Thanks for your help, Broni. My logs are as follows:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5607
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
1/25/2011 11:29:49 PM
mbam-log-2011-01-25 (23-29-49).txt
Scan type: Quick scan
Objects scanned: 141379
Time elapsed: 14 minute(s), 36 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
GMER 1.0.15.15530 -
http://www.gmer.net
Rootkit scan 2011-01-26 00:05:37
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD400BB-75FJA1 rev.14.03G14
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fgrcypog.sys
GMER 1.0.15.15530 -
http://www.gmer.net
Rootkit scan 2011-01-26 00:05:37
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD400BB-75FJA1 rev.14.03G14
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fgrcypog.sys
---- System - GMER 1.0.15 ----
SSDT FF8999D0 ZwAlertResumeThread
SSDT FFB38600 ZwAlertThread
SSDT FF70A300 ZwAllocateVirtualMemory
SSDT FF6ECC98 ZwAssignProcessToJobObject
SSDT FF938120 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xAEAB1210]
SSDT FF71C5C0 ZwCreateMutant
SSDT FF71A978 ZwCreateSymbolicLinkObject
SSDT FFB22BA8 ZwCreateThread
SSDT FF7A7C98 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xAEAB1490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAEAB19F0]
SSDT FF71B160 ZwDuplicateObject
SSDT FF71D978 ZwFreeVirtualMemory
SSDT FF72C0C0 ZwImpersonateAnonymousToken
SSDT FFBB0B68 ZwImpersonateThread
SSDT FF87C208 ZwLoadDriver
SSDT FFB22818 ZwMapViewOfSection
SSDT FF8950E0 ZwOpenEvent
SSDT FF71D160 ZwOpenProcess
SSDT FF75F108 ZwOpenProcessToken
SSDT FF6E2910 ZwOpenSection
SSDT FF71D090 ZwOpenThread
SSDT FF71AC50 ZwProtectVirtualMemory
SSDT FFBB3768 ZwResumeThread
SSDT FFBB5C98 ZwSetContextThread
SSDT FF71D798 ZwSetInformationProcess
SSDT FF6E4730 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAEAB1C40]
SSDT FF7BC230 ZwSuspendProcess
SSDT FF7591A8 ZwSuspendThread
SSDT FF74F108 ZwTerminateProcess
SSDT FF6EF070 ZwTerminateThread
SSDT FF838298 ZwUnmapViewOfSection
SSDT FF70A230 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\WINDOWS\system32\drivers\dmio.sys entry point in ".rsrc" section [0xF9243B14]
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF8480F80]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006D000A
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006C000C
.text C:\WINDOWS\System32\svchost.exe[1064] ole32.dll!CoCreateInstance 774FF1C4 5 Bytes JMP 023B000A
.text C:\WINDOWS\Explorer.EXE[1652] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[1652] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1652] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\system32\wuauclt.exe[3868] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\wuauclt.exe[3868] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\wuauclt.exe[3868] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B9000C
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3928] kernel32.dll!SetUnhandledExceptionFilter 7C844935 5 Bytes JMP 326054C1 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3928] ole32.dll!OleLoadFromStream 7752986B 5 Bytes JMP 330BD62A C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Udfs.SYS (UDF File System Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 81296AEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 81296AEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 81296AEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 81296AEA
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD400BB-75FJA1______________________14.03G14#4457572d4143414a343231353134203720202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sectors 78124744 (+255): rootkit-like behavior;
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\dmio.sys suspicious modification; TDL3 <-- ROOTKIT !!!
