Attempting to recover from a trojan yesterday, almost there, but stuck at the end

Hi!

I got hit with some form of trojan or virus yesterday. A fake Windows Security Essentials warning popped up asking me to load "Think Point AV" as my antivirus software. I rebooted into safe mode and ThinkPoint popped up there too, before even explorer.exe. To make a long story short, I ended up pulling out my hard drive, slaving it to another computer and running Malwarebytes on my drive. That at least allowed me to boot into safe mode, where I again ran MBAM and cleaned up my registry there.

At the height of my problems I could not boot into safe mode, standard mode, nor my recovery partition. Instead it would power on, bring up the XP black boot screen (or the list of files being loaded when in safe mode) and then BSOD and power down... lather, rinse, repeat. I thought I had it beat, but this morning MBAM caught 4 more infected objects. The latest MBAM run was clean.
Having run MBAM and TrendMicro, I can now boot normally and do most of what I want. However, I do have some lingering issues.
1) My Recovery partition still boots to BSOD.
2) Google Chrome (both installed and portable) loads, but just sits on a white tab not doing anything (an ancient version of IE still works and I can browse the web, download, etc.). I reinstalled Chrome and no luck, including having it delete all my personal data.
3) Firefox might load once after start-up, but immediately crashes and will not fully load again. Instead firefox.exe will load into memory but not do anything and just sit there eating about 7MB of RAM. (Incidentally, copying notepad.exe to the desktop and renaming it firefox.exe, notepad still runs.) Completely reinstalled Firefox, no better.
4) I cannot boot with anything plugged into my USB ports. This is not a huge deal as it is a netbook (see below); however, it is odd.
5) My Disk Management Console does not recognize any drives at all. There is one SATA hard drive plugged in, partitioned into C, D and a hidden partition for recovery. C and D are visible in Windows Explorer.

MBAM Log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4892

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

10/20/2010 11:59:02 AM
mbam-log-2010-10-20 (11-59-02).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 198163
Time elapsed: 49 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




GMER Log:

GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-20 12:11:54
Windows 5.1.2600 Service Pack 3
Running: x2e9dkz7.exe; Driver: C:\DOCUME~1\Daniel\LOCALS~1\Temp\fgldapog.sys


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[120] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B2000A
.text C:\WINDOWS\Explorer.EXE[120] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B3000A
.text C:\WINDOWS\Explorer.EXE[120] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A2000C
.text C:\WINDOWS\system32\wuauclt.exe[572] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 008C000A
.text C:\WINDOWS\system32\wuauclt.exe[572] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 008D000A
.text C:\WINDOWS\system32\wuauclt.exe[572] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 003E000C
.text C:\WINDOWS\System32\svchost.exe[1324] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007F000A
.text C:\WINDOWS\System32\svchost.exe[1324] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0080000A
.text C:\WINDOWS\System32\svchost.exe[1324] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007E000C
.text C:\WINDOWS\System32\svchost.exe[1324] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00EC000A

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 864F0292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 864F0292
Device \FileSystem\Cdfs \Cdfs A0AD6400
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD1600BEVT-22ZCT0___________________11.01A11#5&2ef5f6c5&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 312581552 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----


DDS Log:


DDS (Ver_10-10-10.03) - NTFSx86
Run by Daniel at 12:13:12.14 on Wed 10/20/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1013.605 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CE\nmSvc.exe
C:\WINDOWS\system32\iprntctl.exe
C:\WINDOWS\system32\iprntlgn.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\CE\nmFlt.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Daniel\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\system32\cidaemon.exe
E:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msi.com.tw/
mDefault_Page_URL = hxxp://www.msi.com.tw
uInternet Connection Wizard,ShellNext = hxxp://www.msi.com.tw/
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NMSVC] c:\program files\ce\nmSvc.exe
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [iPrint Tray] c:\windows\system32\iprntctl.exe TRAY_ICON
mRun: [iPrint Event Monitor] c:\windows\system32\iprntlgn.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
StartupFolder: c:\docume~1\daniel\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\daniel\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
uPolicies-explorer: NoActiveDesktop = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoTrayItemsDisplay = 00000000
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: CESpy.dll
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\daniel\applic~1\mozilla\firefox\profiles\bcg3hauy.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\windows\system32\npnipp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [2010-9-15 41336]
R1 vcdrom;Virtual CD-ROM Device Driver;d:\dans\new\VCdRom.sys [2001-12-19 8576]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-8-21 182304]
R3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2008-10-15 1334240]
S0 csqugxnw;csqugxnw; [x]
S3 ABBYY.Licensing.FineReader.Professional.10.0;ABBYY FineReader 10 PE Licensing Service;c:\program files\common files\abbyy\finereader\10.00\licensing\pe\NetworkLicenseServer.exe [2009-12-11 814344]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-8-21 1684736]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-10-19 38224]

=============== Created Last 30 ================

2010-10-20 15:46:20 -------- d-----w- c:\docume~1\daniel\locals~1\applic~1\Deployment
2010-10-20 14:51:55 974848 ----a-w- c:\windows\system32\mfc70.dll
2010-10-20 14:51:55 487424 ----a-w- c:\windows\system32\msvcp70.dll
2010-10-20 14:51:55 344064 ----a-w- c:\windows\system32\msvcr70.dll
2010-10-20 14:51:54 608448 ----a-w- c:\windows\system32\comctl32.ocx
2010-10-20 14:51:54 -------- d-----w- c:\program files\AML Products
2010-10-19 18:47:18 -------- d-----w- c:\program files\Marcos Velasco Security
2010-10-19 17:47:35 -------- d-----w- c:\windows\Cookies
2010-10-19 17:47:34 -------- d-----w- c:\windows\Recent
2010-10-19 17:20:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-19 17:20:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-19 17:20:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-19 16:51:12 -------- d-----w- c:\docume~1\daniel\applic~1\Malwarebytes
2010-10-19 16:50:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-19 15:26:40 -------- d-sh--w- C:\$RECYCLE.BIN
2010-10-19 12:58:46 -------- d-----w- c:\windows\pss
2010-10-19 01:02:01 199 ----a-w- c:\docume~1\daniel\applic~1\13541.bat
2010-10-19 01:01:41 199 ----a-w- c:\docume~1\daniel\applic~1\10495.bat
2010-10-19 01:00:20 -------- d-----w- c:\docume~1\daniel\applic~1\Pihia
2010-10-19 01:00:20 -------- d-----w- c:\docume~1\daniel\applic~1\Iwhadu
2010-10-14 01:04:12 -------- d-----w- c:\docume~1\daniel\applic~1\.minecraft
2010-10-06 13:11:23 -------- d-----w- c:\program files\SpeedFan
2010-09-23 15:03:01 -------- d-----w- c:\docume~1\daniel\applic~1\Xerox
2010-09-22 23:10:52 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2010-09-22 16:05:28 -------- d-----w- c:\docume~1\daniel\applic~1\Novell

==================== Find3M ====================

2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-09 14:16:31 667136 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 14:16:30 61952 ----a-w- c:\windows\system32\tdc.ocx
2010-09-09 14:16:29 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-09-08 16:49:49 369664 ----a-w- c:\windows\system32\html.iec
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 12:13:55.23 ===============


DDS Attach is attached.
 

Welcome aboard


Please observe forum rules.
All logs have to be pasted in.


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-10.03)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 8/21/2010 1:15:42 AM
System Uptime: 10/20/2010 12:01:57 PM (0 hours ago)

Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | U90/U100
Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | CPU 1 | 1600/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 39 GiB total, 27.228 GiB free.
D: is FIXED (NTFS) - 106 GiB total, 62.492 GiB free.
E: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

µTorrent
32 Bit HP CIO Components Installer
ABBYY FineReader 10 Professional Edition
Adobe Reader 9.4.0
AML Free Registry Cleaner 4.21
Bluetooth Stack for Windows by Toshiba
Covenant Eyes
Dropbox
foobar2000 v1.0.2.1
GroupWise
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
Intel(R) Graphics Media Accelerator Driver
Java Auto Updater
Java(TM) 6 Update 21
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Age of Empires Gold
Microsoft Age of Empires II
Microsoft Sync Framework 2.0 Core Components (x86) ENU
Microsoft Sync Framework 2.0 Provider Services (x86) ENU
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft WSE 3.0 Runtime
Mozilla Firefox (3.6.11)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MV RegClean 5.9
Novell iPrint Client v05.50.00
OpenOffice.org 3.2
PDFCreator
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
RocketDock 1.3.5
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360131)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973815)
USB 2.0 Card Reader
WebFldrs XP
Windows Driver Package - Atheros (AR5416) Net (04/08/2008 7.6.0.200)
Windows Driver Package - Ralink Technology, Corp. (RT80x86) Net (05/19/2008 1.01.03.0000)
Windows Driver Package - Ralink Technology, Corp. (RT80x86) Net (07/06/2010 3.01.08.0001)
Windows Driver Package - Realtek (rtl8187Se) Net (07/10/2008 5.9067.0710.2008)
Windows Genuine Advantage Validation Tool (KB892130)
Windows NT Messaging
WinRAR archiver

==== Event Viewer Messages From Past Week ========

10/20/2010 9:09:53 AM, error: Service Control Manager [7031] - The Windows Presentation Foundation Font Cache 3.0.0.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
10/20/2010 12:03:43 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
10/20/2010 12:02:21 PM, error: Dhcp [1002] - The IP address lease 172.16.20.159 for the Network Card with network address 002185BA176A has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
10/19/2010 7:58:13 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm Tosrfcom
10/19/2010 7:56:51 AM, error: Dhcp [1002] - The IP address lease 192.168.1.66 for the Network Card with network address 002185BA176A has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
10/19/2010 6:27:37 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The system cannot find the file specified.
10/19/2010 3:33:51 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFCLOC. Reference error message: The referenced assembly is not installed on your system. .
10/19/2010 3:33:51 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\MFC80U.DLL. Reference error message: The operation completed successfully. .
10/19/2010 3:33:51 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFCLOC could not be found and Last Error was The referenced assembly is not installed on your system.
10/19/2010 2:11:00 PM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
10/19/2010 12:20:50 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
10/19/2010 1:42:26 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/19/2010 1:40:51 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip Tosrfcom WS2IFSL
10/19/2010 1:40:51 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
10/19/2010 1:40:51 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/19/2010 1:40:51 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/19/2010 1:40:51 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
10/19/2010 1:39:33 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
10/18/2010 8:02:25 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\spoolsv.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.6024.
10/18/2010 8:00:33 PM, error: Service Control Manager [7000] - The Microsoft Kernel Acoustic Echo Canceller service failed to start due to the following error: A device attached to the system is not functioning.
10/18/2010 4:36:17 PM, error: Dhcp [1002] - The IP address lease 172.16.72.48 for the Network Card with network address 002185BA176A has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).
10/18/2010 12:41:07 PM, error: SideBySide [59] - Generate Activation Context failed for C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\MFC80.DLL. Reference error message: The operation completed successfully. .
10/16/2010 9:22:04 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
10/13/2010 8:15:37 AM, error: DCOM [10009] - DCOM was unable to communicate with the computer ipp://matthew.tiu.edu using any of the configured protocols.

==== End Of File ===========================
 
Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.


====================================================================

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.
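The GMER line flagging sector 00 (MBR) as TDL4, and the MBRCheck step above, both come down to the same check: read the first sector of the disk, compare its boot code against a known-good copy, and make sure the partition table still makes sense. The script below is an added example for this thread; it is not code from GMER, MBRCheck or TDSSKiller, and it is not the poster's. It parses a 512-byte MBR, hashes the 440-byte bootstrap area (the part a TDL4-style infection overwrites, leaving the partition table intact), checks the 0x55AA signature, overlap and disk bounds, and reports how many sectors sit after the last partition, which is where GMER's "sectors 312581552 (+255)" line points on the poster's 160 GB drive. The sample sectors, the "known good" boot code, the 1,000,000-sector disk size and the 0x12 type id for the hidden partition are all constructed here and are not taken from the logs.

```python
r"""MBR sanity check in the spirit of MBRCheck (added example, not the thread's or the tools' code)."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440           # bytes 0x000-0x1B7: boot code, the part a TDL4-style infection replaces
DISK_SIG_OFFSET = 0x1B8       # 4-byte Windows disk signature
PART_TABLE_OFFSET = 0x1BE     # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 0x1FE-0x1FF


@dataclass
class PartitionEntry:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sector_count - 1


@dataclass
class Mbr:
    bootstrap: bytes
    disk_signature: int
    partitions: List[PartitionEntry]
    signature_ok: bool


def parse_mbr(sector: bytes) -> Mbr:
    """Split a raw 512-byte sector into boot code, disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0 and count == 0:
            continue  # empty slot
        partitions.append(PartitionEntry(i, status == 0x80, ptype, lba, count))
    (disk_sig,) = struct.unpack_from("<I", sector, DISK_SIG_OFFSET)
    return Mbr(sector[:BOOTSTRAP_LEN], disk_sig, partitions, sector[510:] == BOOT_SIGNATURE)


def audit_mbr(sector: bytes, good_bootstrap_sha256: str, disk_sectors: int) -> List[str]:
    """Return findings; an empty list means the boot code matched the baseline and the table is sane."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr.signature_ok:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(mbr.bootstrap).hexdigest()
    if digest != good_bootstrap_sha256:
        findings.append(f"bootstrap code sha256 {digest[:16]}... differs from baseline")
    bootable = [p for p in mbr.partitions if p.bootable]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions marked bootable, expected 1")
    ordered = sorted(mbr.partitions, key=lambda p: p.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if a.lba_end >= b.lba_start:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    for p in ordered:
        if p.lba_end >= disk_sectors:
            findings.append(f"partition {p.index} runs past the end of the disk")
    return findings


def unpartitioned_tail_sectors(mbr: Mbr, disk_sectors: int) -> int:
    """Sectors after the last partition: where TDL4 keeps its hidden file system, so worth dumping."""
    if not mbr.partitions:
        return disk_sectors
    return disk_sectors - 1 - max(p.lba_end for p in mbr.partitions)


def build_mbr(bootstrap: bytes, disk_sig: int, layout: List[Tuple[bool, int, int, int]]) -> bytes:
    """Assemble a sector from its parts; used here only to construct sample data."""
    sector = bytearray(SECTOR_SIZE)
    sector[:BOOTSTRAP_LEN] = bootstrap[:BOOTSTRAP_LEN].ljust(BOOTSTRAP_LEN, b"\x00")
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(layout):
        struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)
    sector[510:] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample data: placeholder boot code (not real Windows code), a 1,000,000-sector disk,
# C: and D: as NTFS (0x07) plus a hidden OEM partition whose type id 0x12 is an assumption.
GOOD_BOOTSTRAP = b"PLACEHOLDER-KNOWN-GOOD-BOOT-CODE"
GOOD_BOOTSTRAP_SHA256 = hashlib.sha256(GOOD_BOOTSTRAP.ljust(BOOTSTRAP_LEN, b"\x00")).hexdigest()
DISK_SECTORS = 1_000_000
CLEAN_LAYOUT = [(True, 0x07, 63, 400_000), (False, 0x07, 400_063, 500_000), (False, 0x12, 900_063, 99_937)]
# Same table, but the boot code is replaced and the last 256 sectors of the disk are no longer covered.
TAMPERED_LAYOUT = CLEAN_LAYOUT[:2] + [(False, 0x12, 900_063, 99_681)]


def clean_sector() -> bytes:
    return build_mbr(GOOD_BOOTSTRAP, 0x1234ABCD, CLEAN_LAYOUT)


def tampered_sector() -> bytes:
    return build_mbr(b"REPLACED-BOOT-CODE", 0x1234ABCD, TAMPERED_LAYOUT)


def read_sector0(path: str) -> bytes:
    """Read sector 0 of a disk image, or of a raw device such as \\.\PhysicalDrive0 (needs admin)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


if __name__ == "__main__":
    for name, sec in (("clean", clean_sector()), ("tampered", tampered_sector())):
        print(name, audit_mbr(sec, GOOD_BOOTSTRAP_SHA256, DISK_SECTORS),
              "tail sectors:", unpartitioned_tail_sectors(parse_mbr(sec), DISK_SECTORS))
```

One caveat that matters for this particular log: GMER also shows `\Driver\atapi -> DriverStartIo` hooked on both IDE ports. A rootkit sitting at that level can hand a clean copy of sector 0 to anything that reads through the normal disk stack, so a script like this run on the infected machine may report nothing wrong. Reading the drive from another machine, as the poster did when slaving the disk, or using a tool that reads underneath the hook (which is what TDSSKiller and GMER attempt), is what makes the comparison trustworthy. A small gap after the last partition is normal alignment slack; it is the contents of those sectors, not their mere existence, that decides anything.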
 
hi Broni,

Sorry about the attachment, I read the log, not the forum rules.

Below are the two new logs:

TDSSKiller

2010/10/20 21:28:39.0500 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/20 21:28:39.0500 ================================================================================
2010/10/20 21:28:39.0500 SystemInfo:
2010/10/20 21:28:39.0500
2010/10/20 21:28:39.0500 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/20 21:28:39.0515 Product type: Workstation
2010/10/20 21:28:39.0515 ComputerName: DAN
2010/10/20 21:28:39.0515 UserName: Daniel
2010/10/20 21:28:39.0515 Windows directory: C:\WINDOWS
2010/10/20 21:28:39.0515 System windows directory: C:\WINDOWS
2010/10/20 21:28:39.0515 Processor architecture: Intel x86
2010/10/20 21:28:39.0515 Number of processors: 2
2010/10/20 21:28:39.0515 Page size: 0x1000
2010/10/20 21:28:39.0515 Boot type: Normal boot
2010/10/20 21:28:39.0515 ================================================================================
2010/10/20 21:28:40.0125 Initialize success
2010/10/20 21:28:43.0218 ================================================================================
2010/10/20 21:28:43.0218 Scan started
2010/10/20 21:28:43.0218 Mode: Manual;
2010/10/20 21:28:43.0218 ================================================================================
2010/10/20 21:28:45.0171 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/20 21:28:45.0203 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/10/20 21:28:45.0296 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/10/20 21:28:45.0359 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/10/20 21:28:45.0609 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
2010/10/20 21:28:45.0828 AR5416 (0297af4b89769159058b996c21218421) C:\WINDOWS\system32\DRIVERS\athw.sys
2010/10/20 21:28:46.0015 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/10/20 21:28:46.0062 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/20 21:28:46.0093 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/10/20 21:28:46.0125 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/10/20 21:28:46.0156 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/10/20 21:28:46.0187 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/20 21:28:46.0218 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/10/20 21:28:46.0250 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/10/20 21:28:46.0281 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/20 21:28:46.0312 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/20 21:28:46.0375 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/10/20 21:28:46.0406 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/10/20 21:28:46.0546 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/20 21:28:46.0609 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/20 21:28:46.0640 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/10/20 21:28:46.0671 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/10/20 21:28:46.0718 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/20 21:28:46.0796 dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
2010/10/20 21:28:46.0828 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
2010/10/20 21:28:46.0859 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
2010/10/20 21:28:46.0906 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/20 21:28:46.0968 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/20 21:28:47.0015 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/10/20 21:28:47.0046 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/20 21:28:47.0062 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/10/20 21:28:47.0093 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/10/20 21:28:47.0125 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/20 21:28:47.0140 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/20 21:28:47.0187 giveio (77ebf3e9386daa51551af429052d88d0) C:\WINDOWS\system32\giveio.sys
2010/10/20 21:28:47.0234 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/20 21:28:47.0281 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/10/20 21:28:47.0359 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/20 21:28:47.0437 i8042prt (4cf9b1273c44118cdbb32384bd433949) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/10/20 21:28:47.0640 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2010/10/20 21:28:47.0843 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/20 21:28:48.0093 IntcAzAudAddService (691dda8c43bd8e33a2567b694643c3f5) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/10/20 21:28:48.0312 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/10/20 21:28:48.0375 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/10/20 21:28:48.0390 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/20 21:28:48.0421 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/20 21:28:48.0453 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/20 21:28:48.0484 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/20 21:28:48.0515 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/20 21:28:48.0546 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/20 21:28:48.0578 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/20 21:28:48.0609 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/20 21:28:48.0656 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/20 21:28:48.0734 MBAMSwissArmy (c7dd7d9739785bd3a6b8499eec1dee7e) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010/10/20 21:28:48.0765 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/20 21:28:48.0796 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/20 21:28:48.0875 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
2010/10/20 21:28:48.0953 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/20 21:28:48.0984 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/10/20 21:28:49.0015 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/20 21:28:49.0062 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/20 21:28:49.0125 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/20 21:28:49.0156 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/20 21:28:49.0187 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/20 21:28:49.0218 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/20 21:28:49.0234 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/20 21:28:49.0265 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/20 21:28:49.0296 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/10/20 21:28:49.0312 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/20 21:28:49.0343 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/10/20 21:28:49.0453 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/20 21:28:49.0531 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/10/20 21:28:49.0656 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/20 21:28:49.0734 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/20 21:28:49.0781 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/20 21:28:49.0828 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/20 21:28:49.0875 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/20 21:28:49.0906 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/20 21:28:50.0000 nipplpt2 (4f9b1439bfbb1d3b3a7eefd5ecd8238f) C:\WINDOWS\system32\drivers\nipplpt.sys
2010/10/20 21:28:50.0046 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/20 21:28:50.0109 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/20 21:28:50.0187 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/20 21:28:50.0218 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/20 21:28:50.0281 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/20 21:28:50.0343 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2010/10/20 21:28:50.0359 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/20 21:28:50.0406 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/20 21:28:50.0437 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/20 21:28:50.0500 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/10/20 21:28:50.0546 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/10/20 21:28:50.0750 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/20 21:28:50.0781 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/10/20 21:28:50.0812 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/20 21:28:50.0968 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/20 21:28:51.0000 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/20 21:28:51.0015 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/20 21:28:51.0046 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/20 21:28:51.0078 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/20 21:28:51.0093 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/20 21:28:51.0140 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/20 21:28:51.0187 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/20 21:28:51.0250 RSUSBSTOR (b87f999e05dd9c0312c83a8752e8e66b) C:\WINDOWS\system32\Drivers\RtsUStor.sys
2010/10/20 21:28:51.0328 RT80x86 (c980aed0b53c321f030905785b88db34) C:\WINDOWS\system32\DRIVERS\RT2860.sys
2010/10/20 21:28:51.0406 rtl8187Se (0df1d68f289e07efd054b498d8efbbfd) C:\WINDOWS\system32\DRIVERS\rtl8187Se.sys
2010/10/20 21:28:51.0437 RTLE8023xp (185641ad7e80bfce0aa545d3ec79d557) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2010/10/20 21:28:51.0500 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/20 21:28:51.0562 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2010/10/20 21:28:51.0718 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2010/10/20 21:28:51.0859 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/10/20 21:28:51.0984 speedfan (5d6401db90ec81b71f8e2c5c8f0fef23) C:\WINDOWS\system32\speedfan.sys
2010/10/20 21:28:52.0015 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/20 21:28:52.0062 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/20 21:28:52.0140 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/20 21:28:52.0203 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/10/20 21:28:52.0234 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/20 21:28:52.0265 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/20 21:28:52.0390 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/20 21:28:52.0453 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/20 21:28:52.0500 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/20 21:28:52.0515 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/20 21:28:52.0531 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/20 21:28:52.0593 toshidpt (7c315ed5819329edb2f9b70e1c01d66b) C:\WINDOWS\system32\drivers\Toshidpt.sys
2010/10/20 21:28:52.0656 tosporte (2c15b4856f929ac7dd144044d8334b54) C:\WINDOWS\system32\DRIVERS\tosporte.sys
2010/10/20 21:28:52.0718 tosrfbd (6750328ab04ae5faf01403a575d66978) C:\WINDOWS\system32\DRIVERS\tosrfbd.sys
2010/10/20 21:28:52.0765 tosrfbnp (e5e34cd8848742cdc946f589f802630f) C:\WINDOWS\system32\Drivers\tosrfbnp.sys
2010/10/20 21:28:52.0828 Tosrfcom (c281d231ba7bc7955d39ea9e21374eff) C:\WINDOWS\system32\Drivers\tosrfcom.sys
2010/10/20 21:28:52.0843 Tosrfhid (592cd9c8ab08ef02ea53905d30fb157e) C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys
2010/10/20 21:28:52.0875 tosrfnds (0f3fd4f55175caeddce9efd6c5ca45d3) C:\WINDOWS\system32\DRIVERS\tosrfnds.sys
2010/10/20 21:28:52.0921 TosRfSnd (f21031c35fe340a948ffdca6de74d333) C:\WINDOWS\system32\drivers\tosrfsnd.sys
2010/10/20 21:28:52.0953 Tosrfusb (c4245835d4fac0494ed616f3bfe9ee0a) C:\WINDOWS\system32\DRIVERS\tosrfusb.sys
2010/10/20 21:28:53.0000 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/20 21:28:53.0078 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/20 21:28:53.0140 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/10/20 21:28:53.0156 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/10/20 21:28:53.0203 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/20 21:28:53.0218 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/20 21:28:53.0250 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/10/20 21:28:53.0281 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2010/10/20 21:28:53.0328 vcdrom (bfa4ae30b3ac10e9223830bf103f5a3f) D:\Dans\new\VCdRom.sys
2010/10/20 21:28:53.0375 VClone (94d73b62e458fb56c9ce60aa96d914f9) C:\WINDOWS\system32\DRIVERS\VClone.sys
2010/10/20 21:28:53.0406 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/10/20 21:28:53.0468 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/20 21:28:53.0515 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/20 21:28:53.0578 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/20 21:28:53.0656 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/10/20 21:28:53.0703 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/10/20 21:28:53.0750 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/10/20 21:28:53.0859 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/10/20 21:28:53.0859 ================================================================================
2010/10/20 21:28:53.0859 Scan finished
2010/10/20 21:28:53.0859 ================================================================================
2010/10/20 21:28:53.0890 Detected object count: 1
2010/10/20 21:29:03.0703 \HardDisk0\MBR - will be cured after reboot
2010/10/20 21:29:03.0703 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
2010/10/20 21:29:07.0156 Deinitialize success



MBRCheck

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 118):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xF7AF3000 \WINDOWS\system32\KDCOM.DLL
0xF7A03000 \WINDOWS\system32\BOOTVID.dll
0xF74C4000 ACPI.sys
0xF7AF5000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74B3000 pci.sys
0xF75F3000 isapnp.sys
0xF7A07000 compbatt.sys
0xF7A0B000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7BBB000 pciide.sys
0xF7873000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7603000 MountMgr.sys
0xF7494000 ftdisk.sys
0xF7A0F000 ACPIEC.sys
0xF7BBC000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF787B000 PartMgr.sys
0xF7613000 VolSnap.sys
0xF747C000 atapi.sys
0xF7623000 disk.sys
0xF7633000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF745C000 fltMgr.sys
0xF7445000 KSecDD.sys
0xF73B8000 Ntfs.sys
0xF738B000 NDIS.sys
0xF7AF7000 speedfan.sys
0xF7371000 Mup.sys
0xF7BBD000 giveio.sys
0xF6D93000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xF6D7F000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF6D57000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF6D3A000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
0xF6BF5000 \SystemRoot\system32\DRIVERS\RT2860.sys
0xF78DB000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF6BD1000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF78E3000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF76F3000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF78EB000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF78F3000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7AA7000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF7AAB000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF7703000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7713000 \SystemRoot\System32\Drivers\tosrfcom.sys
0xF7D24000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7723000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7AAF000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6BBA000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7733000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7743000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF78FB000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6BA9000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7753000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF790B000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7913000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7773000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7B0D000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF5B6E000 \SystemRoot\system32\DRIVERS\ks.sys
0xF5B10000 \SystemRoot\system32\DRIVERS\update.sys
0xF7ABF000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7793000 \SystemRoot\system32\DRIVERS\tosporte.sys
0xF77A3000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAA1EB000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xAA1C7000 \SystemRoot\system32\drivers\portcls.sys
0xF77B3000 \SystemRoot\system32\drivers\drmk.sys
0xF77C3000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7B13000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7B15000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C7B000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B17000 \SystemRoot\System32\Drivers\Beep.SYS
0xF793B000 \SystemRoot\System32\drivers\vga.sys
0xF7B19000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B1B000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7943000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF794B000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF732D000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAA144000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAA0EB000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAA0C5000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xAA09D000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF77F3000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF7A9F000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xAA07B000 \SystemRoot\System32\drivers\afd.sys
0xF7803000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF6BA1000 \??\D:\Dans\new\VCdRom.sys
0xA9FAD000 \SystemRoot\System32\Drivers\RtsUStor.sys
0xA9F82000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF7843000 \SystemRoot\system32\drivers\nipplpt.sys
0xA9F12000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7863000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7663000 \SystemRoot\system32\DRIVERS\tosrfusb.sys
0xA9EC8000 \SystemRoot\system32\DRIVERS\tosrfbd.sys
0xA9E65000 \SystemRoot\system32\DRIVERS\Tosrfhid.sys
0xF7673000 \SystemRoot\System32\Drivers\tosrfbnp.sys
0xA9EEA000 \SystemRoot\system32\DRIVERS\tosrfnds.sys
0xF7D33000 \SystemRoot\system32\drivers\Toshidpt.sys
0xF7683000 \SystemRoot\system32\drivers\HIDCLASS.SYS
0xF796B000 \SystemRoot\system32\drivers\HIDPARSE.SYS
0xA9EB4000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xA9DFD000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7B3D000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA9EA4000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7973000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C03000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
0xBF1E7000 \SystemRoot\System32\igxpdx32.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA9D01000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA9A88000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA9A4B000 \SystemRoot\system32\drivers\wdmaud.sys
0xA9DBD000 \SystemRoot\system32\drivers\sysaudio.sys
0xA9745000 \SystemRoot\system32\DRIVERS\srv.sys
0xA92A4000 \SystemRoot\System32\Drivers\HTTP.sys
0xF7B9B000 \SystemRoot\System32\Drivers\hiber_WMILIB.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 45):
0 System Idle Process
4 System
628 C:\WINDOWS\system32\smss.exe
984 csrss.exe
1008 C:\WINDOWS\system32\winlogon.exe
1052 C:\WINDOWS\system32\services.exe
1064 C:\WINDOWS\system32\lsass.exe
1220 C:\WINDOWS\system32\svchost.exe
1268 svchost.exe
1320 C:\WINDOWS\system32\svchost.exe
1440 svchost.exe
1484 svchost.exe
1720 C:\WINDOWS\system32\spoolsv.exe
1832 svchost.exe
2004 C:\WINDOWS\explorer.exe
128 C:\WINDOWS\system32\cisvc.exe
148 C:\Program Files\Java\jre6\bin\jqs.exe
372 C:\WINDOWS\system32\svchost.exe
404 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
528 C:\WINDOWS\system32\wuauclt.exe
920 C:\WINDOWS\RTHDCPL.EXE
940 C:\WINDOWS\system32\igfxpers.exe
948 C:\Program Files\CE\nmSvc.exe
960 C:\WINDOWS\system32\iprntctl.exe
976 C:\WINDOWS\system32\iprntlgn.exe
1112 C:\WINDOWS\system32\igfxtray.exe
1192 C:\Program Files\CE\nmFlt.exe
1188 C:\WINDOWS\system32\igfxsrvc.exe
1252 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1360 C:\Program Files\RocketDock\RocketDock.exe
1108 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
1820 C:\Documents and Settings\Daniel\Application Data\Dropbox\bin\Dropbox.exe
2272 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
2356 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
2796 alg.exe
2804 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
2944 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
2956 C:\WINDOWS\system32\wscntfy.exe
3600 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
3704 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
3904 C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
1992 C:\WINDOWS\system32\cidaemon.exe
2136 C:\Program Files\Mozilla Firefox\firefox.exe
3364 C:\Program Files\Mozilla Firefox\plugin-container.exe
1408 D:\Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`fa08fc00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000000a`be62d400 (NTFS)

PhysicalDrive0 Model Number: WDCWD1600BEVT-22ZCT0, Rev: 11.01A11

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 536F160BF31D1EA9A0903B1B75563BB4E20A3D65


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
 
Your MBR seems to be infected.

Please download NTBR by noahdfear and save it to your Desktop.
File size: 2.44 MB (2,565,432 bytes)

  • Place a blank CD in your CD drive.
  • Double click on NTBR_CD.exe file and a folder of the same name will appear.
  • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
  • Follow the prompts to burn the CD.
  • Now you will need to set the CD-ROM as the first boot device if it isn't already (if you don't know how to do it, see HERE)
  • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
  • Insert the newly created CD into your infected PC and reboot your computer.
  • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
  • Read the warning and then continue as prompted.
  • You first need to select your keyboard layout - press Enter for English.
  • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
  • On the following screen enter 5 to select Install Standard MBR code.
  • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
  • When asked to confirm please do so.
  • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
  • Eject the disc and then press ctrl+alt+del to reboot the PC.
Once rebooted, run MBRCheck again and post its log.
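For anyone following this thread who wants to understand what the "Unknown MBR code" / SHA1 verdict in the MBRCheck output above actually measures, and what the NTBR step rewrites, here is an added example (my own code, not MBRCheck's or NTBR's): it parses a 512-byte sector 0, hashes only the 440 bytes of boot code (the part TDL4 overwrites), looks the hash up in a known-good table, and decodes the partition entries into the same byte offsets MBRCheck prints for C: and D:. The allow-list is an empty placeholder you would fill from a clean install; the sample sector is constructed, using only the C: and D: offsets from the log above, an assumed total sector count for a 160 GB drive, a made-up disk signature, and no entry for the hidden recovery partition.

```python
"""MBR sector parser with boot-code fingerprinting.

Added example for this thread; it is not MBRCheck's or NTBR's code. It shows
what the MBRCheck log reports: the first 440 bytes of sector 0 (the boot code)
hashed with SHA1 and compared against known-good values, plus the partition
table that maps C: and D: to byte offsets on PhysicalDrive0.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 440            # bytes 0..439: bootstrap code, the part TDL4 replaces
DISK_SIG_OFFSET = 440         # 4-byte NT disk signature
PTABLE_OFFSET = 446           # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
SECTOR_BYTES = 512

# Assumption: an empty allow-list. Fill it with the SHA1 of the first 440 bytes
# of a known-clean MBR (e.g. read from an identical, uninfected install);
# no real Windows boot-code hash is asserted here.
KNOWN_GOOD_BOOTCODE_SHA1 = {}


def has_boot_signature(sector: bytes) -> bool:
    """True if the sector is 512 bytes and ends in 0x55AA."""
    return len(sector) == MBR_SIZE and sector[510:512] == BOOT_SIGNATURE


def bootcode_sha1(sector: bytes) -> str:
    """Upper-case hex SHA1 of the boot code only (signature and table excluded)."""
    return hashlib.sha1(sector[:BOOTCODE_LEN]).hexdigest().upper()


def classify_bootcode(sector: bytes) -> str:
    """Name of the matching known-good code, or the 'Unknown MBR code' verdict."""
    return KNOWN_GOOD_BOOTCODE_SHA1.get(bootcode_sha1(sector), "Unknown MBR code")


def disk_signature(sector: bytes) -> int:
    """The 32-bit NT disk signature stored right after the boot code."""
    return struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0]


def parse_partitions(sector: bytes) -> list:
    """Decode the four partition entries; skips empty (type 0) slots."""
    if not has_boot_signature(sector):
        raise ValueError("not a valid MBR sector (bad length or 0x55AA missing)")
    entries = []
    for slot in range(4):
        off = PTABLE_OFFSET + 16 * slot
        status, _chs_first, ptype, _chs_last, lba_start, nsectors = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype == 0:
            continue
        entries.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": nsectors,
            "byte_offset": lba_start * SECTOR_BYTES,   # what MBRCheck prints as 'at offset'
        })
    return entries


# ---- constructed sample sector (not a real dump) -------------------------
def _entry(status, ptype, lba_start, nsectors):
    # CHS fields set to 0xFEFFFF, the usual "use LBA instead" filler
    return struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff",
                       lba_start, nsectors)

# Start LBAs derived from the C: and D: offsets in the MBRCheck output.
C_LBA = 0x00000000FA08FC00 // SECTOR_BYTES
D_LBA = 0x0000000ABE62D400 // SECTOR_BYTES
DISK_SECTORS = 312_581_808   # assumed total for a 160 GB (149 GiB) drive

SAMPLE_MBR = (
    b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (BOOTCODE_LEN - 7)  # stand-in boot code
    + struct.pack("<I", 0xDEADBEEF)                                  # made-up disk signature
    + b"\x00\x00"                                                     # reserved
    + _entry(0x80, 0x07, C_LBA, D_LBA - C_LBA)                        # C: active, NTFS
    + _entry(0x00, 0x07, D_LBA, DISK_SECTORS - D_LBA)                 # D:
    + b"\x00" * 32                                                    # two empty slots
    + BOOT_SIGNATURE
)
assert len(SAMPLE_MBR) == MBR_SIZE


if __name__ == "__main__":
    # On a live Windows system, sector 0 is: open(r"\\.\PhysicalDrive0", "rb").read(512)
    print("boot code SHA1:", bootcode_sha1(SAMPLE_MBR), "->", classify_bootcode(SAMPLE_MBR))
    print("disk signature: 0x%08X" % disk_signature(SAMPLE_MBR))
    for p in parse_partitions(SAMPLE_MBR):
        print("slot %d type 0x%02X active=%s offset 0x%016X sectors %d"
              % (p["slot"], p["type"], p["bootable"], p["byte_offset"], p["sectors"]))
```

Two caveats when using something like this for real. A hash that is not on your list only means the code is not one you have vouched for (the verdict MBRCheck gives), not that it is malicious; conversely, a match only proves the 440 bytes are what you expect, not that the partitions or the rest of the boot chain are untouched. And while the TDL4 driver is active it filters reads of sector 0 and hands user-mode tools a clean copy, which is why the advice above is to check and rewrite the MBR from a boot CD rather than from inside the infected Windows.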
 