GeekPolice

isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by keribear on Thu Apr 15, 2010 7:33 pm

Yesterday I was on my desktop and visited GP because of a rootkit.win32.tdss.d virus. Kaspersky said it was WINDOWS\system32\drivers\isapnp.sys. My first time to GP, so I followed the first-time recommendations and downloaded the updated Adobe Reader per the link, and then when my computer went to reboot, I got the blue screen. I had also done the HijackThis (before the Adobe Reader update) and now can't access the HijackThis log or anything on the desktop.

I can get to Safe Mode, but then it goes back to blue screen with the following, think I have most of it:

A problem with isapnp.sys
page fault in non paged area
stop: 0x00000050
(0x80000D4,0x00000000,0xBA8BA8B016F,0800000000)
isapnp.sys
address BA8B016base at BA8A000

Any help or advice is appreciated.

keribear
Novice

Posts : 18
Joined : 2010-04-14
Gender : Female
OS : XP Home

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by Belahzur on Thu Apr 15, 2010 7:51 pm

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by keribear on Thu Apr 15, 2010 8:01 pm

Thank you for replying. I am on another computer; can I download that link to a flash drive and take it to the problem computer? Thank you.


Belahzur wrote: Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.


Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by Belahzur on Thu Apr 15, 2010 8:12 pm

Yes, sure.


Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by keribear on Thu Apr 15, 2010 9:03 pm

I downloaded that program to a flash drive and took it to the other computer, tried to change the boot to the USB device, but it didn't work.


Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by keribear on Fri Apr 16, 2010 12:00 am

I used Last Known Settings That Worked at the startup screen and got my old desktop back, no more blue screen!
I will try to download the OldTimer link.


Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by keribear on Fri Apr 16, 2010 12:23 am

OTL logfile created on: 4/15/2010 5:08:37 PM - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = I:\
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 64.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 1728 3456 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 259.39 Gb Free Space | 87.02% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 533.31 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 5.46 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive I: | 1.90 Gb Total Space | 0.02 Gb Free Space | 0.82% Space Free | Partition Type: FAT

Computer Name: KERRY-ZDAF543BN
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/15 13:41:30 | 000,561,664 | ---- | M] (OldTimer Tools) -- I:\OTL.exe
PRC - [2010/01/21 12:12:42 | 000,078,104 | ---- | M] (iWin Inc.) -- C:\Program Files\iWin Games\iWinTrusted.exe
PRC - [2009/11/19 11:26:54 | 000,455,944 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
PRC - [2009/10/10 14:32:18 | 000,203,264 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
PRC - [2009/09/28 10:42:50 | 000,109,056 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2009/03/08 04:31:54 | 000,013,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msfeedssync.exe
PRC - [2008/10/30 14:16:42 | 000,282,624 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
PRC - [2008/10/08 17:25:49 | 000,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
PRC - [2008/10/07 13:30:26 | 000,656,896 | ---- | M] (j2 Global Communications, Inc.) -- C:\Program Files\eFax Messenger 4.4\J2GTray.exe
PRC - [2008/10/07 13:25:48 | 000,095,744 | ---- | M] (j2 Global Communications, Inc.) -- C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
PRC - [2008/09/10 03:15:24 | 000,676,520 | ---- | M] () -- C:\Program Files\Lexmark 7600 Series\lxdwmon.exe
PRC - [2008/09/10 03:15:21 | 000,025,256 | ---- | M] () -- C:\Program Files\Lexmark 7600 Series\lxdwmsdmon.exe
PRC - [2008/05/16 08:33:10 | 000,594,600 | ---- | M] ( ) -- C:\WINDOWS\system32\lxdwcoms.exe
PRC - [2008/05/16 08:32:56 | 000,098,984 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdwserv.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/07 19:10:30 | 000,210,200 | ---- | M] (Yahoo!, Inc.) -- C:\Program Files\Yahoo!\browser\ycommon.exe
PRC - [2007/02/09 16:47:20 | 004,603,904 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\U3\0000188C3675D2C2\LaunchPad.exe
PRC - [2007/01/04 14:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/07/21 16:19:46 | 000,129,536 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\browser\ybrwicon.exe
PRC - [2003/06/11 01:52:26 | 000,122,880 | ---- | M] (Visual Networks) -- C:\Program Files\Visual Networks\Visual IP InSight\SBC\ipmon32.exe
PRC - [2003/06/11 01:52:24 | 000,380,928 | ---- | M] (Visual Networks) -- C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
PRC - [2002/09/10 21:26:26 | 000,368,706 | ---- | M] () -- C:\Program Files\BroadJump\Client Foundation\CFD.exe


========== Modules (SafeList) ==========

MOD - [2010/04/15 13:41:30 | 000,561,664 | ---- | M] (OldTimer Tools) -- I:\OTL.exe
MOD - [2009/08/25 03:39:49 | 000,109,072 | ---- | M] (Kaspersky Lab) -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\mzvkbd3.dll
MOD - [2003/06/11 01:52:24 | 000,098,304 | ---- | M] (Visual Networks) -- C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPHk2KS2.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/01/21 12:12:42 | 000,078,104 | ---- | M] (iWin Inc.) [Auto | Running] -- C:\Program Files\iWin Games\iWinTrusted.exe -- (iWinTrusted)
SRV - [2009/11/19 11:26:54 | 000,455,944 | ---- | M] () [Auto | Running] -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
SRV - [2009/09/28 10:42:50 | 000,109,056 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2009/07/21 03:02:15 | 000,208,616 | ---- | M] (Kaspersky Lab) [Auto | Running] -- C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe -- (AVP)
SRV - [2008/12/10 00:10:14 | 000,024,636 | ---- | M] (Apache Software Foundation) [On_Demand | Stopped] -- c:\wamp\bin\apache\apache2.2.11\bin\httpd.exe -- (wampapache)
SRV - [2008/11/15 06:53:14 | 006,447,744 | ---- | M] () [On_Demand | Stopped] -- c:\wamp\bin\mysql\mysql5.1.30\bin\mysqld.exe -- (wampmysqld)
SRV - [2008/10/08 17:25:49 | 000,611,664 | ---- | M] (Lavasoft) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice)
SRV - [2008/05/16 08:33:10 | 000,594,600 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxdwcoms.exe -- (lxdw_device)
SRV - [2008/05/16 08:32:56 | 000,098,984 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdwserv.exe -- (lxdwCATSCustConnectService)
SRV - [2007/01/04 14:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)


========== Driver Services (SafeList) ==========

DRV - [2010/04/14 14:41:37 | 000,037,248 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\isapnp.sys -- (isapnp)
DRV - [2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2009/06/05 10:49:01 | 000,226,832 | ---- | M] (Kaspersky Lab) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2009/06/05 10:49:01 | 000,033,808 | ---- | M] (Kaspersky Lab) [File_System | Boot | Running] -- C:\WINDOWS\system32\drivers\klbg.sys -- (klbg)
DRV - [2008/07/21 17:34:36 | 000,121,872 | ---- | M] (Kaspersky Lab) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\kl1.sys -- (kl1)
DRV - [2008/04/30 17:06:48 | 000,024,592 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\klim5.sys -- (klim5)
DRV - [2008/04/13 11:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2003/11/17 15:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 15:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 15:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2003/06/30 18:11:52 | 000,043,136 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)
DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = [You must be registered and logged in to see this link.]

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\CNNSI, = search.sportsillustrated.cnn.com/pages/search.jsp?query=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Dictionary, = dictionary.reference.com/search?q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Google, = google.com/search?q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\GoogleGroups, = groups-beta.google.com/groups?q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\GoogleImages, = images.google.com/images?hl=en&lr=&q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\GoogleNews, = news.google.com/news?tab=gn&hl=en&ie=UTF-8&q=%s&btnG=Search+News
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\KB, = support.microsoft.com/search/default.aspx?query=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\KBDLL, = support.microsoft.com/dllhelp/default.aspx?dlltype=file&l=55&alpha=%s&S=1
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Movies, = fandango.com/my_box_office.asp?searchby=2&txtCityZip=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\MSN, = search.msn.com/results.asp?q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Thesaurus, = thesaurus.reference.com/search?q=%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Weather, = weather.com/weather/local/%s
IE - HKCU\Software\Microsoft\Internet Explorer\SearchURL\Yahoo, = search.yahoo.com/search?p=%s
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.defaulturl: "http://search.yahoo.com/search?fr=ffsp1&p="
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.search.update: false
FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com"
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:1.2.1
FF - prefs.js..extensions.enabledItems: [You must be registered and logged in to see this link.]:7
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=ffds1&p="

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.18\extensions\\Components: C:\Documents and Settings\Owner\My Documents\Old HD\C\Program Files\Mozilla Firefox\components [2010/04/10 12:07:47 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.18\extensions\\Plugins: C:\Documents and Settings\Owner\My Documents\Old HD\C\Program Files\Mozilla Firefox\plugins [2010/04/14 17:15:52 | 000,000,000 | ---D | M]

[2008/10/13 15:51:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
[2009/09/14 01:12:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o2uvchp8.default\extensions
[2009/09/14 01:12:28 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o2uvchp8.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008/11/10 23:46:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\o2uvchp8.default\extensions\firebug@software.joehewitt.com
[2008/10/13 12:23:58 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/05/11 18:41:00 | 000,200,704 | ---- | M] (Ancestry.com) -- C:\Program Files\Mozilla Firefox\plugins\npImgCtl.dll

O1 HOSTS File: ([2003/07/16 13:29:34 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O2 - BHO: (StumbleUpon Launcher) - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll File not found
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
O2 - BHO: (IEVkbdBHO Class) - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll (Kaspersky Lab)
O2 - BHO: (Yahoo! IE Suggest) - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll (Yahoo! Inc.)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (IEHlprObj Class) - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\Program Files\iWin Games\iWinGamesHookIE.dll (iWin Inc.)
O2 - BHO: (Lexmark Printable Web) - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll ()
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKLM\..\Toolbar: (StumbleUpon Toolbar) - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll File not found
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKCU\..\Toolbar\ShellBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [AVP] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe (Kaspersky Lab)
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe ()
O4 - HKLM..\Run: [IPInSightLAN 01] C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe (Visual Networks)
O4 - HKLM..\Run: [IPInSightMonitor 01] C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe (Visual Networks)
O4 - HKLM..\Run: [Lexmark 7600 Series Fax Server] C:\Program Files\Lexmark 7600 Series\fm3032.exe ()
O4 - HKLM..\Run: [lxdwamon] C:\Program Files\Lexmark 7600 Series\lxdwamon.exe ()
O4 - HKLM..\Run: [lxdwmon.exe] C:\Program Files\Lexmark 7600 Series\lxdwmon.exe ()
O4 - HKLM..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [eFax 4.4] C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe (j2 Global Communications, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\pmremind.exe (Broderbund Properties LLC)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe (Eastman Kodak Company)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\eFax 4.4.lnk = C:\Program Files\eFax Messenger 4.4\J2GTray.exe (j2 Global Communications, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 28
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll (Kaspersky Lab)
O9 - Extra Button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} [You must be registered and logged in to see this link.] (iPIX ActiveX Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} [You must be registered and logged in to see this link.] (Shockwave ActiveX Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} [You must be registered and logged in to see this link.] (MySpace Uploader Control)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} [You must be registered and logged in to see this link.] (Windows Live Safety Center Base Module)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} [You must be registered and logged in to see this link.] (WUWebControl Class)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} [You must be registered and logged in to see this link.] (MUWebControl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} [You must be registered and logged in to see this link.] (Facebook Photo Uploader 5 Control)
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} [You must be registered and logged in to see this link.] (Verizon Wireless Media Upload)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {C52439A0-2693-4E40-B141-9F9AD5257241} [You must be registered and logged in to see this link.] (Lexmark eDiagnostics Class)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [You must be registered and logged in to see this link.] (Java Plug-in 1.6.0_17)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O20 - AppInit_DLLs: (C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll) - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\mzvkbd3.dll (Kaspersky Lab)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxsrvc.dll - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\klogon: DllName - C:\WINDOWS\system32\klogon.dll - C:\WINDOWS\system32\klogon.dll (Kaspersky Lab)
O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/10/07 20:00:27 | 000,000,000 | -HS- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2003/07/16 13:55:09 | 000,000,110 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [2007/02/12 12:53:42 | 000,000,277 | R--- | M] () - H:\autorun.inf -- [ CDFS ]
O33 - MountPoints2\{dc8ff1ba-8e87-11de-8138-000f1f4dd85b}\Shell - "" = AutoRun
O33 - MountPoints2\{dc8ff1ba-8e87-11de-8138-000f1f4dd85b}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{dc8ff1ba-8e87-11de-8138-000f1f4dd85b}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- [2007/02/12 18:33:37 | 001,110,016 | R--- | M] ()
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/04/14 17:15:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9 Installer
[2010/04/14 17:05:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/04/14 17:02:13 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/04/14 14:14:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2010/04/14 12:36:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple Computer
[2010/04/14 11:44:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes
[2010/04/14 11:44:49 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/14 11:44:47 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/14 11:44:47 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/14 11:44:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/04/13 11:39:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Apple Computer
[2010/04/12 16:59:23 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/04/12 16:59:23 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/04/12 16:59:23 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/04/12 13:38:04 | 000,000,000 | ---D | C] -- C:\Program Files\FileZilla FTP Client
[2010/04/12 11:48:57 | 000,036,488 | ---- | C] (Kaspersky Lab, SLA) -- C:\WINDOWS\System32\drivers\klmdb.sys
[2010/04/12 11:48:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\tdsskiller
[2010/04/12 01:05:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/04/11 18:53:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/04/11 18:53:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/04/11 18:16:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/11 18:16:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/11 18:15:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/09 19:43:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\TB
[2010/04/08 23:46:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\WMV
[2010/04/05 17:46:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\DaveWheeler
[2010/04/05 12:08:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\slider-images
[2010/04/05 12:08:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\nggGalleryview
[2010/04/05 12:08:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\monoslideshow212
[2010/04/05 12:08:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\kimili-flash-embed.2.1.2
[2010/04/05 12:08:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\imagerotator-licensed
[2010/04/05 12:08:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\smooth-slider.2.2
[2010/04/01 23:21:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Atahualpa
[2010/03/30 14:27:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\pdf995
[2010/03/30 14:22:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2010/03/30 14:22:54 | 000,249,856 | ---- | C] (TODO: ) -- C:\WINDOWS\System32\pdfmona.dll
[2010/03/26 10:49:15 | 000,000,000 | ---D | C] -- C:\shop3
[2010/03/25 11:53:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\eshop.4.3.2
[2010/03/21 22:35:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Sky Project Video
[2010/03/21 22:09:45 | 000,000,000 | ---D | C] -- C:\Program Files\3ivx
[2010/03/21 22:09:33 | 000,000,000 | ---D | C] -- C:\Program Files\Flip Video
[2010/03/21 22:09:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Flip Video
[2010/03/18 14:13:51 | 000,000,000 | ---D | C] -- C:\Program Files\DeductionPro 2009
[2010/03/18 14:11:54 | 000,000,000 | ---D | C] -- C:\Program Files\HRBlock2009
[2010/03/18 14:11:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\HRBlock
[2010/03/18 14:05:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Screenshots
[2009/12/01 18:57:14 | 015,203,738 | ---- | C] (Any-Audio-Converter.com ) -- C:\Program Files\any-audio-converter.exe
[2009/12/01 18:49:19 | 015,386,889 | ---- | C] (Any-Video-Converter.com ) -- C:\Program Files\avc-free.exe
[2009/10/26 10:06:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2009/08/07 12:57:02 | 001,069,056 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwserv.dll
[2009/08/07 12:57:02 | 000,851,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwusb1.dll
[2009/08/07 12:57:02 | 000,438,272 | ---- | C] ( ) -- C:\WINDOWS\System32\LXDWhcp.dll
[2009/08/07 12:57:02 | 000,364,544 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwinpa.dll
[2009/08/07 12:57:02 | 000,339,968 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwiesc.dll
[2009/08/07 12:57:01 | 000,679,936 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwhbn3.dll
[2009/08/07 12:57:01 | 000,651,264 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwpmui.dll
[2009/08/07 12:57:01 | 000,577,536 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwlmpm.dll
[2009/08/07 12:57:00 | 000,765,952 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwcomc.dll
[2009/08/07 12:57:00 | 000,376,832 | ---- | C] ( ) -- C:\WINDOWS\System32\lxdwcomm.dll
[2009/06/05 10:40:25 | 038,709,280 | ---- | C] (Kaspersky Lab) -- C:\Program Files\kav8.0.0.506en.exe
[2009/05/22 13:15:15 | 000,434,832 | ---- | C] (NCH Software) -- C:\Program Files\switchsetup.exe
[2009/05/14 11:15:47 | 000,140,800 | ---- | C] (Microsoft Corporation) -- C:\Program Files\ODMediaConsoleSetup.exe
[2009/05/05 16:12:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009/05/05 16:11:02 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009/05/05 16:11:02 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009/03/02 00:43:51 | 026,699,048 | ---- | C] (Apple Inc.) -- C:\Program Files\SafariSetup.exe
[2008/11/04 11:53:34 | 005,166,072 | ---- | C] (j2 Global) -- C:\Program Files\msgrplus.exe
[2008/10/20 22:49:09 | 067,167,528 | ---- | C] (Apple Inc.) -- C:\Program Files\iTunes801Setup.exe
[2008/10/15 13:40:18 | 001,851,544 | ---- | C] (Adobe Systems Incorporated) -- C:\Program Files\install_flash_player.exe
[2008/10/08 17:27:25 | 050,689,960 | ---- | C] (AVG Technologies) -- C:\Program Files\avg_free_stf_en_8_173a1373.exe
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[35 C:\WINDOWS\Fonts\*.tmp files -> C:\WINDOWS\Fonts\*.tmp -> ]
[20 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[12 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/15 17:02:39 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Microsoft Office Outlook 2003 (2).lnk
[2010/04/15 17:01:01 | 000,000,234 | ---- | M] () -- C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
[2010/04/15 17:01:00 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{54802705-6404-494B-8E69-3EC5B0EF9994}.job
[2010/04/15 16:58:28 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/15 16:57:04 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/04/15 16:57:03 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/14 17:17:00 | 007,132,192 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2010/04/14 17:17:00 | 001,253,408 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.dat
[2010/04/14 17:17:00 | 000,056,800 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2010/04/14 17:17:00 | 000,005,364 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox2.idx
[2010/04/14 17:16:37 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Owner\ntuser.ini
[2010/04/14 17:16:36 | 009,437,184 | -H-- | M] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2010/04/14 17:16:29 | 006,475,818 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2010/04/14 17:15:53 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/14 14:48:00 | 000,037,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\isapnp.sys
[2010/04/14 14:48:00 | 000,037,248 | ---- | M] () -- C:\WINDOWS\isapnp.old
[2010/04/14 14:41:37 | 000,037,248 | ---- | M] () -- C:\WINDOWS\System32\drivers\isapnp.sys
[2010/04/14 11:44:52 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/13 09:56:03 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/12 13:58:04 | 000,000,017 | ---- | M] () -- C:\WINDOWS\WS_FTP.EXT
[2010/04/12 13:58:04 | 000,000,000 | ---- | M] () -- C:\WINDOWS\WS_FTP.CNV
[2010/04/12 13:36:30 | 004,169,301 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\FileZilla_3.3.2.1_win32-setup.exe
[2010/04/12 11:48:57 | 000,036,488 | ---- | M] (Kaspersky Lab, SLA) -- C:\WINDOWS\System32\drivers\klmdb.sys
[2010/04/12 10:47:54 | 000,154,469 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\tdsskiller.zip
[2010/04/12 01:09:50 | 000,000,755 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/12 01:09:50 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/12 01:09:50 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/04/11 18:16:29 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/08 23:31:45 | 000,048,128 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/08 23:00:49 | 020,998,853 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Sky Stone Video Project 4-2010.wmv
[2010/04/08 10:41:10 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/04/06 17:21:38 | 000,022,528 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\antigone essay.doc
[2010/04/05 19:43:49 | 000,000,783 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\FileZilla (2).lnk
[2010/04/04 10:13:12 | 000,000,281 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\simdata.asp
[2010/04/01 13:31:03 | 000,116,300 | -H-- | M] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/03/30 14:27:08 | 000,000,028 | ---- | M] () -- C:\WINDOWS\pdf995.ini
[2010/03/30 14:22:54 | 000,249,856 | ---- | M] (TODO: ) -- C:\WINDOWS\System32\pdfmona.dll
[2010/03/30 14:22:54 | 000,051,716 | ---- | M] () -- C:\WINDOWS\System32\pdf995mon.dll
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/25 11:53:31 | 000,239,585 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\eshop.4.3.2.zip
[2010/03/25 10:28:48 | 000,099,933 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\maintenance-mode_4-4.zip
[2010/03/21 23:34:49 | 000,000,819 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\FlipShare.lnk
[2010/03/21 22:31:33 | 000,512,960 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/21 22:31:33 | 000,435,260 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/21 22:31:33 | 000,068,156 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/20 18:36:56 | 001,519,616 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mbb
[2010/03/20 18:36:56 | 000,855,040 | R--- | M] () -- C:\Documents and Settings\All Users\Documents\ESBK.mb
[2010/03/19 10:25:12 | 000,001,793 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Dream Day Wedding Bella Italia.lnk
[2010/03/18 14:14:00 | 000,001,479 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\DeductionPro 2009.lnk
[2010/03/18 14:13:04 | 000,001,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\H&R Block 2009.lnk
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[20 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[12 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/14 17:15:53 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/14 14:41:38 | 000,037,248 | ---- | C] () -- C:\WINDOWS\System32\drivers\isapnp.sys
[2010/04/14 11:44:52 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/12 13:58:04 | 000,000,017 | ---- | C] () -- C:\WINDOWS\WS_FTP.EXT
[2010/04/12 13:58:04 | 000,000,000 | ---- | C] () -- C:\WINDOWS\WS_FTP.CNV
[2010/04/12 13:36:21 | 004,169,301 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\FileZilla_3.3.2.1_win32-setup.exe
[2010/04/12 10:47:53 | 000,154,469 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\tdsskiller.zip
[2010/04/11 18:16:29 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/11 18:16:29 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/11 17:52:33 | 000,000,030 | ---- | C] () -- C:\Documents and Settings\Owner\DeductionPro2009.log
[2010/04/08 22:54:03 | 020,998,853 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Sky Stone Video Project 4-2010.wmv
[2010/04/06 17:21:37 | 000,022,528 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\antigone essay.doc
[2010/04/05 19:43:49 | 000,000,783 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\FileZilla (2).lnk
[2010/04/05 12:08:19 | 000,521,126 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\monoslideshow212.zip
[2010/03/30 14:27:08 | 000,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2010/03/30 14:22:55 | 000,000,142 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2010/03/30 14:22:54 | 000,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2010/03/25 11:53:30 | 000,239,585 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\eshop.4.3.2.zip
[2010/03/25 10:28:48 | 000,099,933 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\maintenance-mode_4-4.zip
[2010/03/22 13:04:05 | 000,000,071 | ---- | C] () -- C:\Documents and Settings\All Users\lxdw.log
[2010/03/21 23:34:49 | 000,000,819 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\FlipShare.lnk
[2010/03/19 10:25:12 | 000,001,793 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Dream Day Wedding Bella Italia.lnk
[2010/03/18 14:14:00 | 000,001,479 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\DeductionPro 2009.lnk
[2010/03/18 14:13:04 | 000,001,682 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\H&R Block 2009.lnk
[2009/09/30 15:00:52 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/09/30 15:00:51 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2009/09/30 15:00:48 | 000,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/09/30 15:00:48 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/08/12 17:12:17 | 000,000,187 | ---- | C] () -- C:\Documents and Settings\All Users\lxdwDiagnostics.log
[2009/08/10 19:11:26 | 000,063,526 | ---- | C] () -- C:\Documents and Settings\All Users\lxdwJSW.log
[2009/08/07 13:01:16 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxdwvs.dll
[2009/08/07 13:01:15 | 000,360,448 | ---- | C] () -- C:\WINDOWS\System32\lxdwcoin.dll
[2009/08/07 13:00:35 | 001,036,288 | ---- | C] () -- C:\WINDOWS\System32\lxdwdrs.dll
[2009/08/07 13:00:35 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\lxdwcaps.dll
[2009/08/07 13:00:35 | 000,069,632 | ---- | C] () -- C:\WINDOWS\System32\lxdwcnv4.dll
[2009/08/07 13:00:13 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\LXDWPMON.DLL
[2009/08/07 13:00:13 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXDWFXPU.DLL
[2009/08/07 12:59:53 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\lxdwoem.dll
[2009/08/07 12:58:02 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\lxdwrwrd.ini
[2009/08/07 12:57:03 | 000,389,120 | ---- | C] () -- C:\WINDOWS\System32\LXDWinst.dll
[2009/08/07 12:57:01 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxdwgrd.dll
[2009/08/07 12:55:55 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\UpdaterLog.txt
[2009/08/02 22:40:13 | 000,061,440 | ---- | C] () -- C:\WINDOWS\System32\dlbkcnv5.dll
[2009/08/02 22:40:13 | 000,039,899 | ---- | C] () -- C:\WINDOWS\System32\rtsicis.ini
[2009/07/11 20:03:09 | 000,000,022 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\kodakpcd.ini
[2009/05/09 12:17:19 | 000,001,536 | ---- | C] () -- C:\WINDOWS\EyeCand3.INI
[2009/03/31 16:46:13 | 000,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini
[2009/02/22 15:20:52 | 000,000,090 | ---- | C] () -- C:\Documents and Settings\Owner\DeductionPro2008.log
[2009/02/03 04:59:54 | 000,001,226 | ---- | C] () -- C:\Program Files\setup.reg
[2008/11/23 18:35:20 | 000,000,103 | ---- | C] () -- C:\Documents and Settings\Owner\WS_FTP.LOG
[2008/11/23 18:06:00 | 000,000,030 | ---- | C] () -- C:\Documents and Settings\Owner\.htaccess
[2008/11/14 02:52:32 | 000,041,937 | ---- | C] () -- C:\Program Files\release_notes_kav8.0cf2_en.html
[2008/11/13 10:23:12 | 040,375,808 | ---- | C] () -- C:\Program Files\kav.en.msi
[2008/11/02 11:48:30 | 000,000,049 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2008/10/30 19:26:07 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/10/30 19:26:07 | 000,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/10/28 10:25:00 | 000,283,843 | ---- | C] () -- C:\Program Files\youmurdererbb_tt.zip
[2008/10/21 19:17:12 | 000,000,000 | ---- | C] () -- C:\WINDOWS\CastleMalloy.INI
[2008/10/14 09:13:14 | 000,048,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/10/10 10:45:14 | 000,000,324 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2008/10/09 13:01:03 | 000,000,000 | ---- | C] () -- C:\Program Files\temp01
[2008/10/08 17:22:56 | 019,153,264 | ---- | C] () -- C:\Program Files\aaw2008.exe
[2008/10/08 16:28:21 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2008/10/08 15:50:51 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/10/07 20:05:49 | 009,437,184 | -H-- | C] () -- C:\Documents and Settings\Owner\NTUSER.DAT
[2008/10/07 20:05:49 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\Owner\ntuser.dat.LOG
[2008/10/07 20:05:49 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\Owner\ntuser.ini
[2008/02/18 23:33:34 | 000,446,352 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Alternate Data Streams ==========

< End of report >

keribear

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by keribear on Fri Apr 16, 2010 12:24 am

OTL Extras logfile created on: 4/15/2010 5:08:37 PM - Run 1
OTL by OldTimer - Version 3.2.1.1 Folder = I:\
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 64.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 87.00% Paging File free
Paging file location(s): C:\pagefile.sys 1728 3456 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 259.39 Gb Free Space | 87.02% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 533.31 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 5.46 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive I: | 1.90 Gb Total Space | 0.02 Gb Free Space | 0.82% Space Free | Partition Type: FAT

Computer Name: KERRY-ZDAF543BN
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
jsfile [edit] -- "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1" (Macromedia, Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring" = 1
"" =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\WS_FTP\WS_FTP95.exe" = C:\Program Files\WS_FTP\WS_FTP95.exe:*:Enabled:WS_FTP 95 -- (Ipswitch, Inc. 81 Hartwell Ave. Lexington, MA)
"C:\wamp\bin\apache\Apache2.2.11\bin\httpd.exe" = C:\wamp\bin\apache\Apache2.2.11\bin\httpd.exe:*:Enabled:Apache HTTP Server -- (Apache Software Foundation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader -- File not found
"C:\Program Files\AIM6\aim6.exe" = C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM -- File not found
"C:\WINDOWS\system32\LEXPPS.EXE" = C:\WINDOWS\system32\LEXPPS.EXE:*:Enabled:LEXPPS.EXE -- File not found
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Disabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe" = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare -- (Eastman Kodak Company)
"C:\WINDOWS\system32\dlbkcoms.exe" = C:\WINDOWS\system32\dlbkcoms.exe:*:Enabled:AIO Printer A920 Server -- File not found
"C:\WINDOWS\system32\lxdwcoms.exe" = C:\WINDOWS\system32\lxdwcoms.exe:*:Enabled:7600 Series Server -- ( )
"C:\Program Files\iWin Games\iWinGames.exe" = C:\Program Files\iWin Games\iWinGames.exe:*:Enabled:iWin Games application. -- (iWin Inc.)
"C:\Program Files\iWin Games\WebUpdater.exe" = C:\Program Files\iWin Games\WebUpdater.exe:*:Enabled:iWin Games updater. -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{007B37D9-0C45-4202-834B-DD5FAAE99D63}" = ArcSoft Print Creations - Slimline Card
"{03EDED24-8375-407D-A721-4643D9768BE1}" = kgchlwn
"{0837A661-FEC3-48B3-876C-91E7D32048A9}" = Macromedia Dreamweaver 8
"{097346E0-6A51-11D1-AD16-00A0C95E0503}(SBC)" = Visual IP InSight(SBC)
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" = Lexmark Toolbar
"{11F3F858-4131-4FFA-A560-3FE282933B6E}" = kgchday
"{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}" = ESSPCD
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 17
"{2BD5C305-1B27-4D41-B690-7A61172D2FEB}" = Macromedia Flash 8
"{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}" = essvatgt
"{34D6EED8-7650-4E1C-BC26-F5B2DDE185C6}" = OverDrive Media Console
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{42938595-0D83-404D-9F73-F8177FDD531A}" = ESScore
"{4537EA4B-F603-4181-89FB-2953FC695AB1}" = netbrdg
"{4E3FBA14-D996-486A-B1C0-A53452065771}" = Shopping Cart 3
"{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"{5316DFC9-CE99-4458-9AB3-E8726EDE0210}" = skin0001
"{53A19323-917A-4822-B27E-A57D1EF6E9FC}" = H&R Block Deluxe + Efile + State 2009
"{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}" = Macromedia Extension Manager
"{56589DFE-0C29-4DFE-8E42-887B771ECD23}" = ArcSoft Print Creations - Photo Book
"{605A4E39-613C-4A12-B56F-DEFBE6757237}" = SHASTA
"{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}" = fflink
"{61100673-2546-42E1-BF92-467B5CB2AC6D}" = DeductionPro 2008
"{643EAE81-920C-4931-9F0B-4B343B225CA6}" = ESSBrwr
"{6549AA0C-6D93-4E76-9A13-6A6A0AA4FD6D}" = TaxCut California 2008
"{6580C5A3-2336-4EC5-85F1-3448C5F6208A}" = Kaspersky Anti-Virus 2009
"{693C08A7-9E76-43FF-B11E-9A58175474C4}" = kgckids
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{86D4B82A-ABED-442A-BE86-96357B70F4FE}" = Ask Toolbar
"{8943CE61-53BD-475E-90E1-A580869E98A2}" = staticcr
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8A502E38-29C9-49FA-BCFA-D727CA062589}" = ESSTOOLS
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics Driver
"{8A8664E1-84C8-4936-891C-BC1F07797549}" = kgcvday
"{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}" = Macromedia Flash 8 Video Encoder
"{8E92D746-CD9F-4B90-9668-42B74C14F765}" = ESSini
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91130409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Basic Edition 2003
"{91517631-A9F3-4B7C-B482-43E0068FD55A}" = ESSgui
"{9591C049-5CAE-4E89-A8D9-191F1899628B}" = ArcSoft Print Creations - Funhouse
"{97F4D62E-5AEB-4649-BABF-4712C6EF6845}" = DeductionPro 2009
"{999D43F4-9709-4887-9B1A-83EBB15A8370}" = VPRINTOL
"{9BD54685-1496-46A5-AB62-357CD140ED8B}" = kgcinvt
"{A1588373-1D86-4D44-86C9-78ABD190F9CC}" = kgcmove
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A35C2323-3CEA-405C-9569-EF5DDE930B2F}" = PrintMaster
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A67BB21E-D419-45BB-AB86-7D87D14BBCE2}" = Safari
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}" = ESSCDBK
"{B0D83FCD-9D42-43ED-8315-250326AADA02}" = ArcSoft Print Creations - Scrapbook
"{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}" = OfotoXMI
"{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}" = CCScore
"{BBB33AD6-BCF7-4002-B6A0-6DC679AE5C18}" = TaxCut Premium + State + Efile 2008
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CA9ED5E4-1548-485B-A293-417840060158}" = ArcSoft Print Creations - Photo Calendar
"{CAE8A0F1-B498-4C23-95FA-55047E730C8F}" = ArcSoft Print Creations
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2C5E510-BE6D-42CC-9F61-E4F939078474}" = Lexmark Printable Web
"{D32470A1-B10C-4059-BA53-CF0486F68EBC}" = Kodak EasyShare software
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{DB02F716-6275-42E9-B8D2-83BA2BF5100B}" = SFR
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{DF6DA606-904D-4C18-823F-A4CFC3035E53}" = eFax Messenger
"{E18B549C-5D15-45DA-8D8F-8FD2BD946344}" = kgcbaby
"{E1B2DF7C-A176-4A1D-9D32-3CEC5037A524}" = Apple Application Support
"{E6B4117F-AC59-4B13-9274-EB136E8897EE}" = ArcSoft Print Creations - Album Page
"{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}" = tooltips
"{F04F9557-81A9-4293-BC49-2C216FA325A7}" = ArcSoft Print Creations - Greeting Card
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F45298E5-0083-426F-A668-1A2C5F04B8A0}" = FaxTools
"{F4898C08-90A2-431C-BCE5-87866531D05B}" = H&R Block California 2009
"{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}" = SKINXSDK
"{F5C63795-2708-4D15-BF18-5ABBFF7DFFC8}" = iTunes
"{F7F23DFB-31E1-B7EC-7A6D-7668B595ADAE}" = FlipShare
"{F9593CFB-D836-49BC-BFF1-0E669A411D9F}" = WIRELESS
"{FCDB1C92-03C6-4C76-8625-371224256091}" = ESSPDock
"3ivx MPEG-4 5.0.3" = 3ivx MPEG-4 5.0.3 (remove only)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Any Audio Converter_is1" = Any Audio Converter 2.0.5
"Any DVD Converter Professional_is1" = Any DVD Converter Professional 3.7.7
"BFG-Autumn's Treasures - The Jade Coin" = Autumn's Treasures: The Jade Coin
"BFGC" = Big Fish Games: Game Manager
"BFG-Dream Chronicles - The Chosen Child" = Dream Chronicles: The Chosen Child
"BFG-Dream Day Honeymoon" = Dream Day Honeymoon
"BFG-Hidden Mysteries - Buckingham Palace" = Hidden Mysteries: Buckingham Palace ™
"BFG-Magic Encyclopedia" = Magic Encyclopedia
"BFG-Mystery Case Files - Dire Grove Collector's Edition" = Mystery Case Files®: Dire Grove™ Collector's Edition
"BFG-Mystery Case Files - Return to Ravenhearst" = Mystery Case Files: Return to Ravenhearst ™
"BFG-Nancy Drew - The Haunting of Castle Malloy" = Nancy Drew: The Haunting of Castle Malloy
"BFG-Penny Dreadfuls - Sweeney Todd Collector's Edition" = Penny Dreadfuls: Sweeney Todd Collector`s Edition
"BFG-The Serpent of Isis" = The Serpent of Isis ™
"BFG-The Treasures of Mystery Island" = The Treasures of Mystery Island
"BFG-The White House" = The White House
"BFG-Treasure Seekers - The Enchanted Canvases" = Treasure Seekers: The Enchanted Canvases
"BFG-Yard Sale Hidden Treasures - Lucky Junction" = Yard Sale Hidden Treasures: Lucky Junction
"BroadJump Client Foundation" = BroadJump Client Foundation
"ChromaticaV1.0" = Chromatica
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1" = Conexant D850 56K V.9x DFVc Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"Dream Day Wedding Viva Las Vegas" = Dream Day Wedding Viva Las Vegas (remove only)
"Dream Day Wedding: Bella Italia" = Dream Day Wedding: Bella Italia (remove only)
"FileZilla Client" = FileZilla Client 3.3.2.1
"Free RAR Extract Frog" = Free RAR Extract Frog
"HijackThis" = HijackThis 2.0.2
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"InstallWIX_{6580C5A3-2336-4EC5-85F1-3448C5F6208A}" = Kaspersky Anti-Virus 2009
"iWinArcade" = iWin Games (remove only)
"Jewel Quest Mysteries: Trail of the Midnight Heart" = Jewel Quest Mysteries: Trail of the Midnight Heart (remove only)
"Jojos Fashion Show 2 Las Cruces" = Jojos Fashion Show 2 Las Cruces (remove only)
"KLiteCodecPack_is1" = K-Lite Codec Pack 5.1.0 (Full)
"Lexmark 7600 Series" = Lexmark 7600 Series
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.0.18)" = Mozilla Firefox (3.0.18)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Musicnotes Combined Installer_is1" = Musicnotes Software Suite 1.4.3
"Mysterious City Vegas" = Mysterious City Vegas (remove only)
"Pdf995" = Pdf995 (installed by H&R Block)
"PdfEdit995" = PdfEdit995 (installed by H&R Block)
"Shockwave" = Shockwave
"ViewpointMediaPlayer" = Viewpoint Media Player
"WampServer 2_is1" = WampServer 2.0
"WebPost" = Microsoft Web Publishing Wizard 1.52
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Applications" = AT&T Yahoo! Applications
"Yahoo! IE Suggest" = Yahoo! Search Suggest Add-on for IE7

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"309a46b1dc89b774" = Dell Driver Download Manager
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/12/2010 4:11:59 AM | Computer Name = KERRY-ZDAF543BN | Source = Microsoft Office 11 | ID = 2000
Description = Accepted Safe Mode action : Microsoft Office Outlook.

Error - 4/13/2010 2:00:56 AM | Computer Name = KERRY-ZDAF543BN | Source = EventSystem | ID = 4614
Description = The COM+ Event System detected an inconsistency in its internal state.
The assertion "GetLastError() == 122L" failed at line 162 of d:\comxp_sp3\com\com1x\src\events\shared\sectools.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 4/13/2010 12:57:25 PM | Computer Name = KERRY-ZDAF543BN | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module 3difr.x3d, version 9.0.0.0, fault address 0x0001d5ff.

Error - 4/13/2010 3:26:28 PM | Computer Name = KERRY-ZDAF543BN | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.18702, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x0000e843.

Error - 4/13/2010 4:57:04 PM | Computer Name = KERRY-ZDAF543BN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: The connection with the server was terminated abnormally

Error - 4/13/2010 4:59:40 PM | Computer Name = KERRY-ZDAF543BN | Source = MsiInstaller | ID = 1013
Description = Product: Kaspersky Internet Security 2010 -- Your computer already
has Kaspersky Lab application installed. Please uninstall it before installing
Kaspersky Internet Security 2010.

[ System Events ]
Error - 4/12/2010 3:02:20 PM | Computer Name = KERRY-ZDAF543BN | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 4/12/2010 3:02:20 PM | Computer Name = KERRY-ZDAF543BN | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 4/12/2010 3:08:57 PM | Computer Name = KERRY-ZDAF543BN | Source = DCOM | ID = 10010
Description = The server {B69003B3-C55E-4B48-836C-BC5946FC3B28} did not register
with DCOM within the required timeout.

Error - 4/12/2010 3:10:57 PM | Computer Name = KERRY-ZDAF543BN | Source = DCOM | ID = 10010
Description = The server {B69003B3-C55E-4B48-836C-BC5946FC3B28} did not register
with DCOM within the required timeout.

Error - 4/12/2010 3:12:57 PM | Computer Name = KERRY-ZDAF543BN | Source = DCOM | ID = 10010
Description = The server {B69003B3-C55E-4B48-836C-BC5946FC3B28} did not register
with DCOM within the required timeout.

Error - 4/12/2010 3:14:57 PM | Computer Name = KERRY-ZDAF543BN | Source = DCOM | ID = 10010
Description = The server {B69003B3-C55E-4B48-836C-BC5946FC3B28} did not register
with DCOM within the required timeout.

Error - 4/12/2010 3:21:16 PM | Computer Name = KERRY-ZDAF543BN | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 4/12/2010 3:21:16 PM | Computer Name = KERRY-ZDAF543BN | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.

Error - 4/12/2010 3:38:42 PM | Computer Name = KERRY-ZDAF543BN | Source = Service Control Manager | ID = 7022
Description = The Server service hung on starting.

Error - 4/12/2010 3:38:42 PM | Computer Name = KERRY-ZDAF543BN | Source = Service Control Manager | ID = 7001
Description = The Computer Browser service depends on the Server service which failed
to start because of the following error: %%1070


< End of report >


Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by Belahzur on Fri Apr 16, 2010 8:20 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.

  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by keribear on Fri Apr 16, 2010 9:14 pm

ComboFix 10-04-15.05 - Owner 04/16/2010 13:43:33.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.719 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\iWin Games\iWinGamesHookIE.dll
c:\windows\Fonts\a.zip

.
((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))
.

2010-04-15 00:07 . 2010-04-15 00:07 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-04-15 00:05 . 2010-04-15 00:05 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-14 21:41 . 2010-04-14 21:41 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-04-14 19:36 . 2010-04-14 19:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-14 18:44 . 2010-04-14 18:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-04-14 18:44 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-14 18:44 . 2010-04-14 20:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-14 18:44 . 2010-04-14 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-14 18:44 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-13 18:39 . 2010-04-13 18:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-04-12 20:38 . 2010-04-12 20:38 -------- d-----w- c:\program files\FileZilla FTP Client
2010-04-12 18:48 . 2010-04-12 18:48 36488 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-04-12 05:43 . 2010-04-12 05:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-12 01:27 . 2010-04-12 01:27 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-12 01:16 . 2010-04-13 16:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-12 01:16 . 2010-04-12 01:16 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-12 01:16 . 2010-04-12 01:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-30 21:27 . 2010-03-30 21:27 -------- d-----w- c:\documents and settings\Owner\Application Data\pdf995
2010-03-30 21:22 . 2010-04-12 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-03-30 21:22 . 2007-08-24 18:13 142 ----a-w- c:\windows\wpd99.drv
2010-03-30 21:22 . 2010-03-30 21:22 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2010-03-30 21:22 . 2010-03-30 21:22 249856 ----a-w- c:\windows\system32\pdfmona.dll
2010-03-26 17:49 . 2010-03-26 17:49 -------- d-----w- C:\shop3
2010-03-22 05:09 . 2010-03-22 05:09 -------- d-----w- c:\program files\3ivx
2010-03-22 05:09 . 2010-03-22 05:09 -------- d-----w- c:\program files\Flip Video
2010-03-22 05:09 . 2010-03-22 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video
2010-03-18 21:13 . 2010-04-12 00:52 -------- d-----w- c:\program files\DeductionPro 2009
2010-03-18 21:11 . 2010-03-18 21:12 -------- d-----w- c:\program files\HRBlock2009

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-16 20:53 . 2009-07-12 02:50 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-04-16 20:51 . 2009-05-05 23:20 7132192 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-04-16 20:51 . 2009-05-05 23:20 56800 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-04-16 20:51 . 2009-05-05 23:20 5392 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-04-16 20:51 . 2009-05-05 23:20 1261600 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-04-16 20:49 . 2009-06-13 23:49 -------- d-----w- c:\program files\iWin Games
2010-04-16 19:47 . 2009-05-05 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-04-16 04:56 . 2009-08-28 23:53 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-04-16 04:55 . 2009-08-28 23:55 110592 ----a-w- c:\documents and settings\Owner\Application Data\U3\temp\cleanup.exe
2010-04-16 04:55 . 2009-08-28 23:53 3096576 ---ha-w- c:\documents and settings\Owner\Application Data\U3\temp\Launchpad Removal.exe
2010-04-15 23:57 . 2008-10-10 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-15 00:15 . 2008-10-10 19:15 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-15 00:13 . 2010-04-15 00:13 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-04-14 23:01 . 2010-01-04 23:23 -------- d-----w- c:\documents and settings\Owner\Application Data\FileZilla
2010-04-14 21:46 . 2010-04-14 21:46 37248 ----a-w- c:\windows\system32\drivers\OLD76.tmp
2010-04-14 21:45 . 2010-04-14 21:44 37248 ----a-w- c:\windows\system32\drivers\OLD73.tmp
2010-04-14 21:44 . 2010-04-14 21:44 37248 ----a-w- c:\windows\system32\drivers\OLD70.tmp
2010-04-14 21:42 . 2010-04-14 21:42 37248 ----a-w- c:\windows\system32\drivers\OLD6C.tmp
2010-04-14 21:40 . 2010-04-14 21:40 37248 ----a-w- c:\windows\system32\drivers\OLD65.tmp
2010-04-14 21:39 . 2010-04-14 21:39 37248 ----a-w- c:\windows\system32\drivers\OLD61.tmp
2010-04-14 21:36 . 2010-04-14 21:36 37248 ----a-w- c:\windows\system32\drivers\OLD5A.tmp
2010-04-14 21:34 . 2010-04-14 21:34 37248 ----a-w- c:\windows\system32\drivers\OLD56.tmp
2010-04-14 21:33 . 2010-04-14 21:33 37248 ----a-w- c:\windows\system32\drivers\OLD52.tmp
2010-04-14 21:30 . 2010-04-14 21:30 37248 ----a-w- c:\windows\system32\drivers\OLD4B.tmp
2010-04-14 21:27 . 2010-04-14 21:27 37248 ----a-w- c:\windows\system32\drivers\OLD47.tmp
2010-04-14 21:23 . 2010-04-14 21:23 37248 ----a-w- c:\windows\system32\drivers\OLD40.tmp
2010-04-14 21:22 . 2010-04-14 21:22 37248 ----a-w- c:\windows\system32\drivers\OLD3B.tmp
2010-04-14 21:20 . 2010-04-14 21:20 37248 ----a-w- c:\windows\system32\drivers\OLD33.tmp
2010-04-14 21:18 . 2010-04-14 21:18 37248 ----a-w- c:\windows\system32\drivers\OLD2E.tmp
2010-04-14 21:16 . 2010-04-14 21:16 37248 ----a-w- c:\windows\system32\drivers\OLD22.tmp
2010-04-14 21:14 . 2010-04-14 21:14 37248 ----a-w- c:\windows\system32\drivers\OLD1B.tmp
2010-04-14 18:44 . 2010-04-14 21:41 37248 ----a-w- c:\windows\system32\drivers\OLD69.tmp
2010-04-14 18:44 . 2010-04-14 21:17 37248 ----a-w- c:\windows\system32\drivers\OLD27.tmp
2010-04-12 23:59 . 2009-05-05 18:57 -------- d-----w- c:\program files\Java
2010-04-12 23:57 . 2010-04-12 23:57 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-04-12 23:56 . 2009-12-01 11:31 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-04-12 18:48 . 2010-04-12 18:48 96512 ----a-w- c:\windows\system32\drivers\tskC.tmp
2010-04-12 00:33 . 2009-02-22 22:21 -------- d-----w- c:\documents and settings\Owner\Application Data\TaxCut
2010-04-10 19:26 . 2009-03-02 07:44 -------- d-----w- c:\program files\Safari
2010-04-10 19:24 . 2008-10-21 05:50 -------- d-----w- c:\program files\Common Files\Apple
2010-04-09 06:47 . 2008-10-09 20:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-08 18:18 . 2009-12-02 01:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Any Audio Converter
2010-04-01 20:31 . 2009-05-31 17:30 116300 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-30 21:22 . 2009-02-22 22:15 -------- d-----w- c:\program files\PDF995
2010-03-22 19:27 . 2010-03-22 19:27 3743944 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockCA.exe
2010-03-19 17:24 . 2009-06-08 16:16 -------- d-----w- c:\program files\iWin.com
2010-03-18 21:15 . 2010-03-18 21:14 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe
2010-03-18 21:13 . 2008-10-08 03:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-18 21:06 . 2009-02-22 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-03-13 02:14 . 2010-03-13 02:14 20 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\bases\apu\ForDiff\apu0001.dat.exe
2010-03-12 18:50 . 2010-03-12 18:50 114330 ----a-w- c:\documents and settings\All Users\SPLD.tmp
2010-03-12 18:37 . 2010-03-12 18:37 115562 ----a-w- c:\documents and settings\All Users\SPL3ED3.tmp
2010-03-10 06:15 . 2003-07-16 20:49 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 19:26 . 2009-09-27 01:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Any DVD Converter Professional
2010-03-04 11:00 . 2010-03-04 11:00 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-02-28 00:26 . 2010-02-28 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Musicnotes
2010-02-28 00:15 . 2008-10-08 04:35 147584 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-28 00:15 . 2010-02-28 00:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Sibelius Software
2010-02-28 00:15 . 2010-02-28 00:14 -------- d-----w- c:\program files\Musicnotes
2010-02-28 00:07 . 2008-10-09 20:00 -------- d-----w- c:\program files\Games
2010-02-27 23:49 . 2008-10-09 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2010-02-25 06:24 . 2003-07-16 20:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 18:13 . 2008-10-13 19:24 -------- d-----w- c:\program files\WS_FTP
2010-02-24 13:11 . 2003-07-16 20:34 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-21 03:10 . 2010-02-21 03:10 13664 ----a-w- c:\documents and settings\All Users\SPL6B4.tmp
2010-02-17 16:10 . 2003-07-16 20:39 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2002-08-29 01:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2003-07-16 20:23 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2003-07-16 20:47 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-01 01:45 . 2010-04-15 00:05 38784 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2010-02-01 01:45 . 2010-04-15 00:05 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-12-02 01:57 . 2009-12-02 01:57 15203738 ----a-w- c:\program files\any-audio-converter.exe
2009-12-02 01:49 . 2009-12-02 01:49 15386889 ----a-w- c:\program files\avc-free.exe
2009-06-05 17:40 . 2009-06-05 17:40 38709280 ----a-w- c:\program files\kav8.0.0.506en.exe
2009-05-22 20:15 . 2009-05-22 20:15 434832 ----a-w- c:\program files\switchsetup.exe
2009-05-14 18:15 . 2009-05-14 18:15 140800 ----a-w- c:\program files\ODMediaConsoleSetup.exe
2009-03-02 07:43 . 2009-03-02 07:43 26699048 ----a-w- c:\program files\SafariSetup.exe
2009-02-03 11:59 . 2009-02-03 11:59 1226 ----a-w- c:\program files\setup.reg
2008-11-14 09:52 . 2008-11-14 09:52 41937 ----a-w- c:\program files\release_notes_kav8.0cf2_en.html
2008-11-13 17:23 . 2008-11-13 17:23 40375808 ----a-w- c:\program files\kav.en.msi
2008-11-04 18:53 . 2008-11-04 18:53 5166072 ----a-w- c:\program files\msgrplus.exe
2008-10-28 17:25 . 2008-10-28 17:25 283843 ----a-w- c:\program files\youmurdererbb_tt.zip
2008-10-21 05:49 . 2008-10-21 05:49 67167528 ----a-w- c:\program files\iTunes801Setup.exe
2008-10-17 20:37 . 2008-10-15 20:40 1851544 ----a-w- c:\program files\install_flash_player.exe
2008-10-09 20:01 . 2008-10-09 20:01 0 ----a-w- c:\program files\temp01
2008-10-09 00:27 . 2008-10-09 00:27 50689960 ----a-w- c:\program files\avg_free_stf_en_8_173a1373.exe
2008-10-09 00:22 . 2008-10-09 00:22 19153264 ----a-w- c:\program files\aaw2008.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-07-11 00:28 1174920 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-11 1174920]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-07-11 1174920]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-10-02 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-10-02 118784]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"IPInSightLAN 01"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 380928]
"IPInSightMonitor 01"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 122880]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-07-21 208616]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"lxdwmon.exe"="c:\program files\Lexmark 7600 Series\lxdwmon.exe" [2008-09-10 676520]
"lxdwamon"="c:\program files\Lexmark 7600 Series\lxdwamon.exe" [2008-09-10 16040]
"Lexmark 7600 Series Fax Server"="c:\program files\Lexmark 7600 Series\fm3032.exe" [2008-09-10 311976]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-10-7 656896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-14 113664]
Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\pmremind.exe [2009-2-17 331776]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\lxdwcoms.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [1/21/2010 12:12 PM 78104]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
R2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [8/7/2009 1:01 PM 98984]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/19/2009 10:32 PM 24652]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592]
S3 klmd21;klmd21;c:\windows\system32\drivers\klmd.sys --> c:\windows\system32\drivers\klmd.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
.
Contents of the 'Scheduled Tasks' folder

2010-04-16 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-07-11 00:29]

2010-04-16 c:\windows\Tasks\User_Feed_Synchronization-{54802705-6404-494B-8E69-3EC5B0EF9994}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmd21.sys
AddRemove-ChromaticaV1.0 - c:\win32app\Photoshp\Plugins\Photoshop\DeIsL1.isu
AddRemove-HijackThis - c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O8MZD3GF\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-16 13:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-115176313-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2168)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\docume~1\Owner\LOCALS~1\Temp\catchme.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\program files\Lexmark 7600 Series\lxdwMsdMon.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdwcoms.exe
.
**************************************************************************
.
Completion time: 2010-04-16 14:00:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-16 20:59

Pre-Run: 278,961,709,056 bytes free
Post-Run: 279,885,266,944 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 0256B4AD4FEB8EAAD2381C2578885660


Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by Belahzur on Sat Apr 17, 2010 12:37 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Ask Toolbar
    Viewpoint Media Player
    Viewpoint Manager

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by keribear on Sat Apr 17, 2010 4:43 pm

I didn't see View Point Manager, but removed Ask Toolbar and View Point Media Player. (computer seems much faster)

GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
Rootkit quick scan 2010-04-17 09:40:32
Windows 5.1.2600 Service Pack 3
Running: hp924d7t.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kgtyqpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xB1C1C0A8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xB1C1C110]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- EOF - GMER 1.0.15 ----


Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by keribear on Sat Apr 17, 2010 7:11 pm

I will be back later today.


Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by Belahzur on Sat Apr 17, 2010 7:20 pm

Hello.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    FileLook::
    c:\windows\system32\drivers\isapnp.sys
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.



Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by keribear on Sun Apr 18, 2010 3:27 am

ComboFix 10-04-15.05 - Owner 04/17/2010 19:57:07.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.661 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))
.

2010-04-15 00:13 . 2010-04-15 00:13 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-04-15 00:07 . 2010-04-15 00:07 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-04-15 00:05 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2010-04-15 00:05 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2010-04-15 00:05 . 2010-04-15 00:05 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-14 21:41 . 2010-04-14 21:41 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-04-14 19:36 . 2010-04-14 19:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-14 18:44 . 2010-04-14 18:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-04-14 18:44 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-14 18:44 . 2010-04-14 20:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-14 18:44 . 2010-04-14 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-14 18:44 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-13 18:39 . 2010-04-13 18:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-04-12 23:57 . 2010-04-12 23:57 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-04-12 20:38 . 2010-04-12 20:38 -------- d-----w- c:\program files\FileZilla FTP Client
2010-04-12 18:48 . 2010-04-12 18:48 36488 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-04-12 05:43 . 2010-04-12 05:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-12 01:27 . 2010-04-12 01:27 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-12 01:16 . 2010-04-13 16:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-12 01:16 . 2010-04-12 01:16 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-12 01:16 . 2010-04-12 01:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-30 21:27 . 2010-03-30 21:27 -------- d-----w- c:\documents and settings\Owner\Application Data\pdf995
2010-03-30 21:22 . 2010-04-12 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-03-30 21:22 . 2007-08-24 18:13 142 ----a-w- c:\windows\wpd99.drv
2010-03-30 21:22 . 2010-03-30 21:22 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2010-03-30 21:22 . 2010-03-30 21:22 249856 ----a-w- c:\windows\system32\pdfmona.dll
2010-03-26 17:49 . 2010-03-26 17:49 -------- d-----w- C:\shop3
2010-03-22 19:27 . 2010-03-22 19:27 3743944 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockCA.exe
2010-03-22 05:09 . 2010-03-22 05:09 -------- d-----w- c:\program files\3ivx
2010-03-22 05:09 . 2010-03-22 05:09 -------- d-----w- c:\program files\Flip Video
2010-03-22 05:09 . 2010-03-22 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-17 16:35 . 2009-04-20 05:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-17 16:29 . 2009-05-05 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-04-17 16:12 . 2009-07-12 02:50 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-04-16 23:53 . 2009-05-05 23:20 7132192 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-04-16 23:53 . 2009-05-05 23:20 56800 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-04-16 23:53 . 2009-05-05 23:20 5420 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-04-16 23:53 . 2009-05-05 23:20 1269792 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-04-16 20:49 . 2009-06-13 23:49 -------- d-----w- c:\program files\iWin Games
2010-04-16 04:56 . 2009-08-28 23:53 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-04-16 04:55 . 2009-08-28 23:55 110592 ----a-w- c:\documents and settings\Owner\Application Data\U3\temp\cleanup.exe
2010-04-16 04:55 . 2009-08-28 23:53 3096576 ---ha-w- c:\documents and settings\Owner\Application Data\U3\temp\Launchpad Removal.exe
2010-04-15 23:57 . 2008-10-10 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-15 00:15 . 2008-10-10 19:15 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-14 23:01 . 2010-01-04 23:23 -------- d-----w- c:\documents and settings\Owner\Application Data\FileZilla
2010-04-14 21:46 . 2010-04-14 21:46 37248 ----a-w- c:\windows\system32\drivers\OLD76.tmp
2010-04-14 21:45 . 2010-04-14 21:44 37248 ----a-w- c:\windows\system32\drivers\OLD73.tmp
2010-04-14 21:44 . 2010-04-14 21:44 37248 ----a-w- c:\windows\system32\drivers\OLD70.tmp
2010-04-14 21:42 . 2010-04-14 21:42 37248 ----a-w- c:\windows\system32\drivers\OLD6C.tmp
2010-04-14 21:40 . 2010-04-14 21:40 37248 ----a-w- c:\windows\system32\drivers\OLD65.tmp
2010-04-14 21:39 . 2010-04-14 21:39 37248 ----a-w- c:\windows\system32\drivers\OLD61.tmp
2010-04-14 21:36 . 2010-04-14 21:36 37248 ----a-w- c:\windows\system32\drivers\OLD5A.tmp
2010-04-14 21:34 . 2010-04-14 21:34 37248 ----a-w- c:\windows\system32\drivers\OLD56.tmp
2010-04-14 21:33 . 2010-04-14 21:33 37248 ----a-w- c:\windows\system32\drivers\OLD52.tmp
2010-04-14 21:30 . 2010-04-14 21:30 37248 ----a-w- c:\windows\system32\drivers\OLD4B.tmp
2010-04-14 21:27 . 2010-04-14 21:27 37248 ----a-w- c:\windows\system32\drivers\OLD47.tmp
2010-04-14 21:23 . 2010-04-14 21:23 37248 ----a-w- c:\windows\system32\drivers\OLD40.tmp
2010-04-14 21:22 . 2010-04-14 21:22 37248 ----a-w- c:\windows\system32\drivers\OLD3B.tmp
2010-04-14 21:20 . 2010-04-14 21:20 37248 ----a-w- c:\windows\system32\drivers\OLD33.tmp
2010-04-14 21:18 . 2010-04-14 21:18 37248 ----a-w- c:\windows\system32\drivers\OLD2E.tmp
2010-04-14 21:16 . 2010-04-14 21:16 37248 ----a-w- c:\windows\system32\drivers\OLD22.tmp
2010-04-14 21:14 . 2010-04-14 21:14 37248 ----a-w- c:\windows\system32\drivers\OLD1B.tmp
2010-04-14 18:44 . 2010-04-14 21:41 37248 ----a-w- c:\windows\system32\drivers\OLD69.tmp
2010-04-14 18:44 . 2010-04-14 21:17 37248 ----a-w- c:\windows\system32\drivers\OLD27.tmp
2010-04-12 23:59 . 2009-05-05 18:57 -------- d-----w- c:\program files\Java
2010-04-12 23:56 . 2009-12-01 11:31 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-04-12 18:48 . 2010-04-12 18:48 96512 ----a-w- c:\windows\system32\drivers\tskC.tmp
2010-04-12 00:52 . 2010-03-18 21:13 -------- d-----w- c:\program files\DeductionPro 2009
2010-04-12 00:33 . 2009-02-22 22:21 -------- d-----w- c:\documents and settings\Owner\Application Data\TaxCut
2010-04-10 19:26 . 2009-03-02 07:44 -------- d-----w- c:\program files\Safari
2010-04-10 19:24 . 2008-10-21 05:50 -------- d-----w- c:\program files\Common Files\Apple
2010-04-09 06:47 . 2008-10-09 20:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-08 18:18 . 2009-12-02 01:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Any Audio Converter
2010-04-01 20:31 . 2009-05-31 17:30 116300 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-30 21:22 . 2009-02-22 22:15 -------- d-----w- c:\program files\PDF995
2010-03-19 17:24 . 2009-06-08 16:16 -------- d-----w- c:\program files\iWin.com
2010-03-18 21:15 . 2010-03-18 21:14 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe
2010-03-18 21:13 . 2008-10-08 03:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-18 21:12 . 2010-03-18 21:11 -------- d-----w- c:\program files\HRBlock2009
2010-03-18 21:06 . 2009-02-22 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-03-13 02:14 . 2010-03-13 02:14 20 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\bases\apu\ForDiff\apu0001.dat.exe
2010-03-12 18:50 . 2010-03-12 18:50 114330 ----a-w- c:\documents and settings\All Users\SPLD.tmp
2010-03-12 18:37 . 2010-03-12 18:37 115562 ----a-w- c:\documents and settings\All Users\SPL3ED3.tmp
2010-03-10 06:15 . 2003-07-16 20:49 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 19:26 . 2009-09-27 01:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Any DVD Converter Professional
2010-03-04 11:00 . 2010-03-04 11:00 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-02-28 00:26 . 2010-02-28 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Musicnotes
2010-02-28 00:15 . 2008-10-08 04:35 147584 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-28 00:15 . 2010-02-28 00:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Sibelius Software
2010-02-28 00:15 . 2010-02-28 00:14 -------- d-----w- c:\program files\Musicnotes
2010-02-28 00:07 . 2008-10-09 20:00 -------- d-----w- c:\program files\Games
2010-02-27 23:49 . 2008-10-09 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2010-02-25 06:24 . 2003-07-16 20:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 18:13 . 2008-10-13 19:24 -------- d-----w- c:\program files\WS_FTP
2010-02-24 13:11 . 2003-07-16 20:34 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-21 03:10 . 2010-02-21 03:10 13664 ----a-w- c:\documents and settings\All Users\SPL6B4.tmp
2010-02-17 16:10 . 2003-07-16 20:39 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2002-08-29 01:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2003-07-16 20:23 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2003-07-16 20:47 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-12-02 01:57 . 2009-12-02 01:57 15203738 ----a-w- c:\program files\any-audio-converter.exe
2009-12-02 01:49 . 2009-12-02 01:49 15386889 ----a-w- c:\program files\avc-free.exe
2009-06-05 17:40 . 2009-06-05 17:40 38709280 ----a-w- c:\program files\kav8.0.0.506en.exe
2009-05-22 20:15 . 2009-05-22 20:15 434832 ----a-w- c:\program files\switchsetup.exe
2009-05-14 18:15 . 2009-05-14 18:15 140800 ----a-w- c:\program files\ODMediaConsoleSetup.exe
2009-03-02 07:43 . 2009-03-02 07:43 26699048 ----a-w- c:\program files\SafariSetup.exe
2009-02-03 11:59 . 2009-02-03 11:59 1226 ----a-w- c:\program files\setup.reg
2008-11-14 09:52 . 2008-11-14 09:52 41937 ----a-w- c:\program files\release_notes_kav8.0cf2_en.html
2008-11-13 17:23 . 2008-11-13 17:23 40375808 ----a-w- c:\program files\kav.en.msi
2008-11-04 18:53 . 2008-11-04 18:53 5166072 ----a-w- c:\program files\msgrplus.exe
2008-10-28 17:25 . 2008-10-28 17:25 283843 ----a-w- c:\program files\youmurdererbb_tt.zip
2008-10-21 05:49 . 2008-10-21 05:49 67167528 ----a-w- c:\program files\iTunes801Setup.exe
2008-10-17 20:37 . 2008-10-15 20:40 1851544 ----a-w- c:\program files\install_flash_player.exe
2008-10-09 20:01 . 2008-10-09 20:01 0 ----a-w- c:\program files\temp01
2008-10-09 00:27 . 2008-10-09 00:27 50689960 ----a-w- c:\program files\avg_free_stf_en_8_173a1373.exe
2008-10-09 00:22 . 2008-10-09 00:22 19153264 ----a-w- c:\program files\aaw2008.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\system32\drivers\isapnp.sys ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 37248
Created time: 2010-04-14 21:41
Modified time: 2010-04-14 21:41
MD5: A1CB15AB32964320AD96FAB749D30BD4
SHA1: D8E29A451EA55547EB05B92941270F8507EEAEAD


((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-17 16:13 . 2010-04-17 16:13 16384 c:\windows\Temp\Perflib_Perfdata_24c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-10-02 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-10-02 118784]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"IPInSightLAN 01"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 380928]
"IPInSightMonitor 01"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 122880]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-07-21 208616]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"lxdwmon.exe"="c:\program files\Lexmark 7600 Series\lxdwmon.exe" [2008-09-10 676520]
"lxdwamon"="c:\program files\Lexmark 7600 Series\lxdwamon.exe" [2008-09-10 16040]
"Lexmark 7600 Series Fax Server"="c:\program files\Lexmark 7600 Series\fm3032.exe" [2008-09-10 311976]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-10-7 656896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-14 113664]
Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\pmremind.exe [2009-2-17 331776]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\lxdwcoms.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [1/21/2010 12:12 PM 78104]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
R2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [8/7/2009 1:01 PM 98984]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592]
S3 klmd21;klmd21;c:\windows\system32\drivers\klmd.sys --> c:\windows\system32\drivers\klmd.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KGTYQPOB
*Deregistered* - IPVNMon
*Deregistered* - kgtyqpob
.
Contents of the 'Scheduled Tasks' folder

2010-04-17 c:\windows\Tasks\User_Feed_Synchronization-{54802705-6404-494B-8E69-3EC5B0EF9994}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-17 20:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-115176313-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(660)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-17 20:09:44
ComboFix-quarantined-files.txt 2010-04-18 03:09
ComboFix2.txt 2010-04-16 21:10

Pre-Run: 279,855,607,808 bytes free
Post-Run: 279,810,387,968 bytes free

- - End Of File - - C3DF4C43869B78239D06D54DF55EBA36


Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by Belahzur on Sun Apr 18, 2010 4:44 pm

Submit a file for analysis.

  1. Please visit this website: [You must be registered and logged in to see this link.]
  2. Press the "Browse" button and locate the following file in bold:
    C:\WINDOWS\system32\drivers\isapnp.sys
  3. Press the "Submit File" button to submit the file for analysis.
  4. Allow it to be scanned; it could take a few minutes depending on server load.
  5. Copy and paste the result back here.



Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by keribear on Sun Apr 18, 2010 5:18 pm

I'm sorry I wasn't sure what to copy, but here goes:

2010-04-18 Found nothing 2010-04-16 Found nothing
2010-04-18 Found nothing 2010-04-18 Win32:Alureon-FZ
2010-04-18 Win32:Alureon-FZ 2010-04-18 Found nothing
2010-04-18 Found nothing 2010-04-18 Found nothing
2010-04-16 Found nothing 2010-04-18 Found nothing
2010-04-18 Found nothing 2010-04-18 Found nothing
2010-04-18 Found nothing 2010-04-16 Found nothing
2010-04-18 Found nothing 2010-04-18 Found nothing
2010-04-18 Found nothing 2010-04-16 Found nothing
2010-04-17 Found nothing 2010-04-18 Found nothing

Filename: isapnp.sys
Status: Scan finished. 2 out of 20 scanners reported malware.

Additional Info:
File size: 37248 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: a1cb15ab32964320ad96fab749d30bd4
SHA1: d8e29a451ea55547eb05b92941270f8507eeaead
Packer (Kaspersky): PE_Patch


Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by Belahzur on Sun Apr 18, 2010 5:32 pm

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    isapnp.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by keribear on Sun Apr 18, 2010 6:07 pm

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 11:02 on 18/04/2010 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "isapnp.sys"
C:\WINDOWS\ServicePackFiles\i386\isapnp.sys ------ 37248 bytes [04:21 08/10/2008] [18:36 13/04/2008] 05A299EC56E52649B1CF2FC52D20F2D7
C:\WINDOWS\system32\dllcache\isapnp.sys --a--c 37248 bytes [03:12 08/10/2008] [21:48 14/04/2010] 05A299EC56E52649B1CF2FC52D20F2D7
C:\WINDOWS\system32\drivers\isapnp.sys --a--- 37248 bytes [21:41 14/04/2010] [21:41 14/04/2010] A1CB15AB32964320AD96FAB749D30BD4
C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\isapnp.sys --a--- 35840 bytes [03:12 08/10/2008] [20:30 16/07/2003] E504F706CCB699C2596E9A3DA1596E87

-=End Of File=-

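The four filefind lines in that SystemLook log carry the whole diagnosis: the live driver in system32\drivers has an MD5 that matches neither the dllcache copy nor the ServicePackFiles copy (which agree with each other), it is the same 37248 bytes as those two, and both of its timestamps fall on 14/04/2010, the day the infection was found; the ReinstallBackups copy is an older 35840-byte build with its own hash. The script below is an added example, not SystemLook's or ComboFix's own code: it parses filefind lines of this shape, treats every copy outside system32\drivers as a reference, passes the live driver only if its hash equals at least one reference copy, lists the differing reference copies as restore candidates (the FCopy step that follows in the thread does that restore by hand), and then repeats the same check against real hashes on a throwaway directory tree. The log text is the four lines from this thread; the on-disk demo uses constructed file bodies.

```python
"""Cross-check the copies of a driver that SystemLook's filefind reports.

Added example (not SystemLook's or ComboFix's own code). SYSTEMLOOK_LOG holds
the four lines posted in this thread; demo_on_disk() uses constructed bytes.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# The filefind lines from the thread, verbatim (paths, sizes, stamps, MD5s).
SYSTEMLOOK_LOG = r"""
Searching for "isapnp.sys"
C:\WINDOWS\ServicePackFiles\i386\isapnp.sys ------ 37248 bytes [04:21 08/10/2008] [18:36 13/04/2008] 05A299EC56E52649B1CF2FC52D20F2D7
C:\WINDOWS\system32\dllcache\isapnp.sys --a--c 37248 bytes [03:12 08/10/2008] [21:48 14/04/2010] 05A299EC56E52649B1CF2FC52D20F2D7
C:\WINDOWS\system32\drivers\isapnp.sys --a--- 37248 bytes [21:41 14/04/2010] [21:41 14/04/2010] A1CB15AB32964320AD96FAB749D30BD4
C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\isapnp.sys --a--- 35840 bytes [03:12 08/10/2008] [20:30 16/07/2003] E504F706CCB699C2596E9A3DA1596E87
"""

# <path> <attrs> <size> bytes [<stamp>] [<stamp>] <MD5>; the non-greedy path
# tolerates spaces in directory names because attrs and size must follow it.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>\S+)\s+(?P<size>\d+) bytes "
    r"\[(?P<stamp_a>[^\]]+)\] \[(?P<stamp_b>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})\s*$"
)


@dataclass(frozen=True)
class Copy:
    path: str
    size: int
    stamp_a: str  # the two bracketed timestamps, in the order SystemLook prints them
    stamp_b: str
    md5: str      # upper-case hex so log values and computed values compare equal


def parse_filefind(text):
    """Return one Copy per filefind result line; other lines are ignored."""
    copies = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            copies.append(Copy(m["path"], int(m["size"]), m["stamp_a"],
                               m["stamp_b"], m["md5"].upper()))
    return copies


def is_live(copy):
    """The copy the kernel loads is the one under system32\\drivers."""
    return "\\system32\\drivers\\" in copy.path.replace("/", "\\").lower()


def check_driver(copies):
    """Compare the live driver with every other copy (dllcache, ServicePackFiles,
    install backups). It passes only if its hash equals at least one reference;
    references may differ from each other (different builds), so the rule is
    'matches one', not 'matches all'."""
    live = [c for c in copies if is_live(c)]
    refs = [c for c in copies if not is_live(c)]
    live_hashes = {c.md5 for c in live}
    ref_hashes = {c.md5 for c in refs}
    return {
        "live": live,
        "references": refs,
        "matches_cache": bool(live) and live_hashes <= ref_hashes,
        # reference copies whose content differs from the live file: the
        # candidates for a restore such as ComboFix's FCopy step
        "restore_from": [c.path for c in refs if c.md5 not in live_hashes],
    }


def md5_of_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def demo_on_disk(tamper=True):
    """Same check from real hashes on a throwaway tree of constructed files.
    With tamper=True the live copy has 16 bytes overwritten but keeps its
    length, which a size comparison misses and the hash catches."""
    good = b"MZ" + bytes(range(256)) * 4           # constructed stand-in body
    patched = good[:-16] + b"INJECTED-PAYLOAD"    # same size, different content
    layout = {
        "ServicePackFiles/i386/isapnp.sys": good,
        "system32/dllcache/isapnp.sys": good,
        "system32/drivers/isapnp.sys": patched if tamper else good,
    }
    with tempfile.TemporaryDirectory() as root:
        copies = []
        for rel, data in layout.items():
            p = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
            copies.append(Copy(p, os.path.getsize(p), "-", "-", md5_of_file(p)))
        return check_driver(copies)


if __name__ == "__main__":
    for result in (check_driver(parse_filefind(SYSTEMLOOK_LOG)), demo_on_disk()):
        for c in result["live"]:
            print(f"live {c.path}: {c.md5} ({c.size} bytes)")
        print("matches a reference copy:", result["matches_cache"])
        print("restore candidates:", result["restore_from"])
```

Run on the thread's four lines, the live copy fails the check and all three other copies come back as restore candidates; the tampered demo tree fails the same way, and the untampered one passes with no candidates. Two caveats worth keeping in mind: the dllcache copy in this log has a modification stamp from the same day as the infection even though its hash still matches the ServicePackFiles copy, and a cache copy that has been rewritten too would make this check pass, so hashes taken from offline media (the service pack files, an install CD) are the stronger reference.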

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by Belahzur on Sun Apr 18, 2010 6:12 pm

Hello.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    FCopy::
    C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\isapnp.sys | C:\WINDOWS\system32\drivers\isapnp.sys
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.



Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by keribear on Sun Apr 18, 2010 6:34 pm

ComboFix 10-04-15.05 - Owner 04/18/2010 11:21:30.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.684 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Anti-Virus *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\system32\ReinstallBackups\0001\DriverFiles\i386\isapnp.sys --> c:\windows\system32\drivers\isapnp.sys
.
((((((((((((((((((((((((( Files Created from 2010-03-18 to 2010-04-18 )))))))))))))))))))))))))))))))
.

2010-04-15 00:13 . 2010-04-15 00:13 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-04-15 00:07 . 2010-04-15 00:07 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Adobe
2010-04-15 00:05 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2010-04-15 00:05 . 2010-02-01 01:45 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2010-04-15 00:05 . 2010-04-15 00:05 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-14 21:41 . 2010-04-14 21:48 37248 -c--a-w- c:\windows\system32\dllcache\isapnp.sys
2010-04-14 21:41 . 2010-04-14 21:48 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys
2010-04-14 19:36 . 2010-04-14 19:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-14 18:44 . 2010-04-14 18:44 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-04-14 18:44 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-14 18:44 . 2010-04-14 20:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-14 18:44 . 2010-04-14 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-14 18:44 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-13 18:39 . 2010-04-13 18:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-04-12 23:57 . 2010-04-12 23:57 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-04-12 20:38 . 2010-04-12 20:38 -------- d-----w- c:\program files\FileZilla FTP Client
2010-04-12 18:48 . 2010-04-12 18:48 36488 ----a-w- c:\windows\system32\drivers\klmdb.sys
2010-04-12 05:43 . 2010-04-12 05:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-12 01:27 . 2010-04-12 01:27 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-04-12 01:16 . 2010-04-13 16:56 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-12 01:16 . 2010-04-12 01:16 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-12 01:16 . 2010-04-12 01:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-03-30 21:27 . 2010-03-30 21:27 -------- d-----w- c:\documents and settings\Owner\Application Data\pdf995
2010-03-30 21:22 . 2010-04-12 00:33 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2010-03-30 21:22 . 2007-08-24 18:13 142 ----a-w- c:\windows\wpd99.drv
2010-03-30 21:22 . 2010-03-30 21:22 51716 ----a-w- c:\windows\system32\pdf995mon.dll
2010-03-30 21:22 . 2010-03-30 21:22 249856 ----a-w- c:\windows\system32\pdfmona.dll
2010-03-26 17:49 . 2010-03-26 17:49 -------- d-----w- C:\shop3
2010-03-22 19:27 . 2010-03-22 19:27 3743944 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Downloads\HRBlockCA.exe
2010-03-22 05:09 . 2010-03-22 05:09 -------- d-----w- c:\program files\3ivx
2010-03-22 05:09 . 2010-03-22 05:09 -------- d-----w- c:\program files\Flip Video
2010-03-22 05:09 . 2010-03-22 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-18 12:13 . 2009-05-05 23:20 7271968 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-04-18 12:13 . 2009-05-05 23:20 57892 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-04-17 16:35 . 2009-04-20 05:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-04-17 16:29 . 2009-05-05 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-04-17 16:12 . 2009-07-12 02:50 720 ----a-w- c:\documents and settings\All Users\Application Data\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-04-16 23:53 . 2009-05-05 23:20 5420 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-04-16 23:53 . 2009-05-05 23:20 1269792 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-04-16 20:49 . 2009-06-13 23:49 -------- d-----w- c:\program files\iWin Games
2010-04-16 04:56 . 2009-08-28 23:53 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2010-04-16 04:55 . 2009-08-28 23:55 110592 ----a-w- c:\documents and settings\Owner\Application Data\U3\temp\cleanup.exe
2010-04-16 04:55 . 2009-08-28 23:53 3096576 ---ha-w- c:\documents and settings\Owner\Application Data\U3\temp\Launchpad Removal.exe
2010-04-15 23:57 . 2008-10-10 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-15 00:15 . 2008-10-10 19:15 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-14 23:01 . 2010-01-04 23:23 -------- d-----w- c:\documents and settings\Owner\Application Data\FileZilla
2010-04-14 21:46 . 2010-04-14 21:46 37248 ----a-w- c:\windows\system32\drivers\OLD76.tmp
2010-04-14 21:45 . 2010-04-14 21:44 37248 ----a-w- c:\windows\system32\drivers\OLD73.tmp
2010-04-14 21:44 . 2010-04-14 21:44 37248 ----a-w- c:\windows\system32\drivers\OLD70.tmp
2010-04-14 21:42 . 2010-04-14 21:42 37248 ----a-w- c:\windows\system32\drivers\OLD6C.tmp
2010-04-14 21:40 . 2010-04-14 21:40 37248 ----a-w- c:\windows\system32\drivers\OLD65.tmp
2010-04-14 21:39 . 2010-04-14 21:39 37248 ----a-w- c:\windows\system32\drivers\OLD61.tmp
2010-04-14 21:36 . 2010-04-14 21:36 37248 ----a-w- c:\windows\system32\drivers\OLD5A.tmp
2010-04-14 21:34 . 2010-04-14 21:34 37248 ----a-w- c:\windows\system32\drivers\OLD56.tmp
2010-04-14 21:33 . 2010-04-14 21:33 37248 ----a-w- c:\windows\system32\drivers\OLD52.tmp
2010-04-14 21:30 . 2010-04-14 21:30 37248 ----a-w- c:\windows\system32\drivers\OLD4B.tmp
2010-04-14 21:27 . 2010-04-14 21:27 37248 ----a-w- c:\windows\system32\drivers\OLD47.tmp
2010-04-14 21:23 . 2010-04-14 21:23 37248 ----a-w- c:\windows\system32\drivers\OLD40.tmp
2010-04-14 21:22 . 2010-04-14 21:22 37248 ----a-w- c:\windows\system32\drivers\OLD3B.tmp
2010-04-14 21:20 . 2010-04-14 21:20 37248 ----a-w- c:\windows\system32\drivers\OLD33.tmp
2010-04-14 21:18 . 2010-04-14 21:18 37248 ----a-w- c:\windows\system32\drivers\OLD2E.tmp
2010-04-14 21:16 . 2010-04-14 21:16 37248 ----a-w- c:\windows\system32\drivers\OLD22.tmp
2010-04-14 21:14 . 2010-04-14 21:14 37248 ----a-w- c:\windows\system32\drivers\OLD1B.tmp
2010-04-14 18:44 . 2010-04-14 21:41 37248 ----a-w- c:\windows\system32\drivers\OLD69.tmp
2010-04-14 18:44 . 2010-04-14 21:17 37248 ----a-w- c:\windows\system32\drivers\OLD27.tmp
2010-04-12 23:59 . 2009-05-05 18:57 -------- d-----w- c:\program files\Java
2010-04-12 23:56 . 2009-12-01 11:31 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-04-12 18:48 . 2010-04-12 18:48 96512 ----a-w- c:\windows\system32\drivers\tskC.tmp
2010-04-12 00:52 . 2010-03-18 21:13 -------- d-----w- c:\program files\DeductionPro 2009
2010-04-12 00:33 . 2009-02-22 22:21 -------- d-----w- c:\documents and settings\Owner\Application Data\TaxCut
2010-04-10 19:26 . 2009-03-02 07:44 -------- d-----w- c:\program files\Safari
2010-04-10 19:24 . 2008-10-21 05:50 -------- d-----w- c:\program files\Common Files\Apple
2010-04-09 06:47 . 2008-10-09 20:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-08 18:18 . 2009-12-02 01:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Any Audio Converter
2010-04-01 20:31 . 2009-05-31 17:30 116300 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-30 21:22 . 2009-02-22 22:15 -------- d-----w- c:\program files\PDF995
2010-03-19 17:24 . 2009-06-08 16:16 -------- d-----w- c:\program files\iWin.com
2010-03-18 21:15 . 2010-03-18 21:14 21195208 ----a-w- c:\documents and settings\All Users\Application Data\TaxCut\2009\Update\US30026901xupd.exe
2010-03-18 21:13 . 2008-10-08 03:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-18 21:12 . 2010-03-18 21:11 -------- d-----w- c:\program files\HRBlock2009
2010-03-18 21:06 . 2009-02-22 22:12 -------- d-----w- c:\documents and settings\All Users\Application Data\TaxCut
2010-03-13 02:14 . 2010-03-13 02:14 20 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP8\Data\Updater\Temporary Files\temporaryFolder\bases\apu\ForDiff\apu0001.dat.exe
2010-03-12 18:50 . 2010-03-12 18:50 114330 ----a-w- c:\documents and settings\All Users\SPLD.tmp
2010-03-12 18:37 . 2010-03-12 18:37 115562 ----a-w- c:\documents and settings\All Users\SPL3ED3.tmp
2010-03-10 06:15 . 2003-07-16 20:49 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 19:26 . 2009-09-27 01:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Any DVD Converter Professional
2010-03-04 11:00 . 2010-03-04 11:00 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-02-28 00:26 . 2010-02-28 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Musicnotes
2010-02-28 00:15 . 2008-10-08 04:35 147584 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-28 00:15 . 2010-02-28 00:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Sibelius Software
2010-02-28 00:15 . 2010-02-28 00:14 -------- d-----w- c:\program files\Musicnotes
2010-02-28 00:07 . 2008-10-09 20:00 -------- d-----w- c:\program files\Games
2010-02-27 23:49 . 2008-10-09 20:01 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2010-02-25 06:24 . 2003-07-16 20:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 18:13 . 2008-10-13 19:24 -------- d-----w- c:\program files\WS_FTP
2010-02-24 13:11 . 2003-07-16 20:34 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-21 03:10 . 2010-02-21 03:10 13664 ----a-w- c:\documents and settings\All Users\SPL6B4.tmp
2010-02-17 16:10 . 2003-07-16 20:39 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2002-08-29 01:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2003-07-16 20:23 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2003-07-16 20:47 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2009-12-02 01:57 . 2009-12-02 01:57 15203738 ----a-w- c:\program files\any-audio-converter.exe
2009-12-02 01:49 . 2009-12-02 01:49 15386889 ----a-w- c:\program files\avc-free.exe
2009-06-05 17:40 . 2009-06-05 17:40 38709280 ----a-w- c:\program files\kav8.0.0.506en.exe
2009-05-22 20:15 . 2009-05-22 20:15 434832 ----a-w- c:\program files\switchsetup.exe
2009-05-14 18:15 . 2009-05-14 18:15 140800 ----a-w- c:\program files\ODMediaConsoleSetup.exe
2009-03-02 07:43 . 2009-03-02 07:43 26699048 ----a-w- c:\program files\SafariSetup.exe
2009-02-03 11:59 . 2009-02-03 11:59 1226 ----a-w- c:\program files\setup.reg
2008-11-14 09:52 . 2008-11-14 09:52 41937 ----a-w- c:\program files\release_notes_kav8.0cf2_en.html
2008-11-13 17:23 . 2008-11-13 17:23 40375808 ----a-w- c:\program files\kav.en.msi
2008-11-04 18:53 . 2008-11-04 18:53 5166072 ----a-w- c:\program files\msgrplus.exe
2008-10-28 17:25 . 2008-10-28 17:25 283843 ----a-w- c:\program files\youmurdererbb_tt.zip
2008-10-21 05:49 . 2008-10-21 05:49 67167528 ----a-w- c:\program files\iTunes801Setup.exe
2008-10-17 20:37 . 2008-10-15 20:40 1851544 ----a-w- c:\program files\install_flash_player.exe
2008-10-09 20:01 . 2008-10-09 20:01 0 ----a-w- c:\program files\temp01
2008-10-09 00:27 . 2008-10-09 00:27 50689960 ----a-w- c:\program files\avg_free_stf_en_8_173a1373.exe
2008-10-09 00:22 . 2008-10-09 00:22 19153264 ----a-w- c:\program files\aaw2008.exe
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-17 16:13 . 2010-04-17 16:13 16384 c:\windows\Temp\Perflib_Perfdata_24c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-10-02 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-10-02 118784]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"IPInSightLAN 01"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 380928]
"IPInSightMonitor 01"="c:\program files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" [2003-06-11 122880]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-07-21 208616]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-10-10 203264]
"lxdwmon.exe"="c:\program files\Lexmark 7600 Series\lxdwmon.exe" [2008-09-10 676520]
"lxdwamon"="c:\program files\Lexmark 7600 Series\lxdwamon.exe" [2008-09-10 16040]
"Lexmark 7600 Series Fax Server"="c:\program files\Lexmark 7600 Series\fm3032.exe" [2008-09-10 311976]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-10-7 656896]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-14 113664]
Event Reminder.lnk - c:\program files\Broderbund\PrintMaster\pmremind.exe [2009-2-17 331776]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\wamp\\bin\\apache\\Apache2.2.11\\bin\\httpd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\lxdwcoms.exe"=
"c:\\Program Files\\iWin Games\\iWinGames.exe"=
"c:\\Program Files\\iWin Games\\WebUpdater.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 5:29 PM 33808]
R2 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [1/21/2010 12:12 PM 78104]
R2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe -service --> c:\windows\system32\lxdwcoms.exe -service [?]
R2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdwserv.exe [8/7/2009 1:01 PM 98984]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [4/30/2008 5:06 PM 24592]
S3 klmd21;klmd21;c:\windows\system32\drivers\klmd.sys --> c:\windows\system32\drivers\klmd.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KGTYQPOB
*Deregistered* - IPVNMon
*Deregistered* - kgtyqpob
.
Contents of the 'Scheduled Tasks' folder

2010-04-18 c:\windows\Tasks\User_Feed_Synchronization-{54802705-6404-494B-8E69-3EC5B0EF9994}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-18 11:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-527237240-115176313-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4044)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-18 11:32:56
ComboFix-quarantined-files.txt 2010-04-18 18:32
ComboFix2.txt 2010-04-18 03:09
ComboFix3.txt 2010-04-16 21:10

Pre-Run: 279,940,853,760 bytes free
Post-Run: 279,893,725,184 bytes free

- - End Of File - - 963BEAC3229492BA0EC1046FA47F6AC2

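A defender-side triage helper for ComboFix file listings like the one above, added here as an example and not part of the thread, ComboFix, or any of the tools it names. It parses the "Files Created" / "Find3M" lines and flags the two patterns visible in this log: a run of OLD*.tmp files in system32\drivers that are byte-for-byte the same size as isapnp.sys, and a driver rewritten under both drivers\ and dllcache\ in the same minute (the cached copy is what Windows File Protection on XP would otherwise restore from). The sample lines are copied from the posted log; the size-collision heuristic is my own and is a lead for manual review, not a rootkit signature.

```python
"""Heuristic triage of ComboFix file-listing lines (added example, not a ComboFix feature)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# ComboFix line layout: <created> . <modified> <size|--------> <attrs> <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+?)\s*$"
)
STAMP_FMT = "%Y-%m-%d %H:%M"
DRIVERS_DIR = "\\windows\\system32\\drivers\\"
DLLCACHE_DIR = "\\windows\\system32\\dllcache\\"

# Constructed sample: lines taken from the ComboFix log posted in this thread,
# plus mbam.sys / tskC.tmp so the size check has negative cases.
SAMPLE_LOG = "\n".join([
    r"2010-04-14 21:41 . 2010-04-14 21:48 37248 -c--a-w- c:\windows\system32\dllcache\isapnp.sys",
    r"2010-04-14 21:41 . 2010-04-14 21:48 37248 ----a-w- c:\windows\system32\drivers\isapnp.sys",
    r"2010-04-14 18:44 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys",
    r"2010-04-12 05:43 . 2010-04-12 05:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache",
    r"2010-04-14 21:46 . 2010-04-14 21:46 37248 ----a-w- c:\windows\system32\drivers\OLD76.tmp",
    r"2010-04-14 21:45 . 2010-04-14 21:44 37248 ----a-w- c:\windows\system32\drivers\OLD73.tmp",
    r"2010-04-12 18:48 . 2010-04-12 18:48 96512 ----a-w- c:\windows\system32\drivers\tskC.tmp",
    r"2010-04-18 12:13 . 2009-05-05 23:20 7271968 --sha-w- c:\windows\system32\drivers\fidbox.dat",
])


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: Optional[int]   # None for directories, which ComboFix prints as "--------"
    attrs: str
    path: str


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a file-listing line, or None for headers, separators, blanks."""
    m = LINE_RE.match(line)
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(datetime.strptime(m["created"], STAMP_FMT),
                 datetime.strptime(m["modified"], STAMP_FMT),
                 size, m["attrs"], m["path"])


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_driver_size_collisions(entries: List[Entry]) -> Dict[int, List[str]]:
    """Sizes under system32\\drivers shared by at least one .sys and one non-.sys file.

    In the posted log every OLDxx.tmp is 37248 bytes, exactly the size of the
    replaced isapnp.sys: a pattern consistent with a driver being repeatedly
    swapped out and the previous copy parked under a throwaway name.
    """
    by_size: Dict[int, List[str]] = defaultdict(list)
    for e in entries:
        if e.size is not None and DRIVERS_DIR in e.path.lower():
            by_size[e.size].append(e.path)
    return {
        size: paths for size, paths in by_size.items()
        if any(_basename(p).endswith(".sys") for p in paths)
        and any(not _basename(p).endswith(".sys") for p in paths)
    }


def find_rewritten_protected_drivers(entries: List[Entry]) -> List[str]:
    """Driver names present under both drivers\\ and dllcache\\ with the same created stamp.

    Rewriting the dllcache copy too means Windows File Protection will not put
    the original back, so such pairs deserve a hash check against known-good media.
    """
    drivers: Dict[str, Entry] = {}
    cache: Dict[str, Entry] = {}
    for e in entries:
        p = e.path.lower()
        if DRIVERS_DIR in p:
            drivers[_basename(p)] = e
        elif DLLCACHE_DIR in p:
            cache[_basename(p)] = e
    return sorted(n for n in drivers if n in cache and drivers[n].created == cache[n].created)


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    for size, paths in find_driver_size_collisions(ents).items():
        print(f"size {size}: {len(paths)} files share it")
        for p in paths:
            print("   ", p)
    for name in find_rewritten_protected_drivers(ents):
        print("drivers\\ and dllcache\\ copies rewritten together:", name)
```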

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by Belahzur on Sun Apr 18, 2010 6:35 pm

Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX, click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.



Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by keribear on Sun Apr 18, 2010 8:54 pm

It said no threats found. My Kaspersky keeps showing threats found, do I need to Fix that or something?

SETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=b3640aec1b87bc42bac85b45477025df
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-18 08:47:21
# local_time=2010-04-18 01:47:21 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1026 16777214 0 2 29964774 29964774 0 0
# compatibility_mode=1280 16777191 100 0 29964355 29964355 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=239447
# found=0
# cleaned=0
# scan_time=7288


Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by Belahzur on Sun Apr 18, 2010 10:26 pm

Does Kaspersky say where?



Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by keribear on Mon Apr 19, 2010 12:21 am

It showed Active Threat as the one I came here with, then I clicked on it and it said Not found! Yay! I'm clean now?


Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by Belahzur on Mon Apr 19, 2010 12:27 am

I am having doubts; I think it's a new rootkit that is still here.

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.



Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by keribear on Mon Apr 19, 2010 8:44 am

GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-19 01:42:44
Windows 5.1.2600 Service Pack 3
Running: roxcgzxw.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kgtyqpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xB1C1C1DA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwClose [0xB1C1C7AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0xB1C1E1EA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xB1C1DB9C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateKey [0xB1C1B950]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xB1C1FB7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateThread [0xB1C1C5AE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0xB1C1BD92]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteValueKey [0xB1C1BF92]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xB1C1DEAC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDuplicateObject [0xB1C20084]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateKey [0xB1C1C0A8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwEnumerateValueKey [0xB1C1C110]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0xB1C1DD5E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xB1C1F620]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0xB1C1D9F8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenKey [0xB1C1BAB2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenProcess [0xB1C1C3B2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0xB1C1FBA6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenThread [0xB1C1C2FE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryKey [0xB1C1C178]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xB1C1BE7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryValueKey [0xB1C1BC5A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0xB1C1F888]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0xB1C1B5D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xB1C1EA74]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRestoreKey [0xB1C1B734]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0xB1C1FF56]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0xB1C1B3D0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0xB1C1E08C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetContextThread [0xB1C1C6AC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0xB1C1F71A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0xB1C1FBD0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetValueKey [0xB1C1BB08]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xB1C1FCB4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xB1C1FDE0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0xB1C1F54C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwTerminateProcess [0xB1C1C47E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xB1C1C4F0]

Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous
Code \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + C8 804E2734 4 Bytes JMP 06B1C1E1
.text ntoskrnl.exe!_abnormal_termination + 36C 804E29D8 4 Bytes JMP C234B1C1
.text ntoskrnl.exe!_abnormal_termination + 440 804E2AAC 1 Byte [B4]
.text ntoskrnl.exe!_abnormal_termination + 440 804E2AAC 12 Bytes [B4, FC, C1, B1, E0, FD, C1, ...]
.text ntoskrnl.exe!IoIsOperationSynchronous 804E876A 5 Bytes JMP B1C339E0 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
.text ntoskrnl.exe!FsRtlCheckLockForReadAccess 80512939 5 Bytes JMP B1C33626 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab)
? C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[148] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[148] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 41, 6D] {JO 0x13; INC ECX; INSD }
? C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[1584] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe[1584] USER32.dll!AlignRects + FFFA5598 7E412A78 4 Bytes [70, 11, 41, 6D] {JO 0x13; INC ECX; INSD }

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMSetAttributesEx] [BA1C5C29] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\rasl2tp.sys[NDIS.SYS!NdisMRegisterMiniport] [BA1C58B5] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [BA1C5BFF] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [BA1C5B45] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMSetAttributesEx] [BA1C5C29] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [BA1C5656] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisMRegisterMiniport] [BA1C58B5] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [BA1C5656] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [BA1C5B45] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [BA1C5BFF] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisMSetAttributesEx] [BA1C5C29] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisMRegisterMiniport] [BA1C58B5] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMSetAttributesEx] [BA1C5C29] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspptp.sys[NDIS.SYS!NdisMRegisterMiniport] [BA1C58B5] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisIMRegisterLayeredMiniport] [BA1C57D0] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [BA1C5656] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [BA1C5B45] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisMSetAttributesEx] [BA1C5C29] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [BA1C5BFF] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspti.sys[NDIS.SYS!NdisMSetAttributesEx] [BA1C5C29] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\raspti.sys[NDIS.SYS!NdisMRegisterMiniport] [BA1C58B5] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [BA1C5656] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BA1C5BFF] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BA1C5B45] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BA1C5BFF] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BA1C5B45] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BA1C5656] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[ntoskrnl.exe!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [BA20F820] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\netbt.sys[ntoskrnl.exe!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [BA20F820] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\netbios.sys[ntoskrnl.exe!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\rdbss.sys[ntoskrnl.exe!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Fips.SYS[ntoskrnl.exe!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\ipnat.sys[ntoskrnl.exe!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[ntoskrnl.exe!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [BA1C5656] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [BA1C5B45] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [BA1C5BFF] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\DRIVERS\HIDCLASS.SYS[ntoskrnl.exe!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\usbccgp.sys[NTOSKRNL.EXE!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\mouhid.sys[ntoskrnl.exe!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\usbscan.sys[ntoskrnl.exe!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\DRIVERS\usbprint.sys[ntoskrnl.exe!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\USBSTOR.SYS[ntoskrnl.exe!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\Cdfs.SYS[ntoskrnl.exe!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[ntoskrnl.exe!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [BA1C5656] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [BA1C5BFF] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [BA1C5B45] IPVNMon.sys (IPVNMon/Visual Networks)
IAT \SystemRoot\system32\drivers\wdmaud.sys[ntoskrnl.exe!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\sysaudio.sys[ntoskrnl.exe!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\mrxdav.sys[ntoskrnl.exe!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\ParVdm.SYS[ntoskrnl.exe!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\System32\Drivers\HTTP.sys[ntoskrnl.exe!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
IAT \SystemRoot\system32\drivers\kmixer.sys[ntoskrnl.exe!IoCreateDevice] [BA20F6D0] kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\explorer.exe[4044] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrUnloadDll] [58002663] C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPHk2KS2.DLL (Windows 2000 SP2 System Hook DLL/Visual Networks)
IAT C:\WINDOWS\explorer.exe[4044] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrLoadDll] [580025DE] C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPHk2KS2.DLL (Windows 2000 SP2 System Hook DLL/Visual Networks)
IAT C:\WINDOWS\explorer.exe[4044] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [580024F8] C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPHk2KS2.DLL (Windows 2000 SP2 System Hook DLL/Visual Networks)
IAT C:\WINDOWS\explorer.exe[4044] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!SetWindowsHookExW] [58002861] C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPHk2KS2.DLL (Windows 2000 SP2 System Hook DLL/Visual Networks)
IAT C:\WINDOWS\explorer.exe[4044] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowsHookExA] [5800277E] C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPHk2KS2.DLL (Windows 2000 SP2 System Hook DLL/Visual Networks)
IAT C:\WINDOWS\explorer.exe[4044] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!SetWindowsHookExW] [58002861] C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPHk2KS2.DLL (Windows 2000 SP2 System Hook DLL/Visual Networks)
IAT C:\WINDOWS\explorer.exe[4044] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!SetWindowsHookExW] [58002861] C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPHk2KS2.DLL (Windows 2000 SP2 System Hook DLL/Visual Networks)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)
AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab)

---- Processes - GMER 1.0.15 ----

Library C:\Documents (*** hidden *** ) @ C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe [1584] 0x0B210000

---- EOF - GMER 1.0.15 ----

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by Belahzur on Mon Apr 19, 2010 9:29 am

Looks good, still having problems? I don't see any rootkits.

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by keribear on Mon Apr 19, 2010 5:46 pm

Thank you!! Should I uninstall the GMER and SystemLook things?

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by Belahzur on Mon Apr 19, 2010 6:06 pm

Just delete them; they don't require uninstalling.

Re: isapnp.sys, rootkit.win32.tdss.d-now blue screen AFTER Adobe download here

Post by keribear on Mon Apr 19, 2010 6:14 pm

Thank you thank you! I love you, and Jeff Hardy, but also Matt!