---- EOF - GMER 1.0.15 ----
DDS (Ver_10-12-12.02) - NTFSx86
Run by Owner at 0:20:02.61 on Wed 01/26/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.254.49 [GMT -8:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\DOCUME~1\Owner\LOCALS~1\Temp\jZip\jZip222A5\jZip353DC\gmer.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://mgs.marriott.com/index.html
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.3.0.5\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.3.0.5\coIEPlg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {01017200-5E80-11D8-9E86-0007E96C65AE} - hxxps://hdxplus.marriott.com/sdccommon/download/tgctlpr.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://hdxplus.marriott.com/sdccommon/download/tgctlcm.cab
DPF: {01118F00-3E00-11D2-8470-0060089874ED} - hxxps://hdxplus.marriott.com/sdccommon/download/ssrc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1
www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ewt4un7k.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter:
jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Norton IPS: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\IPSFFPlgn
FF - Ext: Norton Toolbar: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62} - c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coFFPlgn
============= SERVICES / DRIVERS ===============
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0403000.005\symds.sys [2010-11-2 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0403000.005\symefa.sys [2010-11-2 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20110114.001\BHDrvx86.sys [2011-1-18 691248]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0403000.005\cchpx86.sys [2010-11-2 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0403000.005\ironx86.sys [2010-11-2 116784]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.3.0.5\ccsvchst.exe [2010-11-2 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-11-1 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20110125.002\IDSXpx86.sys [2011-1-25 341944]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110125.020\NAVENG.SYS [2011-1-25 86008]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20110125.020\NAVEX15.SYS [2011-1-25 1360760]
S3 WUSB54GV4SRV;Linksys Wireless-G USB Network Adapter Driver;c:\windows\system32\drivers\rt2500usb.sys [2009-10-18 245376]
=============== Created Last 30 ================
2011-01-26 07:11:32 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-26 07:11:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-26 07:11:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-19 16:17:26 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-01-13 11:45:21 -------- d-----w- c:\windows\system32\MpEngineStore
2011-01-12 20:56:45 253952 ------w- c:\windows\system32\dllcache\odbc32.dll
2011-01-12 20:56:45 143360 ------w- c:\windows\system32\dllcache\msadco.dll
2011-01-12 20:56:44 180224 ------w- c:\windows\system32\dllcache\msadomd.dll
2011-01-12 20:56:44 102400 ------w- c:\windows\system32\dllcache\msjro.dll
2011-01-12 20:56:43 200704 ------w- c:\windows\system32\dllcache\msadox.dll
2010-12-29 19:08:41 -------- d-----w- c:\program files\iPod
2010-12-29 19:08:12 -------- d-----w- c:\program files\iTunes
2010-12-29 18:53:35 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-12-29 18:53:30 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-12-29 18:48:51 -------- d-----w- c:\program files\Bonjour
==================== Find3M ====================
2010-11-30 01:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-30 01:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-13 02:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-09 14:50:47 253952 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:27:34 919552 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:27:33 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:27:33 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:00:50 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 02:07:18 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-10-28 13:08:53 290048 ----a-w- c:\windows\system32\atmfd.dll
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer,
http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD400BB-75FJA1 rev.14.03G14 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x81296CEC]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x50; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0xfa7c7846; SUB DWORD [EBP-0x4], 0xfa7c712e; PUSH EDI; CALL 0xffffffffffffe10c; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x81315030]
3 CLASSPNP[0xF9306FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x8121CF18]
[0x812617C8] -> IRP_MJ_CREATE -> 0x81296CEC
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD400BB-75FJA1______________________14.03G14#4457572d4143414a343231353134203720202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x81296AEA
user & kernel MBR OK
sectors 78124998 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
============= FINISH: 0:22:20.97 ===============
DDS (Ver_10-12-12.02)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/18/2009 7:58:14 PM
System Uptime: 1/25/2011 10:51:32 PM (2 hours ago)
Motherboard: Dell Computer Corp. | | 0F4491
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/533mhz
==== Disk Partitions =========================
A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 8.478 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is CDROM (UDF)
