses: 1
Infected Files: 6
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 6

Engines Info
Virus Definitions: 5895530
Engine build: AVCORE v2.1 Windows/i386 11.0.0.33 (Feb 25 2010)
Scan plugins: 17
Archive plugins: 43
Unpack plugins: 10
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status
C:\System Volume Information\_restore{4D66BDA4-7121-4608-8E1E-054875715CEF}\RP148\A0019417.sys
  Infected with: Rootkit.Patched.TDSS.Gen
  Disinfection failed
  Deleted
C:\System Volume Information\_restore{4D66BDA4-7121-4608-8E1E-054875715CEF}\RP148\A0019651.sys
  Infected with: Rootkit.Patched.TDSS.Gen
  Disinfection failed
  Deleted
C:\System Volume Information\_restore{4D66BDA4-7121-4608-8E1E-054875715CEF}\RP148\A0020053.sys
  Infected with: Rootkit.Patched.TDSS.Gen
  Disinfection failed
  Deleted
C:\System Volume Information\_restore{4D66BDA4-7121-4608-8E1E-054875715CEF}\RP149\A0020364.sys
  Infected with: Rootkit.Patched.TDSS.Gen
  Disinfection failed
  Deleted
C:\System Volume Information\_restore{4D66BDA4-7121-4608-8E1E-054875715CEF}\RP151\A0020781.sys
  Infected with: Rootkit.Patched.TDSS.Gen
  Disinfection failed
  Deleted
C:\System Volume Information\_restore{4D66BDA4-7121-4608-8E1E-054875715CEF}\RP154\A0021072.sys
  Infected with: Rootkit.Patched.TDSS.Gen
  Disinfection failed
  Deleted

__________________________________

RootRepeal info

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/05/16 04:28
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xBA0C8000 Size: 57344 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xB9F79000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: ACPIEC.sys
Image Path: ACPIEC.sys
Address: 0xBA4C4000 Size: 11648 File Visible: - Signed: -
Status: -

Name: AegisP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AegisP.sys
Address: 0x9AD74000 Size: 19296 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xA7471000 Size: 138496 File Visible: - Signed: -
Status: -

Name: arp1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Address: 0xBA238000 Size: 60800 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xB9F13000 Size: 96512 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xBA6B3000 Size: 3072 File Visible: - Signed: -
Status: -

Name: BATTC.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\BATTC.SYS
Address: 0xBA4C0000 Size: 16384 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xBA602000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xBA4B8000 Size: 12288 File Visible: - Signed: -
Status: -

Name: catchme.sys
Image Path: C:\DOCUME~1\CHEMWA~1\LOCALS~1\Temp\catchme.sys
Address: 0xBA480000 Size: 31744 File Visible: No Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0x9B448000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xB939C000 Size: 62976 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xBA108000 Size: 53248 File Visible: - Signed: -
Status: -

Name: CmBatt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Address: 0xB9CFB000 Size: 13952 File Visible: - Signed: -
Status: -

Name: compbatt.sys
Image Path: compbatt.sys
Address: 0xBA4BC000 Size: 10240 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xBA0F8000 Size: 36352 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xBA2D8000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9A772000 Size: 753664 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0x9B33D000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0x9ABCD000 Size: 4096 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xB942C000 Size: 44544 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xB9E3B000 Size: 129792 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xBA600000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xB9F2B000 Size: 125056 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
Address: 0xBA390000 Size: 21120 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806E4000 Size: 134400 File Visible: - Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xB87B0000 Size: 163840 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0x99FB2000 Size: 265728 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xB93BC000 Size: 52480 File Visible: - Signed: -
Status: -

Name: iaStor.sys
Image Path: iaStor.sys
Address: 0xB9E5B000 Size: 753664 File Visible: - Signed: -
Status: -

Name: igxpdv32.DLL
Image Path: C:\WINDOWS\System32\igxpdv32.DLL
Address: 0xBF04F000 Size: 1671168 File Visible: - Signed: -
Status: -

Name: igxpdx32.DLL
Image Path: C:\WINDOWS\System32\igxpdx32.DLL
Address: 0xBF1E7000 Size: 2699264 File Visible: - Signed: -
Status: -

Name: igxpgd32.dll
Image Path: C:\WINDOWS\System32\igxpgd32.dll
Address: 0xBF024000 Size: 176128 File Visible: - Signed: -
Status: -

Name: igxpmp32.sys
Image Path: C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
Address: 0xB87EC000 Size: 5854752 File Visible: - Signed: -
Status: -

Name: igxprd32.dll
Image Path: C:\WINDOWS\System32\igxprd32.dll
Address: 0xBF012000 Size: 73728 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xB93AC000 Size: 42112 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xB93CC000 Size: 36352 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xA7493000 Size: 152832 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xA753A000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xBA0A8000 Size: 37248 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xBA4A8000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xBA5A8000 Size: 8192 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xB8546000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xB9E12000 Size: 92928 File Visible: - Signed: -
Status: -

Name: mbr.sys
Image Path: C:\DOCUME~1\CHEMWA~1\LOCALS~1\Temp\mbr.sys
Address: 0x9ADA4000 Size: 20864 File Visible: No Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xBA604000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xBA3A8000 Size: 30080 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xBA4B0000 Size: 23040 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xBA0D8000 Size: 42368 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0x9A6F5000 Size: 180608 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xA73D6000 Size: 455680 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xA7774000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xBA288000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xBA57C000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xB9D2B000 Size: 105344 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xB9D45000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xB8D96000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xA1666000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xB852F000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xBA2A8000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xBA228000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xA74B9000 Size: 162816 File Visible: - Signed: -
Status: -

Name: NETw4x32.sys
Image Path: C:\WINDOWS\system32\DRIVERS\NETw4x32.sys
Address: 0xB858D000 Size: 2236544 File Visible: - Signed: -
Status: -

Name: nic1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Address: 0xBA128000 Size: 61824 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xA776C000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xB9D72000 Size: 574976 File Visible: - Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xBA68A000 Size: 2944 File Visible: - Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xBA0B8000 Size: 61696 File Visible: - Signed: -
Status: -

Name: OPRGHDLR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
Address: 0xBA671000 Size: 4096 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xBA330000 Size: 19712 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xB9F68000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xBA670000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xBA328000 Size: 28672 File Visible: - Signed: -
Status: -

Name: pcmcia.sys
Image Path: pcmcia.sys
Address: 0xB9F4A000 Size: 120192 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xA82C8000 Size: 147456 File Visible: - Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xA30E8000 Size: 7872 File Visible: No Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xB851E000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xBA410000 Size: 17792 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xBA574000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xBA258000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xBA268000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xBA278000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xBA420000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xA7446000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xBA606000 Size: 4224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xBA248000 Size: 57600 File Visible: - Signed: -
Status: -

Name: RimSerial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\RimSerial.sys
Address: 0xBA430000 Size: 27136 File Visible: - Signed: -
Status: -

Name: RootMdm.sys
Image Path: C:\WINDOWS\System32\Drivers\RootMdm.sys
Address: 0xBA5DC000 Size: 5888 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9A23B000 Size: 49152 File Visible: No Signed: -
Status: -

Name: s24trans.sys
Image Path: C:\WINDOWS\system32\DRIVERS\s24trans.sys
Address: 0xA3F86000 Size: 12288 File Visible: - Signed: -
Status: -

Name: smserial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\smserial.sys
Address: 0xA81ED000 Size: 893952 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xB9E29000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0x9A4A3000 Size: 353792 File Visible: - Signed: -
Status: -

Name: sthda.sys
Image Path: C:\WINDOWS\system32\drivers\sthda.sys
Address: 0xA82EC000 Size: 1128512 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xBA5E2000 Size: 4352 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xA1F74000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xA74E1000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xBA3F0000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xBA298000 Size: 40704 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB84C0000 Size: 384768 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xBA5EA000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xBA498000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xBA2C8000 Size: 59520 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB8569000 Size: 147456 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xBA468000 Size: 20608 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xA777C000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB87D8000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xBA0E8000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xBA218000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xBA3E0000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0x9A6E0000 Size: 83072 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xBA5AA000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: WudfPf.sys
Image Path: WudfPf.sys
Address: 0xB9DFF000 Size: 77568 File Visible: - Signed: -
Status: -

Edited by Chemwapuwa, 16 May 2010 - 04:18 AM.

#6 Chemwapuwa (Member, Topic Starter, 21 posts)
Here is the second TDSSKiller scan:

06:23:10:812 2848 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
06:23:10:812 2848 ================================================================================
06:23:10:812 2848 SystemInfo:

06:23:10:812 2848 OS Version: 5.1.2600 ServicePack: 3.0
06:23:10:812 2848 Product type: Workstation
06:23:10:812 2848 ComputerName: CHEMWAPU-3E99BA
06:23:10:812 2848 UserName: chemwapuwa
06:23:10:812 2848 Windows directory: C:\WINDOWS
06:23:10:812 2848 Processor architecture: Intel x86
06:23:10:812 2848 Number of processors: 2
06:23:10:812 2848 Page size: 0x1000
06:23:10:812 2848 Boot type: Normal boot
06:23:10:812 2848 ================================================================================
06:23:10:843 2848 UnloadDriverW: NtUnloadDriver error 2
06:23:10:843 2848 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
06:23:10:875 2848 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
06:23:10:875 2848 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
06:23:10:875 2848 wfopen_ex: Trying to KLMD file open
06:23:10:875 2848 wfopen_ex: File opened ok (Flags 2)
06:23:10:875 2848 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
06:23:10:875 2848 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
06:23:10:875 2848 wfopen_ex: Trying to KLMD file open
06:23:10:875 2848 wfopen_ex: File opened ok (Flags 2)
06:23:10:875 2848 Initialize success
06:23:10:875 2848
06:23:10:875 2848 Scanning Services ...
06:23:11:000 2848 Raw services enum returned 339 services
06:23:11:000 2848
06:23:11:000 2848 Scanning Kernel memory ...
06:23:11:000 2848 Devices to scan: 2
06:23:11:000 2848
06:23:11:000 2848 Driver Name: Disk
06:23:11:000 2848 IRP_MJ_CREATE : BA10EBB0
06:23:11:000 2848 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
06:23:11:000 2848 IRP_MJ_CLOSE : BA10EBB0
06:23:11:000 2848 IRP_MJ_READ : BA108D1F
06:23:11:000 2848 IRP_MJ_WRITE : BA108D1F
06:23:11:000 2848 IRP_MJ_QUERY_INFORMATION : 804F4562
06:23:11:000 2848 IRP_MJ_SET_INFORMATION : 804F4562
06:23:11:000 2848 IRP_MJ_QUERY_EA : 804F4562
06:23:11:000 2848 IRP_MJ_SET_EA : 804F4562
06:23:11:000 2848 IRP_MJ_FLUSH_BUFFERS : BA1092E2
06:23:11:015 2848 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
06:23:11:015 2848 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
06:23:11:015 2848 IRP_MJ_DIRECTORY_CONTROL : 804F4562
06:23:11:015 2848 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
06:23:11:015 2848 IRP_MJ_DEVICE_CONTROL : BA1093BB
06:23:11:015 2848 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
06:23:11:015 2848 IRP_MJ_SHUTDOWN : BA1092E2
06:23:11:015 2848 IRP_MJ_LOCK_CONTROL : 804F4562
06:23:11:015 2848 IRP_MJ_CLEANUP : 804F4562
06:23:11:015 2848 IRP_MJ_CREATE_MAILSLOT : 804F4562
06:23:11:015 2848 IRP_MJ_QUERY_SECURITY : 804F4562
06:23:11:015 2848 IRP_MJ_SET_SECURITY : 804F4562
06:23:11:015 2848 IRP_MJ_POWER : BA10AC82
06:23:11:015 2848 IRP_MJ_SYSTEM_CONTROL : BA10F99E
06:23:11:015 2848 IRP_MJ_DEVICE_CHANGE : 804F4562
06:23:11:015 2848 IRP_MJ_QUERY_QUOTA : 804F4562
06:23:11:015 2848 IRP_MJ_SET_QUOTA : 804F4562
06:23:11:062 2848 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
06:23:11:062 2848
06:23:11:062 2848 Driver Name: iaStor
06:23:11:062 2848 IRP_MJ_CREATE : 89CE9EE4
06:23:11:062 2848 IRP_MJ_CREATE_NAMED_PIPE : 89CE9EE4
06:23:11:062 2848 IRP_MJ_CLOSE : 89CE9EE4
06:23:11:062 2848 IRP_MJ_READ : 89CE9EE4
06:23:11:062 2848 IRP_MJ_WRITE : 89CE9EE4
06:23:11:062 2848 IRP_MJ_QUERY_INFORMATION : 89CE9EE4
06:23:11:062 2848 IRP_MJ_SET_INFORMATION : 89CE9EE4
06:23:11:062 2848 IRP_MJ_QUERY_EA : 89CE9EE4
06:23:11:062 2848 IRP_MJ_SET_EA : 89CE9EE4
06:23:11:062 2848 IRP_MJ_FLUSH_BUFFERS : 89CE9EE4
06:23:11:062 2848 IRP_MJ_QUERY_VOLUME_INFORMATION : 89CE9EE4
06:23:11:062 2848 IRP_MJ_SET_VOLUME_INFORMATION : 89CE9EE4
06:23:11:062 2848 IRP_MJ_DIRECTORY_CONTROL : 89CE9EE4
06:23:11:062 2848 IRP_MJ_FILE_SYSTEM_CONTROL : 89CE9EE4
06:23:11:062 2848 IRP_MJ_DEVICE_CONTROL : 89CE9EE4
06:23:11:062 2848 IRP_MJ_INTERNAL_DEVICE_CONTROL : 89CE9EE4
06:23:11:062 2848 IRP_MJ_SHUTDOWN : 89CE9EE4
06:23:11:062 2848 IRP_MJ_LOCK_CONTROL : 89CE9EE4
06:23:11:062 2848 IRP_MJ_CLEANUP : 89CE9EE4
06:23:11:062 2848 IRP_MJ_CREATE_MAILSLOT : 89CE9EE4
06:23:11:062 2848 IRP_MJ_QUERY_SECURITY : 89CE9EE4
06:23:11:062 2848 IRP_MJ_SET_SECURITY : 89CE9EE4
06:23:11:062 2848 IRP_MJ_POWER : 89CE9EE4
06:23:11:062 2848 IRP_MJ_SYSTEM_CONTROL : 89CE9EE4
06:23:11:062 2848 IRP_MJ_DEVICE_CHANGE : 89CE9EE4
06:23:11:062 2848 IRP_MJ_QUERY_QUOTA : 89CE9EE4
06:23:11:062 2848 IRP_MJ_SET_QUOTA : 89CE9EE4
06:23:11:062 2848 Driver "iaStor" infected by TDSS rootkit!
06:23:11:109 2848 C:\WINDOWS\system32\drivers\iaStor.sys - Verdict: 1
06:23:11:109 2848 File "C:\WINDOWS\system32\drivers\iaStor.sys" infected by TDSS rootkit ...
06:23:11:109 2848 Processing driver file: C:\WINDOWS\system32\drivers\iaStor.sys
06:23:11:109 2848 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
06:23:11:234 2848 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3
06:23:12:187 2848 !fdfb7
06:23:12:187 2848 vfvi6
06:23:12:296 2848 !dsvbh1
06:23:13:078 2848 dsvbh2
06:23:13:078 2848 Backup copy2 found, using it..
06:23:13:093 2848 will be cured on next reboot
06:23:13:093 2848 Reboot required for cure complete..
06:23:13:125 2848 Cure on reboot scheduled successfully
06:23:13:125 2848
06:23:13:125 2848 Completed
06:23:13:125 2848
06:23:13:125 2848 Results:
06:23:13:125 2848 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
06:23:13:125 2848 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
06:23:13:125 2848 File objects infected / cured / cured on reboot: 1 / 0 / 1
06:23:13:125 2848
06:23:13:125 2848 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
06:23:13:125 2848 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
06:23:13:125 2848 UnloadDriverW: NtUnloadDriver error 1
06:23:13:140 2848 KLMD(ARK) unloaded successfully

#7 RKinner (Malware Expert, MVP)
Run TDSSKiller again please and post the log.

Ron

#8 Chemwapuwa (Topic Starter)
Ron

Am I doing something wrong with the TDSSKiller, or is repeating it all these times part of fixing things?

#9 Chemwapuwa (Topic Starter)
13:36:12:000 2364 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
13:36:12:000 2364 ================================================================================
13:36:12:000 2364 SystemInfo:

13:36:12:000 2364 OS Version: 5.1.2600 ServicePack: 3.0
13:36:12:000 2364 Product type: Workstation
13:36:12:015 2364 ComputerName: CHEMWAPU-3E99BA
13:36:12:015 2364 UserName: chemwapuwa
13:36:12:015 2364 Windows directory: C:\WINDOWS
13:36:12:015 2364 Processor architecture: Intel x86
13:36:12:015 2364 Number of processors: 2
13:36:12:015 2364 Page size: 0x1000
13:36:12:015 2364 Boot type: Normal boot
13:36:12:015 2364 ================================================================================
13:36:12:031 2364 UnloadDriverW: NtUnloadDriver error 2
13:36:12:031 2364 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
13:36:12:031 2364 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
13:36:12:031 2364 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:36:12:031 2364 wfopen_ex: Trying to KLMD file open
13:36:12:031 2364 wfopen_ex: File opened ok (Flags 2)
13:36:12:031 2364 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
13:36:12:031 2364 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:36:12:031 2364 wfopen_ex: Trying to KLMD file open
13:36:12:031 2364 wfopen_ex: File opened ok (Flags 2)
13:36:12:031 2364 Initialize success
13:36:12:031 2364
13:36:12:046 2364 Scanning Services ...
13:36:12:140 2364 Raw services enum returned 339 services
13:36:12:156 2364
13:36:12:156 2364 Scanning Kernel memory ...
13:36:12:156 2364 Devices to scan: 2
13:36:12:156 2364
13:36:12:156 2364 Driver Name: Disk
13:36:12:156 2364 IRP_MJ_CREATE : BA10EBB0
13:36:12:156 2364 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:36:12:156 2364 IRP_MJ_CLOSE : BA10EBB0
13:36:12:156 2364 IRP_MJ_READ : BA108D1F
13:36:12:156 2364 IRP_MJ_WRITE : BA108D1F
13:36:12:156 2364 IRP_MJ_QUERY_INFORMATION : 804F4562
13:36:12:156 2364 IRP_MJ_SET_INFORMATION : 804F4562
13:36:12:156 2364 IRP_MJ_QUERY_EA : 804F4562
13:36:12:156 2364 IRP_MJ_SET_EA : 804F4562
13:36:12:156 2364 IRP_MJ_FLUSH_BUFFERS : BA1092E2
13:36:12:156 2364 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:36:12:156 2364 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:36:12:156 2364 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:36:12:156 2364 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:36:12:156 2364 IRP_MJ_DEVICE_CONTROL : BA1093BB
13:36:12:156 2364 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28
13:36:12:156 2364 IRP_MJ_SHUTDOWN : BA1092E2
13:36:12:156 2364 IRP_MJ_LOCK_CONTROL : 804F4562
13:36:12:156 2364 IRP_MJ_CLEANUP : 804F4562
13:36:12:156 2364 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:36:12:156 2364 IRP_MJ_QUERY_SECURITY : 804F4562
13:36:12:156 2364 IRP_MJ_SET_SECURITY : 804F4562
13:36:12:156 2364 IRP_MJ_POWER : BA10AC82
13:36:12:156 2364 IRP_MJ_SYSTEM_CONTROL : BA10F99E
13:36:12:156 2364 IRP_MJ_DEVICE_CHANGE : 804F4562
13:36:12:156 2364 IRP_MJ_QUERY_QUOTA : 804F4562
13:36:12:156 2364 IRP_MJ_SET_QUOTA : 804F4562
13:36:12:218 2364 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:36:12:218 2364
13:36:12:218 2364 Driver Name: iaStor
13:36:12:218 2364 IRP_MJ_CREATE : 89D06EE4
13:36:12:218 2364 IRP_MJ_CREATE_NAMED_PIPE : 89D06EE4
13:36:12:218 2364 IRP_MJ_CLOSE : 89D06EE4
13:36:12:218 2364 IRP_MJ_READ : 89D06EE4
13:36:12:218 2364 IRP_MJ_WRITE : 89D06EE4
13:36:12:218 2364 IRP_MJ_QUERY_INFORMATION : 89D06EE4
13:36:12:218 2364 IRP_MJ_SET_INFORMATION : 89D06EE4
13:36:12:218 2364 IRP_MJ_QUERY_EA : 89D06EE4
13:36:12:218 2364 IRP_MJ_SET_EA : 89D06EE4
13:36:12:218 2364 IRP_MJ_FLUSH_BUFFERS : 89D06EE4
13:36:12:218 2364 IRP_MJ_QUERY_VOLUME_INFORMATION : 89D06EE4
13:36:12:218 2364 IRP_MJ_SET_VOLUME_INFORMATION : 89D06EE4
13:36:12:218 2364 IRP_MJ_DIRECTORY_CONTROL : 89D06EE4
13:36:12:218 2364 IRP_MJ_FILE_SYSTEM_CONTROL : 89D06EE4
13:36:12:218 2364 IRP_MJ_DEVICE_CONTROL : 89D06EE4
13:36:12:218 2364 IRP_MJ_INTERNAL_DEVICE_CONTROL : 89D06EE4
13:36:12:218 2364 IRP_MJ_SHUTDOWN : 89D06EE4
13:36:12:218 2364 IRP_MJ_LOCK_CONTROL : 89D06EE4
13:36:12:218 2364 IRP_MJ_CLEANUP : 89D06EE4
13:36:12:218 2364 IRP_MJ_CREATE_MAILSLOT : 89D06EE4
13:36:12:218 2364 IRP_MJ_QUERY_SECURITY : 89D06EE4
13:36:12:218 2364 IRP_MJ_SET_SECURITY : 89D06EE4
13:36:12:218 2364 IRP_MJ_POWER : 89D06EE4
13:36:12:218 2364 IRP_MJ_SYSTEM_CONTROL : 89D06EE4
13:36:12:218 2364 IRP_MJ_DEVICE_CHANGE : 89D06EE4
13:36:12:218 2364 IRP_MJ_QUERY_QUOTA : 89D06EE4
13:36:12:218 2364 IRP_MJ_SET_QUOTA : 89D06EE4
13:36:12:218 2364 Driver "iaStor" infected by TDSS rootkit!
13:36:12:265 2364 C:\WINDOWS\system32\drivers\iaStor.sys - Verdict: 1
13:36:12:265 2364 File "C:\WINDOWS\system32\drivers\iaStor.sys" infected by TDSS rootkit ...
13:36:12:265 2364 Processing driver file: C:\WINDOWS\system32\drivers\iaStor.sys
13:36:12:265 2364 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
13:36:12:390 2364 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3
13:36:13:312 2364 !fdfb7
13:36:13:343 2364 vfvi6
13:36:13:484 2364 !dsvbh1
13:36:14:250 2364 dsvbh2
13:36:14:250 2364 Backup copy2 found, using it..
13:36:14:265 2364 will be cured on next reboot
13:36:14:265 2364 Reboot required for cure complete..
13:36:14:281 2364 Cure on reboot scheduled successfully
13:36:14:281 2364
13:36:14:281 2364 Completed
13:36:14:281 2364
13:36:14:296 2364 Results:
13:36:14:296 2364 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
13:36:14:296 2364 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
13:36:14:296 2364 File objects infected / cured / cured on reboot: 1 / 0 / 1
13:36:14:296 2364
13:36:14:296 2364 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
13:36:14:296 2364 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
13:36:14:296 2364 UnloadDriverW: NtUnloadDriver error 1
13:36:14:296 2364 KLMD(ARK) unloaded successfully

#10 RKinner (Malware Expert, MVP)
I think this is a newer version that TDSSKiller can't really kill but it can tell us if it is still there.

Ron
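
What the two TDSSKiller logs above actually show, and why Ron can read "still there" off them: the Disk driver's dispatch table mixes its own handlers (the BA10xxxx addresses) with one address, 804F4562, that it reuses for every IRP major it does not implement; on a 32-bit XP build that shared address sits inside the kernel image (the kernel's invalid-request stub, my identification, the log does not name it). The iaStor table, by contrast, has the same address, 89CE9EE4 in the first run and 89D06EE4 in the second, in all 28 slots, and that address is nowhere near any loaded driver image. That is the hook TDSSKiller reports as "infected by TDSS rootkit". The Python below is an added example written for this page, not code from the thread, from Kaspersky or from TDSSKiller: it parses the "Driver Name:" / "IRP_MJ_*" blocks out of a log and flags tables that are uniform or that point outside the driver's own image. The log excerpt is constructed in the same format as the posted one (cut to six majors per driver), and the image ranges are assumed values, since TDSSKiller does not print them.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format TDSSKiller 2.2.x prints (time, PID, text),
# cut down to six IRP_MJ slots per driver; the real table has 28. The
# addresses follow the posted log: Disk mixes its own BA10xxxx handlers with
# 804F4562, iaStor has one address in every slot.
SAMPLE_LOG = """\
13:36:12:156 2364 Driver Name: Disk
13:36:12:156 2364 IRP_MJ_CREATE : BA10EBB0
13:36:12:156 2364 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:36:12:156 2364 IRP_MJ_READ : BA108D1F
13:36:12:156 2364 IRP_MJ_WRITE : BA108D1F
13:36:12:156 2364 IRP_MJ_QUERY_EA : 804F4562
13:36:12:156 2364 IRP_MJ_DEVICE_CONTROL : BA1093BB
13:36:12:218 2364 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
13:36:12:218 2364
13:36:12:218 2364 Driver Name: iaStor
13:36:12:218 2364 IRP_MJ_CREATE : 89D06EE4
13:36:12:218 2364 IRP_MJ_CREATE_NAMED_PIPE : 89D06EE4
13:36:12:218 2364 IRP_MJ_READ : 89D06EE4
13:36:12:218 2364 IRP_MJ_WRITE : 89D06EE4
13:36:12:218 2364 IRP_MJ_QUERY_EA : 89D06EE4
13:36:12:218 2364 IRP_MJ_DEVICE_CONTROL : 89D06EE4
13:36:12:265 2364 C:\\WINDOWS\\system32\\drivers\\iaStor.sys - Verdict: 1
"""

# Assumed loaded-image ranges. TDSSKiller does not print them; on a live
# machine take them from a kernel debugger's module list. These values are
# made up for the example, arranged so that 804F4562 falls inside the kernel
# image and the BA10xxxx handlers inside disk.sys.
ASSUMED_IMAGE_RANGES = {
    "ntoskrnl": (0x804D7000, 0x806E0000),
    "Disk": (0xBA105000, 0xBA112000),
    "iaStor": (0xBA200000, 0xBA240000),
}

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*(.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s*(\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")


def parse_dispatch_tables(log_text):
    """Return {driver: {IRP_MJ_xxx: handler_address}} from TDSSKiller output."""
    tables = {}
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(1).strip()
        d = DRIVER_RE.match(msg)
        if d:
            current = d.group(1)
            tables[current] = {}
            continue
        i = IRP_RE.match(msg)
        if i and current is not None:
            tables[current][i.group(1)] = int(i.group(2), 16)
    return tables


def find_hooked_tables(tables, image_ranges=None):
    """Return {driver: [reasons]} for dispatch tables that look hooked.

    Check 1: every IRP_MJ slot holds the same address. A legitimate driver
    mixes its own handlers with the kernel stub for majors it does not serve.
    Check 2 (only when image ranges are supplied): a handler lies outside both
    the driver's own image and the kernel. This also tells a hooked table
    apart from a pass-through filter driver, which legitimately routes every
    major to a single routine of its own.
    """
    findings = defaultdict(list)
    for name, table in tables.items():
        addrs = sorted(set(table.values()))
        if len(table) > 1 and len(addrs) == 1:
            findings[name].append(
                "all %d IRP_MJ slots point to %08X" % (len(table), addrs[0]))
        if image_ranges and name in image_ranges:
            allowed = [image_ranges[name]]
            if "ntoskrnl" in image_ranges:
                allowed.append(image_ranges["ntoskrnl"])
            for a in addrs:
                if not any(lo <= a < hi for lo, hi in allowed):
                    findings[name].append(
                        "handler %08X is outside the %s image and the kernel" % (a, name))
    return dict(findings)


if __name__ == "__main__":
    parsed = parse_dispatch_tables(SAMPLE_LOG)
    for driver, reasons in find_hooked_tables(parsed, ASSUMED_IMAGE_RANGES).items():
        print("%s: %s" % (driver, "; ".join(reasons)))
```

Run against the full posted log instead of the excerpt and only iaStor is reported, for the same two reasons. The uniformity check alone is enough to reproduce TDSSKiller's verdict here; the image-range check is what you would add before trusting the verdict on a machine with filter drivers.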

#11 RKinner (Malware Expert, MVP)
TDSSKiller is still complaining about C:\WINDOWS\system32\drivers\iaStor.sys being infected. It thinks it can cure it on a reboot but apparently it can't.

Let's see if we can find a clean iaStor.sys file to help it out.

Copy the next three lines:

/md5start
iaStor.sys
/md5stop

# Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
# Under the Custom Scan box paste in the above and then hit Quick Scan.

Once you get a log please copy and paste it into a reply.

I will not be online for about 4 hours. Have to do my WSU BeachWatcher thing on Indian Island.
http://www.beachwatc...su.edu/sanjuan/

Ron
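
The /md5start ... /md5stop directive asks OTL to list every iaStor.sys on the disk with its MD5, which is the whole trick Ron is relying on: an infected driver is usually overwritten in place, so the in-use copy keeps its size and name but no longer hashes like the copies left behind by the installer, driver rollback or a recovery folder. The Python below is an added example, not OTL's code and not from the thread: it performs the same walk-and-hash over a directory tree, groups the copies by digest, and picks the copies worth restoring. The directory layout, file contents and therefore all digests are constructed inside a temp directory; the real iaStor.sys hashes are not on this page and are not asserted here.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for the driver bytes. Both are the same length on
# purpose: an overwritten driver usually keeps its size, so size and
# timestamp are not the test, the digest is.
CLEAN_BYTES = (b"MZ" + b"clean iaStor body").ljust(4096, b"\x00")
HOOKED_BYTES = (b"MZ" + b"patched iaStor body").ljust(4096, b"\x00")


def build_sample_tree(base):
    """Write a made-up layout of places a driver copy can sit on an XP box:
    the in-use driver plus rollback, installer and OEM-recovery copies.
    Returns the path of the in-use copy."""
    layout = {
        "WINDOWS/system32/drivers/iaStor.sys": HOOKED_BYTES,
        "WINDOWS/system32/ReinstallBackups/0001/DriverFiles/iaStor.sys": CLEAN_BYTES,
        "Program Files/Intel/Intel Matrix Storage Manager/Driver/iaStor.sys": CLEAN_BYTES,
        "Drivers/Storage/iaStor.sys": CLEAN_BYTES,
    }
    for rel, data in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return os.path.join(base, "WINDOWS", "system32", "drivers", "iaStor.sys")


def hash_copies(root, filename):
    """Walk root and digest every file named filename (case-insensitive).
    Returns [(path, size, md5_hex, sha256_hex)]: MD5 is what OTL prints,
    SHA-256 is carried alongside for a stronger comparison later."""
    want = filename.lower()
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != want:
                continue
            path = os.path.join(dirpath, name)
            md5, sha = hashlib.md5(), hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    md5.update(chunk)
                    sha.update(chunk)
            records.append((path, os.path.getsize(path), md5.hexdigest(), sha.hexdigest()))
    return sorted(records)


def pick_clean_candidates(records, in_use_path, known_good_md5=None):
    """Return the copies worth restoring over in_use_path.

    With a trusted digest (vendor package, a known-clean machine): only copies
    matching it. Without one: every copy whose digest differs from the in-use
    driver and agrees with at least one other copy, so a lone oddball (an
    older build, or a second patched copy) is not promoted to "clean".
    Agreement between copies is evidence, not proof; verify the chosen file
    against a trusted source before putting it back.
    """
    by_md5 = {}
    for rec in records:
        by_md5.setdefault(rec[2], []).append(rec)
    in_use = next((r for r in records
                   if os.path.normcase(r[0]) == os.path.normcase(in_use_path)), None)
    if in_use is None:
        raise ValueError("in-use driver not found under the scanned root")
    if known_good_md5:
        return [r[0] for r in by_md5.get(known_good_md5.lower(), [])]
    candidates = []
    for digest, recs in by_md5.items():
        if digest != in_use[2] and len(recs) >= 2:
            candidates.extend(r[0] for r in recs)
    return candidates


def run_demo():
    """Build the constructed tree in a fresh temp dir; return (base, in_use,
    records, candidates)."""
    base = tempfile.mkdtemp(prefix="iastor_demo_")
    in_use = build_sample_tree(base)
    recs = hash_copies(base, "iaStor.sys")
    return base, in_use, recs, pick_clean_candidates(recs, in_use)


if __name__ == "__main__":
    base, in_use, recs, cands = run_demo()
    for path, size, md5, _sha in recs:
        print("%6d  %s  %s" % (size, md5, os.path.relpath(path, base)))
    print("restore candidates:", [os.path.relpath(p, base) for p in cands])
```

On the real machine the root would be C:\ and the three outside copies would be whatever OTL's listing turns up; every copy reports the same size, and only the digest separates the in-use driver from the rest.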

#12 Chemwapuwa (Topic Starter)
OTL logfile created on: 5/16/2010 2:00:57 PM - Run 2
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\chemwapuwa\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 80.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.09 Gb Total Space | 267.76 Gb Free Space | 89.83% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CHEMWAPU-3E99BA
Current User Name: chemwapuwa
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/15 22:48:17 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\chemwapuwa\Desktop\OTL.exe
PRC - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/02/18 13:23:54 | 000,265,728 | ---- | M] (Livescribe) -- C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
PRC - [2010/02/11 15:36:12 | 000,300,400 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe
PRC - [2009/09/28 10:42:50 | 000,109,056 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/11/01 16:00:50 | 000,794,624 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2007/11/01 15:40:04 | 001,183,744 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2007/11/01 15:35:40 | 000,483,328 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2007/09/28 13:24:36 | 000,156,976 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Maxtor\Sync\SyncServices.exe
PRC - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\CAL\CALMAIN.exe


========== Modules (SafeList) ==========

MOD - [2010/05/15 22:48:17 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\chemwapuwa\Desktop\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (RoxLiveShare9)
SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/02/18 13:23:54 | 000,265,728 | ---- | M] (Livescribe) [Auto | Running] -- C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe -- (PenCommService)
SRV - [2010/02/11 15:36:12 | 000,300,400 | ---- | M] (Eastman Kodak Company) [Auto | Running] -- C:\Program Files\Kodak\AiO\Center\ekdiscovery.exe -- (Kodak AiO Network Discovery Service)
SRV - [2009/11/13 16:13:04 | 000,238,328 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2009/09/28 10:42:50 | 000,109,056 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2007/11/01 16:00:50 | 000,794,624 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2007/11/01 15:40:04 | 001,183,744 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2007/11/01 15:35:40 | 000,483,328 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2007/09/28 13:24:36 | 000,156,976 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Maxtor\Sync\SyncServices.exe -- (Maxtor Sync Service)
SRV - [2007/01/31 14:55:42 | 000,096,370 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2005/03/14 13:05:02 | 000,069,632 | ---- | M] (HP) [On_Demand | Stopped] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


========== Driver Services (SafeList) ==========

DRV - [2010/05/16 13:36:55 | 000,250,368 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\iaStor.sys -- (iaStor)
DRV - [2009/11/17 14:46:28 | 000,020,096 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PulseUsb.sys -- (PulseUsb)
DRV - [2009/07/13 16:51:12 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
DRV - [2008/04/13 12:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 12:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/02/15 15:12:06 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2007/12/06 11:51:00 | 000,285,952 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2007/10/31 12:23:20 | 002,236,544 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel®
DRV - [2007/08/27 13:10:36 | 000,012,288 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2007/05/03 14:37:08 | 000,022,152 | ---- | M] (Maxtor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mxopswd.sys -- (MXOPSWD)
DRV - [2006/09/27 20:26:00 | 000,893,952 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial)
DRV - [2006/08/22 14:39:14 | 001,177,864 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/WiHome
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/04/29 18:56:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.4\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins
FF - HKLM\software\mozilla\SeaMonkey 2.0.4\extensions\\Components: C:\Program Files\SeaMonkey\components [2010/04/29 19:00:33 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\SeaMonkey 2.0.4\extensions\\Plugins: C:\Program Files\SeaMonkey\plugins [2010/04/29 18:59:05 | 000,000,000 | ---D | M]

[2010/05/10 20:59:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chemwapuwa\Application Data\Mozilla\Extensions
[2010/04/29 19:00:33 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\chemwapuwa\Application Data\Mozilla\Extensions\{92650c4d-4b8e-4d2a-b7eb-24ecf4f6b63a}
[2010/04/29 19:00:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chemwapuwa\Application Data\Mozilla\SeaMonkey\Profiles\fb2a3ruj.default\extensions

O1 HOSTS File: ([2006/02/28 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} http://intel-drv-cdn...reqlab_srlx.cab (System Requirements Lab Class)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.aka...vex-2.2.5.0.cab (DLM Control)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitd...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1253146200484 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1255835661312 (MUWebControl Class)
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} https://h20436.www2....re/HPDEXAXO.cab (HP Download Manager)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (OnlineScanner Control)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebo...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} http://support.gatew...rvest/gwCID.CAB (compid Class)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DAF7E6E6-D53A-439A-B28D-12271406B8A9} http://mobileapps.bl...re/AxLoader.cab (RIM AxLoader)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Web-Based Email Tools http://email01.secur...et/Download.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 65.175.128.46 65.175.128.47
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/19 20:08:14 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/05/16 13:49:38 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/16 04:33:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\Yahoo!
[2010/05/16 04:24:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Desktop\RootRepeal
[2010/05/16 02:55:35 | 000,000,000 | ---D | C] -- C:\WINDOWS\BDOSCAN8
[2010/05/16 00:01:48 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/05/15 22:58:47 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/15 22:58:46 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/15 22:58:46 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/15 22:51:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Desktop\tdsskiller
[2010/05/15 22:48:13 | 000,570,880 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\chemwapuwa\Desktop\OTL.exe
[2010/05/15 19:47:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2010/05/15 02:00:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/05/15 02:00:18 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/05/11 15:34:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/05/11 14:54:38 | 002,131,808 | ---- | C] (AVG Technologies) -- C:\Documents and Settings\chemwapuwa\Desktop\avg_free_stb_all_9_114_cnet.exe
[2010/05/10 23:08:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2010/05/10 21:27:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\Threat Expert
[2010/05/10 21:18:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/05/10 20:37:32 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/05/10 20:32:45 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/05/10 20:32:45 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/05/10 20:32:45 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/05/10 20:32:45 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/05/10 20:32:30 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/10 20:32:06 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/10 20:19:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Application Data\Malwarebytes
[2010/05/10 20:19:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/10 19:57:41 | 006,153,384 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\chemwapuwa\Desktop\mbam-setup.exe
[2010/05/09 16:08:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/05/09 16:08:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/05/05 20:19:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\My Documents\Downloads
[2010/04/29 19:00:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\Mozilla
[2010/04/29 19:00:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Application Data\Mozilla
[2010/04/29 18:59:04 | 000,000,000 | ---D | C] -- C:\Program Files\SeaMonkey
[2010/04/29 18:56:47 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Thunderbird
[2010/04/29 17:57:54 | 000,000,000 | ---D | C] -- C:\i3dthemes
[2010/04/29 17:48:44 | 000,000,000 | ---D | C] -- C:\Program Files\Starfield
[2010/04/29 17:27:15 | 000,000,000 | ---D | C] -- C:\Program Files\LTMOD
[2010/04/29 17:25:35 | 000,000,000 | ---D | C] -- C:\FrontPage Tools
[2010/04/29 17:25:20 | 000,720,896 | ---- | C] (Indigo Rose Corporation) -- C:\WINDOWS\iun6002.exe
[2010/04/29 17:25:17 | 000,000,000 | ---D | C] -- C:\Program Files\NetPlugin Tags
[2010/04/29 17:24:32 | 000,313,856 | ---- | C] (Softuarium) -- C:\WINDOWS\System32\xwebpic.ocx
[2010/04/29 17:24:32 | 000,073,728 | ---- | C] (DPA Software) -- C:\WINDOWS\System32\DPARTL.dll
[2010/04/29 17:24:32 | 000,049,152 | ---- | C] (DPA Software) -- C:\WINDOWS\System32\DPAMenu.dll
[2010/04/29 17:24:32 | 000,000,000 | ---D | C] -- C:\Program Files\DPA Software
[2010/04/29 17:05:57 | 000,000,000 | ---D | C] -- C:\FPTemplates
[2010/04/29 17:04:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Desktop\websuits
[2010/04/29 16:58:47 | 000,000,000 | --SD | C] -- C:\Documents and Settings\chemwapuwa\My Documents\My Webs
[2010/04/26 14:21:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Desktop\comp
[2010/04/24 18:47:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\ZoomBrowser
[2010/04/24 18:46:18 | 000,000,000 | ---D | C] -- C:\Program Files\Canon
[2010/04/23 11:05:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Desktop\shendee
[2010/04/21 23:49:24 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/04/21 23:49:20 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/04/21 23:49:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/04/21 23:47:14 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/04/21 23:45:21 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/04/18 20:59:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\HuluDesktop
[2010/04/18 20:59:42 | 000,888,928 | ---- | C] (Hulu) -- C:\Documents and Settings\chemwapuwa\Desktop\HuluDesktopSetup.exe
[2010/04/17 11:08:09 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\kodak
[2010/04/17 11:06:20 | 000,000,000 | ---D | C] -- C:\Program Files\MSXML 6.0
[2010/04/17 10:17:20 | 000,000,000 | ---D | C] -- C:\Program Files\MSECache
[2010/03/28 21:54:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Application Data\Google
[2010/03/28 21:32:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\Temp
[2010/03/28 21:32:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/03/28 21:28:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Application Data\skypePM
[2010/03/28 21:27:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2010/03/28 21:27:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\Google
[2010/03/28 21:27:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Application Data\Skype
[2010/03/28 21:27:14 | 000,000,000 | ---D | C] -- C:\Program Files\Google
[2010/03/28 21:26:52 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2010/03/28 21:26:50 | 000,000,000 | R--D | C] -- C:\Program Files\Skype
[2010/03/28 21:26:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Skype
[2010/03/28 21:22:04 | 000,000,000 | ---D | C] -- C:\Program Files\Code Laboratories
[2010/03/25 21:23:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Application Data\Alawar
[2010/03/25 21:21:55 | 000,000,000 | ---D | C] -- C:\Program Files\WildGames
[2010/03/25 21:15:33 | 034,512,784 | ---- | C] (WildTangent) -- C:\Documents and Settings\chemwapuwa\My Documents\hyperballoidthenextchallenge-setup.exe
[2010/03/25 18:24:00 | 000,000,000 | ---D | C] -- C:\Program Files\Livescribe
[2010/03/22 13:34:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\Help
[2010/03/22 13:34:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Application Data\Help
[2010/03/22 13:28:51 | 000,317,952 | ---- | C] (Blue Sky Software Corporation.) -- C:\WINDOWS\Roboex32.dll
[2010/03/22 13:26:42 | 000,000,000 | ---D | C] -- C:\Program Files\ALK Technologies
[2010/03/22 10:43:42 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\chemwapuwa\Desktop\TDSSKiller.exe
[2010/03/16 19:08:42 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Streets & Trips
[2010/03/16 19:08:42 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Location Finder
[2010/03/16 17:06:34 | 014,506,016 | ---- | C] (WildTangent) -- C:\Documents and Settings\chemwapuwa\My Documents\strikeball2-setup.exe
[2010/02/27 13:08:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Application Data\Canon
[2010/02/27 13:07:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\CANON_INC
[2010/02/21 15:22:35 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Canon
[2010/02/20 00:45:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/05/16 13:59:55 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/16 13:59:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/16 13:59:02 | 004,194,304 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\ntuser.dat
[2010/05/16 13:59:02 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\chemwapuwa\ntuser.ini
[2010/05/16 13:58:55 | 000,000,638 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/16 13:58:55 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/05/16 13:58:55 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/16 13:55:12 | 000,027,957 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\AIG Stubs 122709 - 021310.zip
[2010/05/16 13:31:17 | 000,000,432 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{6D05B59C-29A6-4B50-929C-E9CB78A9A916}.job
[2010/05/16 04:27:31 | 000,000,015 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\settings.dat
[2010/05/16 04:24:46 | 000,472,064 | ---- | M] ( ) -- C:\Documents and Settings\chemwapuwa\Desktop\RootRepeal.exe
[2010/05/16 04:11:33 | 000,021,949 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\bitdefender.html
[2010/05/15 22:58:50 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/15 22:56:25 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/15 22:51:50 | 000,178,000 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\chemwapuwa\Desktop\TDSSKiller.exe
[2010/05/15 22:48:17 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\chemwapuwa\Desktop\OTL.exe
[2010/05/15 22:47:44 | 006,153,384 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\chemwapuwa\Desktop\mbam-setup.exe
[2010/05/15 22:44:18 | 000,464,491 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\RootRepeal.zip
[2010/05/15 22:43:19 | 003,689,423 | R--- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\george.exe
[2010/05/15 22:29:27 | 000,154,469 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\tdsskiller.zip
[2010/05/15 02:12:38 | 000,000,173 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/11 14:54:50 | 002,131,808 | ---- | M] (AVG Technologies) -- C:\Documents and Settings\chemwapuwa\Desktop\avg_free_stb_all_9_114_cnet.exe
[2010/05/09 16:12:57 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/05/08 16:13:10 | 000,264,478 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\bingo may2010.pdf
[2010/05/05 21:50:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/29 19:03:58 | 000,000,000 | ---- | M] () -- C:\WINDOWS\nsreg.dat
[2010/04/29 18:59:07 | 000,001,564 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SeaMonkey.lnk
[2010/04/29 18:56:49 | 000,001,668 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Thunderbird.lnk
[2010/04/29 17:25:08 | 000,720,896 | ---- | M] (Indigo Rose Corporation) -- C:\WINDOWS\iun6002.exe
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/28 13:27:00 | 000,000,440 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\001_02.jpg
[2010/04/28 13:27:00 | 000,000,350 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\bullet_03.jpg
[2010/04/27 16:29:08 | 000,205,824 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mb
[2010/04/26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/04/24 18:47:18 | 000,000,923 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ZoomBrowser EX.lnk
[2010/04/24 18:47:01 | 000,000,762 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Picture Style Editor.lnk
[2010/04/24 18:46:37 | 000,000,732 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\EOS Utility.lnk
[2010/04/24 18:46:19 | 000,000,797 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Digital Photo Professional.lnk
[2010/04/23 19:57:12 | 000,346,112 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mbb
[2010/04/23 12:59:20 | 000,057,312 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/04/21 23:49:45 | 000,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/04/21 23:47:23 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/04/18 20:59:54 | 000,002,014 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\Hulu Desktop.lnk
[2010/04/18 20:59:47 | 000,888,928 | ---- | M] (Hulu) -- C:\Documents and Settings\chemwapuwa\Desktop\HuluDesktopSetup.exe
[2010/04/17 11:11:53 | 000,275,760 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/17 11:10:00 | 000,000,775 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\KODAK AiO Home Center.lnk
[2010/04/17 11:03:53 | 000,072,480 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/16 20:15:20 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/16 12:59:51 | 000,048,253 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\jobsearch0301-0312.pdf
[2010/04/12 15:07:55 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\tax audit.doc
[2010/03/28 21:28:26 | 000,000,056 | -H-- | M] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/03/28 21:26:52 | 000,001,878 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/03/28 21:23:10 | 000,000,899 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\CL-Eye Test.lnk
[2010/03/28 21:23:08 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_WinUSB_01009.Wdf
[2010/03/28 21:23:01 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2010/03/28 21:22:06 | 000,074,752 | ---- | M] () -- C:\WINDOWS\System32\CLEyeDevices.dll
[2010/03/28 16:18:18 | 004,292,024 | -H-- | M] () -- C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\IconCache.db
[2010/03/25 21:22:31 | 000,001,791 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Play Strike Ball 2.lnk
[2010/03/25 21:18:52 | 034,512,784 | ---- | M] (WildTangent) -- C:\Documents and Settings\chemwapuwa\My Documents\hyperballoidthenextchallenge-setup.exe
[2010/03/25 21:04:27 | 014,506,016 | ---- | M] (WildTangent) -- C:\Documents and Settings\chemwapuwa\My Documents\strikeball2-setup.exe
[2010/03/25 18:24:03 | 000,000,927 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Livescribe Desktop.lnk
[2010/03/23 12:36:23 | 000,013,824 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\trip locas.xls
[2010/03/22 13:28:54 | 000,001,775 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PCMILER 20 Guided Tour.lnk
[2010/03/22 13:28:54 | 000,001,768 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PCMILER 20 User's Guide.lnk
[2010/03/22 13:28:54 | 000,000,899 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PCMILER 20.lnk
[2010/03/22 13:00:32 | 000,510,584 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/22 13:00:32 | 000,435,828 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/22 13:00:32 | 000,068,558 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/20 10:11:21 | 001,886,106 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\bingo_calendar_march_2010.pdf
[2010/03/16 20:14:32 | 000,016,384 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\pt chrt.xls
[2010/03/16 19:08:20 | 000,030,720 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\2007 tax audit.xls
[2010/03/16 16:42:35 | 000,372,785 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\Hard_Mazes_Set_6.pdf
[2010/03/16 16:41:42 | 000,048,894 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\Easy_Mazes_Set_4.pdf
[2010/03/16 16:41:05 | 000,048,809 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\Easy_Mazes_Set_3.pdf
[2010/03/16 16:08:24 | 000,644,395 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\Difficult_Mazes_Set_1.pdf
[2010/03/16 11:37:00 | 001,217,552 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\p1542--2008.pdf
[2010/03/16 11:35:47 | 001,152,673 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\p1542--2007.pdf
[2010/03/15 20:07:57 | 010,232,486 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\round maze.bmp
[2010/03/15 19:23:14 | 000,004,859 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\maze50.png
[2010/03/15 19:21:40 | 000,039,888 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\maze1.jpg
[2010/03/15 14:16:07 | 000,058,222 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\Snapshot 2010-03-14 23-30-28.tiff
[2010/03/15 01:46:10 | 000,064,876 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\attachments_2010_03_15.zip
[2010/03/14 22:46:00 | 001,367,262 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\Snapshot 2010-03-14 23-30-28dx.tiff
[2010/03/10 11:51:02 | 000,039,424 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\Tina L.doc
[2010/03/05 18:06:29 | 000,081,511 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\AIG Stubs 122709 - 021310.pdf
[2010/03/04 11:51:46 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\To whom it may concern.doc
[2010/03/02 11:56:41 | 000,109,058 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\TaxReturnfrank.pdf
[2010/02/28 20:47:09 | 000,078,336 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\Desktop\hand and foot.doc
[2010/02/21 19:16:06 | 006,758,756 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\bessanlisa income info.tif
[2010/02/21 19:15:51 | 001,323,393 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\bessanlisa income info.pdf
[2010/02/20 02:38:40 | 003,274,140 | ---- | M] () -- C:\Documents and Settings\chemwapuwa\My Documents\sead ggoyrds.pdf
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/16 04:25:13 | 000,000,015 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\settings.dat
[2010/05/16 04:20:24 | 000,021,949 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\bitdefender.html
[2010/05/15 22:58:50 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/15 22:44:16 | 000,464,491 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\RootRepeal.zip
[2010/05/15 22:43:08 | 003,689,423 | R--- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\george.exe
[2010/05/15 22:29:24 | 000,154,469 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\tdsskiller.zip
[2010/05/15 02:12:38 | 000,000,173 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/10 20:37:36 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/05/10 20:37:32 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/05/10 20:32:45 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/05/10 20:32:45 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/05/10 20:32:45 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/05/10 20:32:45 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/05/10 20:32:45 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/05/08 16:13:10 | 000,264,478 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\bingo may2010.pdf
[2010/05/05 18:17:26 | 004,194,304 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\ntuser.dat
[2010/04/29 19:03:58 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2010/04/29 18:59:07 | 000,001,564 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SeaMonkey.lnk
[2010/04/29 18:56:49 | 000,001,668 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Thunderbird.lnk
[2010/04/28 13:28:33 | 000,000,350 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\bullet_03.jpg
[2010/04/28 13:28:27 | 000,000,440 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\001_02.jpg
[2010/04/24 18:47:18 | 000,000,923 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\ZoomBrowser EX.lnk
[2010/04/24 18:47:01 | 000,000,762 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Picture Style Editor.lnk
[2010/04/24 18:46:37 | 000,000,732 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\EOS Utility.lnk
[2010/04/24 18:46:19 | 000,000,797 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Digital Photo Professional.lnk
[2010/04/23 12:59:20 | 000,057,312 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/04/21 23:49:45 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/04/21 23:47:23 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2010/04/18 20:59:54 | 000,002,014 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\Hulu Desktop.lnk
[2010/04/17 11:10:00 | 000,000,775 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\KODAK AiO Home Center.lnk
[2010/04/16 12:59:48 | 000,048,253 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\jobsearch0301-0312.pdf
[2010/04/08 15:59:40 | 000,026,112 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\tax audit.doc
[2010/03/28 21:28:26 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010/03/28 21:26:52 | 000,001,878 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/03/28 21:23:10 | 000,000,899 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\CL-Eye Test.lnk
[2010/03/28 21:23:08 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_WinUSB_01009.Wdf
[2010/03/28 21:23:01 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2010/03/28 21:22:04 | 000,074,752 | ---- | C] () -- C:\WINDOWS\System32\CLEyeDevices.dll
[2010/03/25 21:22:31 | 000,001,791 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Play Strike Ball 2.lnk
[2010/03/25 18:24:03 | 000,000,927 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Livescribe Desktop.lnk
[2010/03/23 12:36:23 | 000,013,824 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\trip locas.xls
[2010/03/22 13:28:54 | 000,001,775 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PCMILER 20 Guided Tour.lnk
[2010/03/22 13:28:54 | 000,001,768 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PCMILER 20 User's Guide.lnk
[2010/03/22 13:28:54 | 000,000,899 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PCMILER 20.lnk
[2010/03/20 10:11:21 | 001,886,106 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\bingo_calendar_march_2010.pdf
[2010/03/16 19:32:05 | 000,016,384 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\pt chrt.xls
[2010/03/16 16:42:32 | 000,372,785 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\Hard_Mazes_Set_6.pdf
[2010/03/16 16:41:41 | 000,048,894 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\Easy_Mazes_Set_4.pdf
[2010/03/16 16:41:05 | 000,048,809 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\Easy_Mazes_Set_3.pdf
[2010/03/16 16:08:19 | 000,644,395 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\Difficult_Mazes_Set_1.pdf
[2010/03/16 11:37:12 | 000,030,720 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\2007 tax audit.xls
[2010/03/16 11:37:00 | 001,217,552 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\p1542--2008.pdf
[2010/03/16 11:35:47 | 001,152,673 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\p1542--2007.pdf
[2010/03/15 20:07:57 | 010,232,486 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\round maze.bmp
[2010/03/15 19:23:54 | 000,004,859 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\maze50.png
[2010/03/15 19:22:25 | 000,039,888 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\maze1.jpg
[2010/03/15 01:46:31 | 001,367,262 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\Snapshot 2010-03-14 23-30-28dx.tiff
[2010/03/15 01:46:31 | 000,058,222 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\Snapshot 2010-03-14 23-30-28.tiff
[2010/03/15 01:46:10 | 000,064,876 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\attachments_2010_03_15.zip
[2010/03/10 11:51:01 | 000,039,424 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\Tina L.doc
[2010/03/05 18:07:35 | 000,027,957 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\AIG Stubs 122709 - 021310.zip
[2010/03/05 18:06:29 | 000,081,511 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Desktop\AIG Stubs 122709 - 021310.pdf
[2010/03/05 17:56:08 | 000,052,068 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\Local Settings\Application Data\c4u.log
[2010/03/04 11:51:46 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\To whom it may concern.doc
[2010/03/02 11:56:41 | 000,109,058 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\TaxReturnfrank.pdf
[2010/02/21 19:16:05 | 006,758,756 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\bessanlisa income info.tif
[2010/02/21 19:15:51 | 001,323,393 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\bessanlisa income info.pdf
[2010/02/20 02:38:40 | 003,274,140 | ---- | C] () -- C:\Documents and Settings\chemwapuwa\My Documents\sead ggoyrds.pdf
[2009/12/16 20:18:10 | 000,225,280 | ---- | C] () -- C:\WINDOWS\System32\net_rim_plazmic_flint_dialog.dll
[2009/11/24 23:51:41 | 000,343,040 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2009/11/24 23:51:41 | 000,116,736 | ---- | C] () -- C:\WINDOWS\System32\lfkodak.dll
[2009/11/16 20:56:28 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2009/10/19 19:58:53 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2009/10/18 13:12:23 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/01/05 15:44:10 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2006/05/10 09:58:56 | 000,147,456 | ---- | C] () -- C:\WINDOWS\pcmgrfx.dll
[2006/05/09 10:36:24 | 000,151,552 | ---- | C] () -- C:\WINDOWS\pmwssrv.dll
[2006/05/09 10:36:24 | 000,151,552 | ---- | C] () -- C:\WINDOWS\pcmsrv32.dll
[2003/03/09 22:31:04 | 000,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
[2003/01/07 17:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/07/06 17:30:00 | 000,003,399 | ---- | C] () -- C:\WINDOWS\System32\hptcpmon.ini

========== LOP Check ==========

[2009/12/09 12:45:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Eastman Kodak Company
[2009/12/09 13:49:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\kds_kodak
[2009/12/09 11:22:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Livescribe, Inc
[2009/11/16 18:15:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Maxtor
[2009/10/15 19:27:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2010/05/10 22:04:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/11/24 22:27:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2010/04/21 23:49:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/11/23 22:18:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2010/03/25 21:23:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chemwapuwa\Application Data\Alawar
[2010/02/27 13:08:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chemwapuwa\Application Data\Canon
[2010/03/25 18:11:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chemwapuwa\Application Data\Downloaded Installations
[2009/11/18 03:29:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chemwapuwa\Application Data\Image Zone Express
[2009/12/16 20:18:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chemwapuwa\Application Data\Research In Motion
[2009/11/15 15:56:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chemwapuwa\Application Data\Skinux
[2010/04/28 12:10:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chemwapuwa\Application Data\Temp
[2009/11/24 22:25:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\chemwapuwa\Application Data\WildTangent
[2010/05/16 13:31:17 | 000,000,432 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{6D05B59C-29A6-4B50-929C-E9CB78A9A916}.job

========== Purity Check ==========



========== Custom Scans ==========



< MD5 for: IASTOR.SYS >
[2009/03/09 01:04:07 | 000,495,896 | ---- | M] (Intel Corporation) MD5=C212BE4F068A02E54EB0CF6F5B23569B -- C:\WINDOWS\NLDRV\001\iastor.sys
[2009/03/09 01:04:25 | 000,250,368 | ---- | M] (Intel Corporation) MD5=E9F704CA833BD24BFAA3B4A59707633A -- C:\WINDOWS\NLDRV\002\iastor.sys
[2010/05/16 13:36:55 | 000,250,368 | ---- | M] (Intel Corporation) MD5=E9F704CA833BD24BFAA3B4A59707633A -- C:\WINDOWS\system32\drivers\iaStor.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >

#13 RKinner (Malware Expert, MVP, 23,320 posts)
Copy the text between the lines of stars by highlighting and Ctrl + c
***************************************************************************************************

:Files
C:\WINDOWS\system32\drivers\iaStor.sys|C:\WINDOWS\NLDRV\002\iastor.sys /replace


:commands
[Reboot]

*******************************************************************

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done.

Let's run GMER per step 4 of http://www.geekstogo...uide-t2852.html

Please post the log.

Ron

#14 Chemwapuwa (Topic Starter, Member, 21 posts)
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-16 18:02:36
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\CHEMWA~1\LOCALS~1\Temp\axwcrkod.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\ACPIEC.sys entry point in ".rsrc" section [0xBA4C6194]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\System32\svchost.exe[1004] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0237000A
.text C:\WINDOWS\System32\svchost.exe[1004] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0236000A
.text C:\WINDOWS\Explorer.EXE[2332] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[2332] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[2332] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\system32\wuauclt.exe[2916] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\system32\wuauclt.exe[2916] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C2000A
.text C:\WINDOWS\system32\wuauclt.exe[2916] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C0000C

---- Devices - GMER 1.0.15 ----

Device -> \Driver\iaStor \Device\Harddisk0\DR0 89D05EE4

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ACPIEC.sys suspicious modification
File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#15 RKinner (Malware Expert, MVP, 23,320 posts)
Appears that the file that ComboFix claimed it fixed got unfixed.

Let's see if we can find another copy.

Copy the next 4 lines:

/md5start
ACPIEC.sys
iaStor.sys
/md5stop

# Double click on the OTL icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
# Under the Custom Scan box paste in the above and then hit Quick Scan.

Once you get a log please copy and paste it into a reply.

Ron
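Added example (not part of any post in this thread, and not code from GMER, OTL or ComboFix): a Python script that reproduces, offline, the two checks the expert is relying on in posts #13 to #15. `entry_point_section` applies the heuristic behind GMER's `entry point in ".rsrc" section` line (a legitimate driver's entry point lives in a code section, never in the resource section), `check_driver` combines it with the MD5 comparison OTL prints under `< MD5 for: ... >`, and `restore_from_known_good` is the hash-gated equivalent of the `:Files ... /replace` fix. The reference hash for iaStor.sys is the NLDRV\002 value from the OTL log above; the temp-directory layout in `demo()` and the two PE images it builds are constructed test data, not real drivers.

```python
import hashlib
import os
import shutil
import struct
import tempfile

# MD5 of the clean iaStor.sys copy listed in the OTL log under C:\WINDOWS\NLDRV\002
# (reference value copied from the thread; any other value would be an assumption).
KNOWN_GOOD_MD5 = {"iastor.sys": "e9f704ca833bd24bfaa3b4a59707633a"}


def md5_of(path):
    """Hex MD5 of a file, read in chunks (MD5 because that is what OTL reports)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_point_section(data):
    """Return (section_name, entry_rva) for a PE image; name is None if no section holds it."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                        # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sect = opt + opt_size                                  # section table follows the optional header
    for i in range(num_sections):
        off = sect + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize = struct.unpack_from("<III", data, off + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            return name, entry_rva
    return None, entry_rva


def check_driver(path, known_good=KNOWN_GOOD_MD5):
    """GMER-style entry-point heuristic plus OTL-style hash check for one driver file."""
    with open(path, "rb") as f:
        data = f.read()
    section, _ = entry_point_section(data)
    digest = md5_of(path)
    expected = known_good.get(os.path.basename(path).lower())
    return {
        "file": path,
        "entry_section": section,
        "entry_in_rsrc": section == ".rsrc",   # code should never start in a resource section
        "md5": digest,
        "md5_matches_known_good": expected is not None and digest == expected,
    }


def restore_from_known_good(target, candidate, expected_md5):
    """The ':Files target|candidate /replace' step with a hash gate: refuse to copy a candidate
    that does not match the trusted hash, and keep the original file for later analysis."""
    if md5_of(candidate) != expected_md5:
        raise ValueError("candidate does not match the known-good hash; refusing to replace")
    shutil.copy2(target, target + ".infected.bak")
    shutil.copy2(candidate, target)
    return md5_of(target) == expected_md5


def build_test_driver(entry_in_rsrc):
    """Constructed minimal PE32 image with .text and .rsrc sections (test data, not a real driver)."""
    text_rva, rsrc_rva, opt_size = 0x1000, 0x2000, 224
    entry = (rsrc_rva if entry_in_rsrc else text_rva) + 0x10
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                 # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x10000, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x200, rva, 0x200, raw, 0, 0, 0, 0, 0x60000020)
        for name, rva, raw in ((b".text", text_rva, 0x400), (b".rsrc", rsrc_rva, 0x600)))
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections
    return image + b"\0" * (0x800 - len(image))            # pad so the raw section offsets exist


def demo():
    """Clean copy (stand-in for NLDRV\\002) vs. a live driver whose entry point is in .rsrc."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "NLDRV", "iastor.sys")
        live = os.path.join(d, "drivers", "iaStor.sys")
        for p, img in ((good, build_test_driver(False)), (live, build_test_driver(True))):
            os.makedirs(os.path.dirname(p))
            with open(p, "wb") as f:
                f.write(img)
        reference = {"iastor.sys": md5_of(good)}           # trust the hash of the clean copy, as the log does
        before = check_driver(live, reference)
        restored = restore_from_known_good(live, good, reference["iastor.sys"])
        after = check_driver(live, reference)
    return before, restored, after
```

Run the checks from a clean boot against the mounted system drive, not from inside the infected Windows: a kernel rootkit that hooks the disk driver (GMER's `Device -> \Driver\iaStor \Device\Harddisk0\DR0` line is consistent with that) can serve the original bytes to user-mode readers, which is one way a file can hash identical to the clean copy in an OTL scan and still be flagged by GMER a few hours later. MD5 appears here only because that is what OTL reports; for a reference set you maintain yourself, prefer SHA-256.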