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP538: 12/22/2010 11:43:19 PM - System Checkpoint
RP539: 12/23/2010 3:46:39 AM - Software Distribution Service 3.0
RP540: 12/24/2010 3:01:18 AM - Software Distribution Service 3.0
RP541: 12/24/2010 12:14:34 PM - Software Distribution Service 3.0
RP542: 12/25/2010 3:00:58 AM - Software Distribution Service 3.0
RP543: 12/26/2010 3:00:51 AM - Software Distribution Service 3.0
RP544: 12/26/2010 10:46:16 AM - Software Distribution Service 3.0
RP545: 12/27/2010 11:33:20 AM - System Checkpoint
RP546: 12/28/2010 3:00:50 AM - Software Distribution Service 3.0
RP547: 12/29/2010 3:01:28 AM - Software Distribution Service 3.0
RP548: 12/29/2010 8:54:25 AM - Software Distribution Service 3.0
RP549: 12/29/2010 11:07:18 AM - Installed iTunes
RP550: 12/30/2010 3:00:45 AM - Software Distribution Service 3.0
RP551: 12/31/2010 3:00:39 AM - Software Distribution Service 3.0
RP552: 12/31/2010 6:07:29 PM - Software Distribution Service 3.0
RP553: 1/2/2011 12:04:20 PM - System Checkpoint
RP554: 1/3/2011 3:00:53 AM - Software Distribution Service 3.0
RP555: 1/3/2011 6:36:41 PM - Software Distribution Service 3.0
RP556: 1/4/2011 3:00:30 AM - Software Distribution Service 3.0
RP557: 1/5/2011 3:00:32 AM - Software Distribution Service 3.0
RP558: 1/6/2011 3:00:40 AM - Software Distribution Service 3.0
RP559: 1/7/2011 3:00:38 AM - Software Distribution Service 3.0
RP560: 1/8/2011 3:01:36 AM - Software Distribution Service 3.0
RP561: 1/9/2011 3:00:43 AM - Software Distribution Service 3.0
RP562: 1/10/2011 3:00:43 AM - Software Distribution Service 3.0
RP563: 1/10/2011 5:39:54 PM - Software Distribution Service 3.0
RP564: 1/11/2011 3:00:34 AM - Software Distribution Service 3.0
RP565: 1/12/2011 3:00:41 AM - Software Distribution Service 3.0
RP566: 1/13/2011 3:01:32 AM - Software Distribution Service 3.0
RP567: 1/13/2011 11:21:41 PM - Software Distribution Service 3.0
RP568: 1/14/2011 11:23:37 PM - System Checkpoint
RP569: 1/15/2011 3:00:52 AM - Software Distribution Service 3.0
RP570: 1/15/2011 11:40:25 AM - Software Distribution Service 3.0
RP571: 1/15/2011 10:07:40 PM - Software Distribution Service 3.0
RP572: 1/16/2011 7:34:23 PM - Software Distribution Service 3.0
RP573: 1/17/2011 7:44:43 PM - System Checkpoint
RP574: 1/18/2011 3:00:50 AM - Software Distribution Service 3.0
RP575: 1/18/2011 8:58:31 AM - Software Distribution Service 3.0
RP576: 1/19/2011 3:00:34 AM - Software Distribution Service 3.0
RP577: 1/19/2011 8:04:12 AM - Installed Java(TM) 6 Update 23
RP578: 1/20/2011 2:54:56 AM - Software Distribution Service 3.0
RP579: 1/21/2011 3:00:47 AM - Software Distribution Service 3.0
RP580: 1/22/2011 3:00:38 AM - Software Distribution Service 3.0
RP581: 1/23/2011 3:00:36 AM - Software Distribution Service 3.0
RP582: 1/24/2011 3:00:35 AM - Software Distribution Service 3.0
RP583: 1/25/2011 3:01:28 AM - Software Distribution Service 3.0
==== Installed Programs ======================
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.1
AiO_Scan
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft Print Creations
ArcSoft Print Creations - Album Page
ArcSoft Print Creations - Funhouse
ArcSoft Print Creations - Greeting Card
ArcSoft Print Creations - Photo Book
ArcSoft Print Creations - Photo Calendar
ArcSoft Print Creations - Scrapbook
ArcSoft Print Creations - Slimline Card
Bonjour
CCScore
Conexant D850 56K V.9x DFVc Modem
Dell Driver Download Manager
DVD Decoder Pak for Windows XP
Enterprise
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSTOOLS
essvatgt
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP PSC & Officejet 4.2 Corporate Edition
Intel(R) Extreme Graphics 2 Driver
iTunes
Java Auto Updater
Java(TM) 6 Update 23
jZip
Kodak EasyShare software
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Mozilla Firefox (3.6.13)
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB973685)
netbrdg
Norton 360
OfotoXMI
OGA Notifier 2.0.0048.0
QFolder
QuickTime
Scan
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SFR
SHASTA
skin0001
SKINXSDK
SoundMAX
staticcr
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Microsoft Office Outlook 2007 (KB2412171)
Update for Outlook 2007 Junk Email Filter (KB2483110)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VPRINTOL
WebFldrs XP
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
WIRELESS
XML Paper Specification Shared Components Pack 1.0
==== Event Viewer Messages From Past Week ========
1/25/2011 11:49:38 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
1/25/2011 10:47:14 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
1/25/2011 10:47:14 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
1/25/2011 10:47:14 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
1/25/2011 10:47:14 PM, error: Service Control Manager [7034] - The ArcSoft Connect Daemon service terminated unexpectedly. It has done this 1 time(s).
1/25/2011 10:47:14 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
1/20/2011 3:39:30 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
1/20/2011 3:39:30 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/20/2011 3:31:08 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
1/20/2011 3:31:08 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
1/19/2011 8:06:21 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
==== End Of File ===========================