TechSpot

Avast! reporting Rootkit in mssmbios.sys - Win7 32-Bit

By kananesgi
Feb 27, 2011
  1. My Avast! has been reporting this infection for about two weeks now. I've tried multiple times to remove the infection with no success. Finally decided to bite the bullet and see if I can get some help here. I've followed the 8-Step instructions and have the requested log files. I guess I just paste them inline here. Hope that's right. Here they are:

    ---------------------------------------------------------------------------------------------------

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5898

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    2/27/2011 4:25:12 PM
    mbam-log-2011-02-27 (16-25-12).txt

    Scan type: Quick scan
    Objects scanned: 159786
    Time elapsed: 5 minute(s), 58 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    =============================================================


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-02-27 16:28:55
    Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdePort1 TOSHIBA_MK3263GSX rev.FG020M
    Running: 0jdpc0gp.exe; Driver: C:\Users\primary\AppData\Local\Temp\kwtirpoc.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sectors 625142192 (+254): rootkit-like behavior;

    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x8FBB382E]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8FBB3652]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x8FBB378C]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-2 866BAAEA
    Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 853BA1F8
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 866BAAEA
    Device \Driver\atapi \Device\Ide\IdePort0 853BA1F8
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 866BAAEA
    Device \Driver\atapi \Device\Ide\IdePort1 853BA1F8
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 866BAAEA
    Device \Driver\atapi \Device\Ide\IdePort2 853BA1F8
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 866BAAEA
    Device \Driver\atapi \Device\Ide\IdePort3 853BA1F8
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort4 866BAAEA
    Device \Driver\atapi \Device\Ide\IdePort4 853BA1F8
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort5 866BAAEA
    Device \Driver\atapi \Device\Ide\IdePort5 853BA1F8
    Device \Driver\msahci \Device\Ide\PciIde0Channel0 853BB1F8
    Device \Driver\msahci \Device\Ide\PciIde0Channel1 853BB1F8
    Device \Driver\msahci \Device\Ide\PciIde0Channel2 853BB1F8
    Device \Driver\msahci \Device\Ide\PciIde0Channel3 853BB1F8
    Device \Driver\msahci \Device\Ide\PciIde0Channel4 853BB1F8
    Device \Driver\msahci \Device\Ide\PciIde0Channel5 853BB1F8
    Device \Driver\awaa96fb \Device\Scsi\awaa96fb1 867C71F8
    Device \FileSystem\Ntfs \Ntfs 853BD1F8

    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

    Device \Device\Ide\IdeDeviceP1T0L0-1 -> \??\IDE#DiskTOSHIBA_MK3263GSX_______________________FG020M__#5&1ac922e7&0&1.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----


    ================================================================


    DDS (Ver_10-12-12.02) - NTFSx86
    Run by primary at 16:30:37.37 on Sun 02/27/2011
    Internet Explorer: 8.0.7600.16385
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2812.1782 [GMT -6:00]

    AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
    SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\windows\system32\wininit.exe
    C:\windows\system32\lsm.exe
    C:\windows\system32\svchost.exe -k DcomLaunch
    C:\windows\system32\svchost.exe -k RPCSS
    C:\windows\system32\atiesrxx.exe
    C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\windows\system32\svchost.exe -k netsvcs
    C:\windows\system32\svchost.exe -k LocalService
    C:\windows\system32\atieclxx.exe
    C:\windows\system32\svchost.exe -k NetworkService
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\windows\system32\Dwm.exe
    C:\windows\Explorer.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Eraser\Eraser.exe
    C:\Program Files\Citrix\ICA Client\concentr.exe
    C:\Program Files\AGEIA Technologies\TrayIcon.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Program Files\Real\RealPlayer\Update\realsched.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\DAEMON Tools Lite\DTLite.exe
    C:\Program Files\Steam\steam.exe
    C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Citrix\ICA Client\wfcrun32.exe
    C:\windows\system32\taskhost.exe
    C:\windows\System32\spoolsv.exe
    C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\windows\system32\taskeng.exe
    C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    C:\windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\TODDSrv.exe
    C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    C:\Program Files\TOSHIBA\TECO\TecoService.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\windows\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
    C:\windows\system32\DllHost.exe
    C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
    C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\windows\System32\svchost.exe -k secsvcs
    C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    C:\windows\system32\AUDIODG.EXE
    C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
    C:\Users\primary\Desktop\dds.scr
    C:\windows\system32\conhost.exe
    C:\windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/ig
    uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
    mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - No File
    BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No File
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: DAPIELoader Class: {ff6c3cf0-4b15-11d1-abed-709549c10000} - c:\progra~1\dap\DAPIEL~1.DLL
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [MyTOSHIBA] "c:\program files\toshiba\my toshiba\MyToshiba.exe" /AUTO
    uRun: [Google Update] "c:\users\primary\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
    uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
    mRun: [<NO NAME>]
    mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    mRun: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe
    mRun: [TosSENotify] c:\program files\toshiba\toshiba hdd ssd alert\TosWaitSrv.exe
    mRun: [ToshibaServiceStation] "c:\program files\toshiba\toshiba service station\ToshibaServiceStation.exe" /hide:60
    mRun: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
    mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
    mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
    mRun: [NortonOnlineBackupReminder] "c:\program files\toshiba\toshiba online backup\activation\TobuActivation.exe" UNATTENDED
    mRun: [Eraser] "c:\progra~1\eraser\Eraser.exe" --atRestart
    mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
    mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [AGEIA PhysX SysTray] c:\program files\ageia technologies\TrayIcon.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    StartupFolder: c:\users\primary\appdata\roaming\micros~1\windows\startm~1\programs\startup\accuwe~1.lnk - c:\program files\accuweather\desktop\AccuWeatherDesktop.exe
    StartupFolder: c:\users\primary\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\users\primary\appdata\roaming\micros~1\windows\startm~1\programs\startup\impuls~1.lnk - c:\program files\stardock\impulse\now\ImpulseNow.exe
    StartupFolder: c:\users\primary\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
    IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
    IE: &Download with &DAP - c:\program files\dap\dapextie.htm
    IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mif5ba~1\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: real.com\rhap-app-4-0
    Trusted Zone: real.com\rhapreg
    Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
    mASetup: {01250B8F-D947-4F8A-9408-FE8E3EE2EC92} - c:\program files\toshiba\my toshiba\MyToshiba.exe /SETUP
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\primary\appdata\roaming\mozilla\firefox\profiles\uhgthp4f.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.nasa.gov/multimedia/imagegallery/iotd.html
    FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\tabletplugins\npwacom.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - plugin: c:\users\primary\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: OnlyWire: {e26ba8db-a646-a44e-997c-2fafeadb50f2} - %profile%\extensions\{e26ba8db-a646-a44e-997c-2fafeadb50f2}

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-11-23 294608]
    R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-10-28 176128]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-23 17744]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-11-23 51280]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2011-1-18 40384]
    R2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\toshiba\configfree\CFIWmxSvcs.exe [2009-8-10 185712]
    R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2009-3-10 46448]
    R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-12-30 1153368]
    R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\toshiba\teco\TecoService.exe [2009-8-11 185712]
    R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\drivers\TVALZFL.sys [2009-6-19 12920]
    R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2009-10-29 7680]
    R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-1-23 13952]
    R3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-1-23 28800]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-6-23 275048]
    R3 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2009-10-29 51512]
    R3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-8-3 111960]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\PTDUBus.sys [2009-11-26 54416]
    S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\PTDUMdm.sys [2009-11-26 160272]
    S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\PTDUVsp.sys [2009-11-26 160272]
    S3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\drivers\PTDUWFLT.sys [2009-11-26 11920]
    S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\PTDUWWAN.sys [2009-11-26 113680]
    S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-10-29 171520]
    S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-3-20 32408]
    S3 TPCHSrv;TPCH Service;c:\program files\toshiba\tphm\TPCHSrv.exe [2009-8-6 685424]
    S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-2-26 1343400]

    =============== Created Last 30 ================

    2011-02-26 16:15:58 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{8e21be66-4f9b-4583-b261-0ed923f477e3}\mpengine.dll
    2011-02-24 09:00:30 276992 ----a-w- c:\windows\system32\wcncsvc.dll
    2011-02-24 01:36:23 442880 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-02-24 01:36:22 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-02-15 04:24:57 -------- d-----w- c:\users\primary\appdata\roaming\Malwarebytes
    2011-02-15 04:24:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-15 04:24:45 -------- d-----w- c:\progra~2\Malwarebytes
    2011-02-15 04:24:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-15 04:24:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-09 00:50:59 73728 ----a-w- c:\windows\system32\wscsvc.dll
    2011-02-09 00:50:59 51200 ----a-w- c:\windows\system32\wscapi.dll
    2011-02-09 00:50:59 14336 ----a-w- c:\windows\system32\slwga.dll
    2011-02-05 16:01:48 -------- d-----w- C:\My Music
    2011-01-30 20:57:00 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
    2011-01-30 20:57:00 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

    ==================== Find3M ====================

    2011-02-02 23:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-13 08:47:35 38848 ----a-w- c:\windows\avastSS.scr
    2011-01-07 07:27:11 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-07 05:33:11 294400 ----a-w- c:\windows\system32\atmfd.dll
    2011-01-05 05:37:33 428032 ----a-w- c:\windows\system32\vbscript.dll
    2011-01-05 03:37:38 2329088 ----a-w- c:\windows\system32\win32k.sys
    2010-12-21 05:38:22 981504 ----a-w- c:\windows\system32\wininet.dll
    2010-12-21 05:38:22 350720 ----a-w- c:\windows\system32\winhttp.dll
    2010-12-21 05:38:21 204800 ----a-w- c:\windows\system32\WebClnt.dll
    2010-12-21 05:38:19 204288 ----a-w- c:\windows\system32\upnp.dll
    2010-12-21 05:36:17 1389568 ----a-w- c:\windows\system32\msxml6.dll
    2010-12-21 05:36:16 1236992 ----a-w- c:\windows\system32\msxml3.dll
    2010-12-21 05:34:12 80384 ----a-w- c:\windows\system32\davclnt.dll
    2010-12-18 05:29:40 44544 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-18 05:29:31 541184 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-18 04:20:55 386048 ----a-w- c:\windows\system32\html.iec
    2010-12-18 03:47:59 1638912 ----a-w- c:\windows\system32\mshtml.tlb

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 6.1.7600 Disk: TOSHIBA_MK3263GSX rev.FG020M -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-1

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x866BAEC5]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x85d22872; SUB DWORD [EBP-0x4], 0x85d2212e; PUSH EDI; CALL 0xffffffffffffdf33; }
    1 ntkrnlpa!IofCallDriver[0x82E74448] -> \Device\Harddisk0\DR0[0x862297D0]
    3 CLASSPNP[0x8B2EE59E] -> ntkrnlpa!IofCallDriver[0x82E74448] -> [0x86244C10]
    5 ACPI[0x8AB403B2] -> ntkrnlpa!IofCallDriver[0x82E74448] -> \IdeDeviceP1T0L0-1[0x86244030]
    [0x86575538] -> IRP_MJ_CREATE -> 0x866BAEC5
    kernel: MBR read successfully
    _asm { JMP 0x65; }
    detected disk devices:
    \Device\Ide\IdeDeviceP1T0L0-1 -> \??\IDE#DiskTOSHIBA_MK3263GSX_______________________FG020M__#5&1ac922e7&0&1.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user & kernel MBR OK
    sectors 625142446 (+255): user != kernel
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 16:34:03.26 ===============


    ================================================================


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/22/2009 11:58:01 AM
    System Uptime: 2/27/2011 4:15:29 PM (0 hours ago)

    Motherboard: TOSHIBA | | Portable PC
    Processor: AMD Athlon(tm) II Dual-Core M300 | Socket S1G3 | 2000/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 242 GiB total, 10.038 GiB free.
    D: is CDROM (CDFS)
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4d36e96f-e325-11ce-bfc1-08002be10318}
    Description: Synaptics PS/2 Port TouchPad
    Device ID: ACPI\SYN191B\4&257B6A8D&0
    Manufacturer: Synaptics
    Name: Synaptics PS/2 Port TouchPad
    PNP Device ID: ACPI\SYN191B\4&257B6A8D&0
    Service: i8042prt

    ==== System Restore Points ===================

    RP275: 2/1/2011 12:12:10 PM - Windows Update
    RP276: 2/4/2011 11:52:35 AM - Windows Update
    RP277: 2/8/2011 3:13:30 AM - Windows Update
    RP278: 2/9/2011 12:56:22 PM - Windows Update
    RP279: 2/15/2011 3:08:43 AM - Windows Update
    RP280: 2/19/2011 1:34:52 PM - Windows Update
    RP281: 2/23/2011 7:34:13 PM - Windows Update
    RP282: 2/24/2011 3:00:13 AM - Windows Update
    RP283: 2/26/2011 10:15:00 AM - Windows Update

    ==== Installed Programs ======================

    3dsmax ancillary install
    7-Zip 4.65
    Active Camera 2004 2.1 for FS 2004 (updated to 9.1)
    Adobe AIR
    Adobe Anchor Service CS4
    Adobe Bridge 1.0
    Adobe Bridge CS4
    Adobe CMaps CS4
    Adobe Color EU Extra Settings CS4
    Adobe Color JA Extra Settings CS4
    Adobe Color NA Recommended Settings CS4
    Adobe Common File Installer
    Adobe CSI CS4
    Adobe Default Language CS4
    Adobe Device Central CS4
    Adobe Drive CS4
    Adobe ExtendScript Toolkit CS4
    Adobe Extension Manager CS4
    Adobe Flash Player 10 ActiveX
    Adobe Fonts All
    Adobe Help Center 1.0
    Adobe Illustrator CS4
    Adobe Linguistics CS4
    Adobe Media Player
    Adobe Output Module
    Adobe PDF Library Files CS4
    Adobe Photoshop CS2
    Adobe Reader 9.4.2
    Adobe Search for Help
    Adobe Service Manager Extension
    Adobe Setup
    Adobe Stock Photos 1.0
    Adobe Type Support CS4
    Adobe Update Manager CS4
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS4
    AdobeColorCommonSetCMYK
    AdobeColorCommonSetRGB
    AGEIA PhysX v6.10.25
    Amazon MP3 Downloader 1.0.10
    Apple Application Support
    Apple Software Update
    Armstrong Whitworth Ensign for FS2004
    ATI Catalyst Install Manager
    Autodesk 3ds Max 9 32-bit
    Autodesk DWF Viewer 7
    avast! Free Antivirus
    Backburner
    Big Rig Europe
    BitTorrent
    Catalyst Control Center - Branding
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    Catalyst Control Center Graphics Previews Vista
    Catalyst Control Center InstallProxy
    Catalyst Control Center Localization All
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help Czech
    CCC Help Danish
    CCC Help Dutch
    CCC Help English
    CCC Help Finnish
    CCC Help French
    CCC Help German
    CCC Help Greek
    CCC Help Hungarian
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Norwegian
    CCC Help Polish
    CCC Help Portuguese
    CCC Help Russian
    CCC Help Spanish
    CCC Help Swedish
    CCC Help Thai
    CCC Help Turkish
    Check Version Ver 1.0.0
    Citrix online plug-in (Web)
    Classic Wings Graf Zeppelin
    Classic Wings Hindenburg Zeppelin
    Compatibility Pack for the 2007 Office system
    Condor: The Competition Soaring Simulator 1.0.4
    Connect
    D3DX10
    DeLorme Street Atlas USA 2009 Plus
    Download Accelerator Plus (DAP)
    ENERGY project, release 4
    Eraser 6.0.6.1376
    EVE Online (remove only)
    EVEMon
    Ewisoft Website Builder (include eCommerce Builder) Version 5
    FBX Plugin 2006.08 for Max 9.0
    FileZilla Client 3.3.1
    FMS
    Free 3GP Video Converter version 3.7.18
    Free WMA to MP3 Converter 1.16
    FreeMind
    Fuel Service Stations, release 2
    Glacier Bay v2a
    Glacier Bay v2b
    Google Chrome
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB945282)
    Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946040)
    Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946308)
    Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947540)
    Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947789)
    Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB948127)
    Impulse
    inSSIDer
    Java(TM) 6 Update 14
    kuler
    Label@Once 1.0
    Logo Design Studio Pro
    Logo Design Studio The Big Concept Expansion Pack
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Combat Flight Simulator 3.1
    Microsoft Crimson Skies
    Microsoft Flight Simulator 2004 A Century of Flight
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Suite Activation Assistant
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft SQL Server 2008 Management Objects
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
    Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
    Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
    Microsoft Works
    Mir-2 space station, release 1.1
    Mozilla Firefox (3.6.13)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MyScribe
    MyToshiba
    Network Recording Player
    Niche Research Commando Ver 3.0.2
    NifSkope (remove only)
    OFF MP Essential Files
    OGA Notifier 2.0.0048.0
    Over Flanders Fields - Between Heaven and Hell - Update To V1.3
    Paint Shop Pro 7
    PANTECH UM175 Driver
    Parallel Port Joystick
    PDF Settings CS4
    PeerGuardian 2.0
    Pepakura Designer2
    Photoshop Camera Raw
    Pinnacle VideoSpin
    PlayReady PC Runtime x86
    Power Tab Editor 1.7
    PowerISO
    Quickbooks Financial Center
    QuickPar 0.9
    QuickTime
    RailWorks
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    Realtek Ethernet Controller Driver
    Realtek High Definition Audio Driver
    Realtek USB 2.0 Card Reader
    REALTEK Wireless LAN Driver
    Realtek WLAN Driver
    RealUpgrade 1.1
    Rhapsody
    Rosetta Stone 2.2.0.0A
    SD Formatter
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB2345043)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    Shotstone
    Sid Meier's Civilization 4 - Beyond the Sword
    Sid Meier's Civilization 4 Complete
    Sid Meier's Civilization V
    SimCharts 3.0
    Sins of a Solar Empire
    Sins of a Solar Empire - Diplomacy
    Sins of a Solar Empire - Entrenchment
    Skype Launcher
    SmartPropoPlus
    SocialBot
    SolveigMM AVI Trimmer
    Space Tankers, release 1
    Space Tugs, release 4
    Spybot - Search & Destroy
    SQL Server System CLR Types
    SquawkBox
    Steam
    Suite Shared Configuration CS4
    Synaptics Pointing Device Driver
    Toshiba Application and Driver Installer
    TOSHIBA Assist
    TOSHIBA ConfigFree
    TOSHIBA Disc Creator
    TOSHIBA DVD PLAYER
    TOSHIBA eco Utility
    TOSHIBA Extended Tiles for Windows Mobility Center
    TOSHIBA Hardware Setup
    TOSHIBA HDD/SSD Alert
    Toshiba Online Backup
    TOSHIBA PC Health Monitor
    Toshiba Quality Application
    TOSHIBA Recovery Media Creator
    TOSHIBA Service Station
    TOSHIBA Speech System Applications
    TOSHIBA Speech System SR Engine(U.S.) Version1.0
    TOSHIBA Speech System TTS Engine(U.S.) Version1.0
    TOSHIBA Supervisor Password
    TOSHIBA Value Added Package
    ToshibaRegistration
    Uninstall 1.0.0.1
    Universal Cargo Deck, release 4
    Universal RMS, release 3
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB963670)
    Update for Microsoft Office Powerpoint 2007 Help (KB963669)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    VAT-Spy
    Visual Studio Express Editions Registration Benefits Overview
    VLC media player 1.1.4
    VRC
    VZAccess Manager
    WebEx
    WebTablet IE Plugin
    WebTablet Netscape Plugin
    WildTangent Games
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Movie Maker
    Windows Live Photo Common
    Windows Live Photo Gallery
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live Sync
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    Yahoo! Software Update

    ==== Event Viewer Messages From Past Week ========

    2/27/2011 4:15:47 PM, Error: atikmdag [52236] - CPLIB :: General - Invalid Parameter
    2/27/2011 4:15:47 PM, Error: atikmdag [43029] - Display is not active
    2/27/2011 4:12:47 PM, Error: Service Control Manager [7034] - The AMD External Events Utility service terminated unexpectedly. It has done this 1 time(s).
    2/26/2011 10:13:54 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    2/26/2011 10:13:53 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Computer Browser service, but this action failed with the following error: An instance of the service is already running.
    2/26/2011 10:12:53 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Server service, but this action failed with the following error: An instance of the service is already running.
    2/26/2011 10:12:14 AM, Error: Service Control Manager [7034] - The TOSHIBA HDD SSD Alert Service service terminated unexpectedly. It has done this 1 time(s).
    2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The Windows Update service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The System Event Notification Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The Shell Hardware Detection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The Remote Access Connection Manager service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The IP Helper service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The IKE and AuthIP IPsec Keying Modules service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The Group Policy Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The Extensible Authentication Protocol service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The Computer Browser service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
    2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    2/26/2011 10:11:30 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
    2/24/2011 8:29:00 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
    2/21/2011 4:07:05 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR2.

    ==== End Of File ===========================
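As an added example (not part of this thread), a small Python triage script for the "Event Viewer Messages" format in the DDS log above: it groups Service Control Manager 7031/7034 "terminated unexpectedly" events by the second they were logged, so a burst like the fifteen services dying together at 10:11:53 stands out from an isolated crash, and it lists the 7032 restart attempts that failed with "already running". The sample lines are copied from the log above (with the trailing "corrective action" sentence trimmed); the burst threshold of five services is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# One line of the DDS "Event Viewer Messages From Past Week" section:
#   <m/d/yyyy h:mm:ss AM|PM>, <Level>: <Source> [<EventID>] - <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$"
)
# SCM 7031 / 7034 message: "The <name> service terminated unexpectedly. ..."
TERMINATED_RE = re.compile(r"^The (?P<svc>.+?) service terminated unexpectedly")
# SCM 7032 message: "... after the unexpected termination of the <name> service, but this action failed ..."
RESTART_FAILED_RE = re.compile(
    r"unexpected termination of the (?P<svc>.+?) service, but this action failed"
)

# Constructed sample input: lines copied from the DDS log in this thread,
# trailing "The following corrective action ..." sentences trimmed.
SAMPLE_EVENTS = r"""
2/27/2011 4:15:47 PM, Error: atikmdag [52236] - CPLIB :: General - Invalid Parameter
2/27/2011 4:12:47 PM, Error: Service Control Manager [7034] - The AMD External Events Utility service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 10:13:54 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
2/26/2011 10:13:53 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Computer Browser service, but this action failed with the following error: An instance of the service is already running.
2/26/2011 10:12:53 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Server service, but this action failed with the following error: An instance of the service is already running.
2/26/2011 10:12:14 AM, Error: Service Control Manager [7034] - The TOSHIBA HDD SSD Alert Service service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The Windows Update service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The Windows Management Instrumentation service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The User Profile Service service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The Themes service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The Task Scheduler service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The System Event Notification Service service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The Shell Hardware Detection service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The Server service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The Remote Access Connection Manager service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The IP Helper service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The IKE and AuthIP IPsec Keying Modules service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The Group Policy Client service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The Extensible Authentication Protocol service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The Computer Browser service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 10:11:53 AM, Error: Service Control Manager [7031] - The Background Intelligent Transfer Service service terminated unexpectedly. It has done this 1 time(s).
2/26/2011 10:11:30 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
2/21/2011 4:07:05 PM, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR2.
""".strip().splitlines()


def parse_event(line):
    """Parse one DDS event line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
        "level": m.group("level"),
        "source": m.group("source"),
        "eid": int(m.group("eid")),
        "msg": m.group("msg"),
    }


def scm_events(lines):
    """Yield only the parsed Service Control Manager events."""
    for line in lines:
        ev = parse_event(line)
        if ev and ev["source"] == "Service Control Manager":
            yield ev


def termination_bursts(lines, min_services=5):
    """Group SCM 7031/7034 'terminated unexpectedly' events by the second they
    were logged; return {timestamp: [service, ...]} for every second in which
    at least min_services distinct services died. One buggy service does not
    look like this, so a burst deserves a closer look at the host."""
    by_second = defaultdict(set)
    for ev in scm_events(lines):
        if ev["eid"] in (7031, 7034):
            m = TERMINATED_RE.match(ev["msg"])
            if m:
                by_second[ev["ts"]].add(m.group("svc"))
    return {ts: sorted(s) for ts, s in by_second.items() if len(s) >= min_services}


def failed_restarts(lines):
    """Return services whose SCM auto-restart (event 7032) failed because an
    instance was already running, i.e. something restarted (or re-hosted) the
    service before the SCM's own recovery action ran."""
    found = []
    for ev in scm_events(lines):
        if ev["eid"] == 7032 and "already running" in ev["msg"]:
            m = RESTART_FAILED_RE.search(ev["msg"])
            if m:
                found.append(m.group("svc"))
    return found


if __name__ == "__main__":
    for ts, svcs in sorted(termination_bursts(SAMPLE_EVENTS).items()):
        print(f"{ts}: {len(svcs)} services terminated in the same second")
        for svc in svcs:
            print(f"    {svc}")
    print("restart failed (already running):", failed_restarts(SAMPLE_EVENTS))
```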
     
  2. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ========================================================================

    You're infected with a rootkit.

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  3. kananesgi

    kananesgi TS Rookie Topic Starter

    Sorry it took me so long to get back. Unexpected visit from my brother and his family took me away from the computer for a while.

    Ran TDSSKiller and it found the rootkit; maybe it removed it during the reboot. Avast! hasn't reported the infection yet since the reboot.

    Here's the log:
    =================================================================


    2011/02/27 18:05:48.0431 1040 TDSS rootkit removing tool 2.4.18.0 Feb 21 2011 11:08:08
    2011/02/27 18:05:48.0930 1040 ================================================================================
    2011/02/27 18:05:48.0930 1040 SystemInfo:
    2011/02/27 18:05:48.0930 1040
    2011/02/27 18:05:48.0930 1040 OS Version: 6.1.7600 ServicePack: 0.0
    2011/02/27 18:05:48.0930 1040 Product type: Workstation
    2011/02/27 18:05:48.0930 1040 ComputerName: ROADWARRIOR-PC
    2011/02/27 18:05:48.0930 1040 UserName: primary
    2011/02/27 18:05:48.0930 1040 Windows directory: C:\windows
    2011/02/27 18:05:48.0930 1040 System windows directory: C:\windows
    2011/02/27 18:05:48.0930 1040 Processor architecture: Intel x86
    2011/02/27 18:05:48.0930 1040 Number of processors: 2
    2011/02/27 18:05:48.0930 1040 Page size: 0x1000
    2011/02/27 18:05:48.0930 1040 Boot type: Normal boot
    2011/02/27 18:05:48.0930 1040 ================================================================================
    2011/02/27 18:05:50.0833 1040 Initialize success
    2011/02/27 18:05:55.0622 2368 ================================================================================
    2011/02/27 18:05:55.0622 2368 Scan started
    2011/02/27 18:05:55.0622 2368 Mode: Manual;
    2011/02/27 18:05:55.0622 2368 ================================================================================
    2011/02/27 18:05:56.0558 2368 1394ohci (6d2aca41739bfe8cb86ee8e85f29697d) C:\windows\system32\DRIVERS\1394ohci.sys
    2011/02/27 18:05:56.0683 2368 ACPI (f0e07d144c8685b8774bc32fc8da4df0) C:\windows\system32\DRIVERS\ACPI.sys
    2011/02/27 18:05:56.0792 2368 AcpiPmi (98d81ca942d19f7d9153b095162ac013) C:\windows\system32\DRIVERS\acpipmi.sys
    2011/02/27 18:05:56.0933 2368 adfs (6d7f09cd92a9fef3a8efce66231fdd79) C:\windows\system32\drivers\adfs.sys
    2011/02/27 18:05:57.0073 2368 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\windows\system32\DRIVERS\adp94xx.sys
    2011/02/27 18:05:57.0214 2368 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\windows\system32\DRIVERS\adpahci.sys
    2011/02/27 18:05:57.0354 2368 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\windows\system32\DRIVERS\adpu320.sys
    2011/02/27 18:05:57.0479 2368 AFD (ddc040fdb01ef1712a6b13e52afb104c) C:\windows\system32\drivers\afd.sys
    2011/02/27 18:05:57.0635 2368 AgereSoftModem (7e10e3bb9b258ad8a9300f91214d67b9) C:\windows\system32\DRIVERS\AGRSM.sys
    2011/02/27 18:05:57.0760 2368 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\windows\system32\DRIVERS\agp440.sys
    2011/02/27 18:05:57.0884 2368 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\windows\system32\DRIVERS\djsvs.sys
    2011/02/27 18:05:58.0025 2368 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\windows\system32\DRIVERS\aliide.sys
    2011/02/27 18:05:58.0134 2368 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\windows\system32\DRIVERS\amdagp.sys
    2011/02/27 18:05:58.0228 2368 amdide (cd5914170297126b6266860198d1d4f0) C:\windows\system32\DRIVERS\amdide.sys
    2011/02/27 18:05:58.0337 2368 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\windows\system32\DRIVERS\amdk8.sys
    2011/02/27 18:05:58.0477 2368 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\windows\system32\DRIVERS\amdppm.sys
    2011/02/27 18:05:58.0602 2368 amdsata (2101a86c25c154f8314b24ef49d7fbc2) C:\windows\system32\DRIVERS\amdsata.sys
    2011/02/27 18:05:58.0727 2368 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\windows\system32\DRIVERS\amdsbs.sys
    2011/02/27 18:05:58.0820 2368 amdxata (b81c2b5616f6420a9941ea093a92b150) C:\windows\system32\DRIVERS\amdxata.sys
    2011/02/27 18:05:58.0945 2368 AppID (feb834c02ce1e84b6a38f953ca067706) C:\windows\system32\drivers\appid.sys
    2011/02/27 18:05:59.0070 2368 arc (2932004f49677bd84dbc72edb754ffb3) C:\windows\system32\DRIVERS\arc.sys
    2011/02/27 18:05:59.0148 2368 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\windows\system32\DRIVERS\arcsas.sys
    2011/02/27 18:05:59.0257 2368 aswFsBlk (cba53c5e29ae0a0ce76f9a2be3a40d9e) C:\windows\system32\drivers\aswFsBlk.sys
    2011/02/27 18:05:59.0382 2368 aswMonFlt (317f85fb68a3be507e9ccede5e6d9ee0) C:\windows\system32\drivers\aswMonFlt.sys
    2011/02/27 18:05:59.0507 2368 aswRdr (b6e8c5874377a42756c282fac2e20836) C:\windows\system32\drivers\aswRdr.sys
    2011/02/27 18:05:59.0632 2368 aswSP (b93a553c9b0f14263c8f016a44c3258c) C:\windows\system32\drivers\aswSP.sys
    2011/02/27 18:05:59.0741 2368 aswTdi (1408421505257846eb336feeef33352d) C:\windows\system32\drivers\aswTdi.sys
    2011/02/27 18:05:59.0850 2368 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\windows\system32\DRIVERS\asyncmac.sys
    2011/02/27 18:05:59.0944 2368 atapi (338c86357871c167a96ab976519bf59e) C:\windows\system32\DRIVERS\atapi.sys
    2011/02/27 18:06:00.0069 2368 athr (76bab0c824e2d05b940c4dd40a9b08bf) C:\windows\system32\DRIVERS\athr.sys
    2011/02/27 18:06:00.0334 2368 atikmdag (c97be8350fbcb1960b22fad2e6c2b514) C:\windows\system32\DRIVERS\atikmdag.sys
    2011/02/27 18:06:00.0615 2368 AtiPcie (b73c832088dd54b55e04ff6f9646ad8c) C:\windows\system32\DRIVERS\AtiPcie.sys
    2011/02/27 18:06:00.0802 2368 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\windows\system32\DRIVERS\bxvbdx.sys
    2011/02/27 18:06:00.0911 2368 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\windows\system32\DRIVERS\b57nd60x.sys
    2011/02/27 18:06:01.0036 2368 Beep (505506526a9d467307b3c393dedaf858) C:\windows\system32\drivers\Beep.sys
    2011/02/27 18:06:01.0161 2368 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\windows\system32\DRIVERS\blbdrive.sys
    2011/02/27 18:06:01.0239 2368 bowser (fcafaef6798d7b51ff029f99a9898961) C:\windows\system32\DRIVERS\bowser.sys
    2011/02/27 18:06:01.0270 2368 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\windows\system32\DRIVERS\BrFiltLo.sys
    2011/02/27 18:06:01.0363 2368 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\windows\system32\DRIVERS\BrFiltUp.sys
    2011/02/27 18:06:01.0395 2368 Brserid (845b8ce732e67f3b4133164868c666ea) C:\windows\System32\Drivers\Brserid.sys
    2011/02/27 18:06:01.0473 2368 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\windows\System32\Drivers\BrSerWdm.sys
    2011/02/27 18:06:01.0551 2368 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\windows\System32\Drivers\BrUsbMdm.sys
    2011/02/27 18:06:01.0629 2368 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\windows\System32\Drivers\BrUsbSer.sys
    2011/02/27 18:06:01.0660 2368 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\windows\system32\DRIVERS\bthmodem.sys
    2011/02/27 18:06:01.0769 2368 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\windows\system32\DRIVERS\cdfs.sys
    2011/02/27 18:06:01.0878 2368 cdrom (ba6e70aa0e6091bc39de29477d866a77) C:\windows\system32\DRIVERS\cdrom.sys
    2011/02/27 18:06:02.0003 2368 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\windows\system32\DRIVERS\circlass.sys
    2011/02/27 18:06:02.0050 2368 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\windows\system32\CLFS.sys
    2011/02/27 18:06:02.0159 2368 CmBatt (dea805815e587dad1dd2c502220b5616) C:\windows\system32\DRIVERS\CmBatt.sys
    2011/02/27 18:06:02.0190 2368 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\windows\system32\DRIVERS\cmdide.sys
    2011/02/27 18:06:02.0268 2368 CNG (1b675691ed940766149c93e8f4488d68) C:\windows\system32\Drivers\cng.sys
    2011/02/27 18:06:02.0362 2368 Compbatt (a6023d3823c37043986713f118a89bee) C:\windows\system32\DRIVERS\compbatt.sys
    2011/02/27 18:06:02.0440 2368 CompositeBus (f1724ba27e97d627f808fb0ba77a28a6) C:\windows\system32\DRIVERS\CompositeBus.sys
    2011/02/27 18:06:02.0533 2368 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\windows\system32\DRIVERS\crcdisk.sys
    2011/02/27 18:06:02.0658 2368 DfsC (8e09e52ee2e3ceb199ef3dd99cf9e3fb) C:\windows\system32\Drivers\dfsc.sys
    2011/02/27 18:06:02.0767 2368 discache (1a050b0274bfb3890703d490f330c0da) C:\windows\system32\drivers\discache.sys
    2011/02/27 18:06:02.0861 2368 Disk (565003f326f99802e68ca78f2a68e9ff) C:\windows\system32\DRIVERS\disk.sys
    2011/02/27 18:06:02.0986 2368 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\windows\system32\drivers\drmkaud.sys
    2011/02/27 18:06:03.0079 2368 DXGKrnl (1679a4669326cb1a67cc95658d273234) C:\windows\System32\drivers\dxgkrnl.sys
    2011/02/27 18:06:03.0267 2368 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\windows\system32\DRIVERS\evbdx.sys
    2011/02/27 18:06:03.0454 2368 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\windows\system32\DRIVERS\elxstor.sys
    2011/02/27 18:06:03.0547 2368 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\windows\system32\DRIVERS\errdev.sys
    2011/02/27 18:06:03.0657 2368 exfat (2dc9108d74081149cc8b651d3a26207f) C:\windows\system32\drivers\exfat.sys
    2011/02/27 18:06:03.0735 2368 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\windows\system32\drivers\fastfat.sys
    2011/02/27 18:06:03.0844 2368 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\windows\system32\DRIVERS\fdc.sys
    2011/02/27 18:06:03.0937 2368 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\windows\system32\drivers\fileinfo.sys
    2011/02/27 18:06:03.0969 2368 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\windows\system32\drivers\filetrace.sys
    2011/02/27 18:06:04.0078 2368 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\windows\system32\DRIVERS\flpydisk.sys
    2011/02/27 18:06:04.0156 2368 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\windows\system32\drivers\fltmgr.sys
    2011/02/27 18:06:04.0281 2368 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\windows\system32\drivers\FsDepends.sys
    2011/02/27 18:06:04.0327 2368 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\windows\system32\drivers\Fs_Rec.sys
    2011/02/27 18:06:04.0483 2368 fvevol (dafbd9fe39197495aed6d51f3b85b5d2) C:\windows\system32\DRIVERS\fvevol.sys
    2011/02/27 18:06:04.0577 2368 FwLnk (0f76e205bdc60364f08a5949082771ca) C:\windows\system32\DRIVERS\FwLnk.sys
    2011/02/27 18:06:04.0686 2368 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\windows\system32\DRIVERS\gagp30kx.sys
    2011/02/27 18:06:04.0811 2368 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\windows\system32\drivers\hcw85cir.sys
    2011/02/27 18:06:04.0873 2368 HdAudAddService (3530cad25deba7dc7de8bb51632cbc5f) C:\windows\system32\drivers\HdAudio.sys
    2011/02/27 18:06:04.0951 2368 HDAudBus (717a2207fd6f13ad3e664c7d5a43c7bf) C:\windows\system32\DRIVERS\HDAudBus.sys
    2011/02/27 18:06:04.0983 2368 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\windows\system32\DRIVERS\HidBatt.sys
    2011/02/27 18:06:05.0076 2368 HidBth (89448f40e6df260c206a193a4683ba78) C:\windows\system32\DRIVERS\hidbth.sys
    2011/02/27 18:06:05.0185 2368 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\windows\system32\DRIVERS\hidir.sys
    2011/02/27 18:06:05.0295 2368 HidUsb (25072fb35ac90b25f9e4e3bacf774102) C:\windows\system32\DRIVERS\hidusb.sys
    2011/02/27 18:06:05.0419 2368 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\windows\system32\DRIVERS\HpSAMD.sys
    2011/02/27 18:06:05.0466 2368 HTTP (c531c7fd9e8b62021112787c4e2c5a5a) C:\windows\system32\drivers\HTTP.sys
    2011/02/27 18:06:05.0544 2368 hwpolicy (8305f33cde89ad6c7a0763ed0b5a8d42) C:\windows\system32\drivers\hwpolicy.sys
    2011/02/27 18:06:05.0685 2368 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\windows\system32\DRIVERS\i8042prt.sys
    2011/02/27 18:06:05.0809 2368 iaStorV (934af4d7c5f457b9f0743f4299b77b67) C:\windows\system32\DRIVERS\iaStorV.sys
    2011/02/27 18:06:05.0950 2368 iirsp (4173ff5708f3236cf25195fecd742915) C:\windows\system32\DRIVERS\iirsp.sys
    2011/02/27 18:06:06.0153 2368 IntcAzAudAddService (e4a2e810cb2607c9c159c0dfb0bd4c88) C:\windows\system32\drivers\RTKVHDA.sys
    2011/02/27 18:06:06.0262 2368 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\windows\system32\DRIVERS\intelide.sys
    2011/02/27 18:06:06.0340 2368 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\windows\system32\DRIVERS\intelppm.sys
    2011/02/27 18:06:06.0402 2368 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\windows\system32\DRIVERS\ipfltdrv.sys
    2011/02/27 18:06:06.0480 2368 IPMIDRV (e4454b6c37d7ffd5649611f6496308a7) C:\windows\system32\DRIVERS\IPMIDrv.sys
    2011/02/27 18:06:06.0543 2368 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\windows\system32\drivers\ipnat.sys
    2011/02/27 18:06:06.0901 2368 IRENUM (42996cff20a3084a56017b7902307e9f) C:\windows\system32\drivers\irenum.sys
    2011/02/27 18:06:06.0995 2368 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\windows\system32\DRIVERS\isapnp.sys
    2011/02/27 18:06:07.0042 2368 iScsiPrt (ed46c223ae46c6866ab77cdc41c404b7) C:\windows\system32\DRIVERS\msiscsi.sys
    2011/02/27 18:06:07.0167 2368 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\windows\system32\DRIVERS\kbdclass.sys
    2011/02/27 18:06:07.0291 2368 kbdhid (3d9f0ebf350edcfd6498057301455964) C:\windows\system32\DRIVERS\kbdhid.sys
    2011/02/27 18:06:07.0338 2368 KSecDD (e36a061ec11b373826905b21be10948f) C:\windows\system32\Drivers\ksecdd.sys
    2011/02/27 18:06:07.0432 2368 KSecPkg (365c6154bbbc5377173f1ca7bfb6cc59) C:\windows\system32\Drivers\ksecpkg.sys
    2011/02/27 18:06:07.0572 2368 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\windows\system32\DRIVERS\lltdio.sys
    2011/02/27 18:06:07.0681 2368 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\windows\system32\DRIVERS\lsi_fc.sys
    2011/02/27 18:06:07.0775 2368 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\windows\system32\DRIVERS\lsi_sas.sys
    2011/02/27 18:06:07.0900 2368 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\windows\system32\DRIVERS\lsi_sas2.sys
    2011/02/27 18:06:07.0931 2368 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\windows\system32\DRIVERS\lsi_scsi.sys
    2011/02/27 18:06:08.0025 2368 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\windows\system32\drivers\luafv.sys
    2011/02/27 18:06:08.0056 2368 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\windows\system32\DRIVERS\megasas.sys
    2011/02/27 18:06:08.0149 2368 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\windows\system32\DRIVERS\MegaSR.sys
    2011/02/27 18:06:08.0274 2368 Modem (f001861e5700ee84e2d4e52c712f4964) C:\windows\system32\drivers\modem.sys
    2011/02/27 18:06:08.0383 2368 monitor (79d10964de86b292320e9dfe02282a23) C:\windows\system32\DRIVERS\monitor.sys
    2011/02/27 18:06:08.0524 2368 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\windows\system32\DRIVERS\mouclass.sys
    2011/02/27 18:06:08.0617 2368 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\windows\system32\DRIVERS\mouhid.sys
    2011/02/27 18:06:08.0664 2368 mountmgr (921c18727c5920d6c0300736646931c2) C:\windows\system32\drivers\mountmgr.sys
    2011/02/27 18:06:08.0742 2368 mpio (2af5997438c55fb79d33d015c30e1974) C:\windows\system32\DRIVERS\mpio.sys
    2011/02/27 18:06:08.0773 2368 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\windows\system32\drivers\mpsdrv.sys
    2011/02/27 18:06:08.0867 2368 MRxDAV (b1be47008d20e43da3adc37c24cdb89d) C:\windows\system32\drivers\mrxdav.sys
    2011/02/27 18:06:08.0929 2368 mrxsmb (f1b6aa08497ea86ca6ef6f7a08b0bfb8) C:\windows\system32\DRIVERS\mrxsmb.sys
    2011/02/27 18:06:09.0039 2368 mrxsmb10 (5613358b4050f46f5a9832da8050d6e4) C:\windows\system32\DRIVERS\mrxsmb10.sys
    2011/02/27 18:06:09.0163 2368 mrxsmb20 (25c9792778d80feb4c8201e62281bfdf) C:\windows\system32\DRIVERS\mrxsmb20.sys
    2011/02/27 18:06:09.0241 2368 msahci (4326d168944123f38dd3b2d9c37a0b12) C:\windows\system32\DRIVERS\msahci.sys
    2011/02/27 18:06:09.0304 2368 msdsm (455029c7174a2dbb03dba8a0d8bddd9a) C:\windows\system32\DRIVERS\msdsm.sys
    2011/02/27 18:06:09.0397 2368 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\windows\system32\drivers\Msfs.sys
    2011/02/27 18:06:09.0444 2368 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\windows\System32\drivers\mshidkmdf.sys
    2011/02/27 18:06:09.0522 2368 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\windows\system32\DRIVERS\msisadrv.sys
    2011/02/27 18:06:09.0647 2368 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\windows\system32\drivers\MSKSSRV.sys
    2011/02/27 18:06:09.0756 2368 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\windows\system32\drivers\MSPCLOCK.sys
    2011/02/27 18:06:09.0865 2368 MSPQM (f456e973590d663b1073e9c463b40932) C:\windows\system32\drivers\MSPQM.sys
    2011/02/27 18:06:09.0959 2368 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\windows\system32\drivers\MsRPC.sys
    2011/02/27 18:06:10.0053 2368 mssmbios (90e1c4ac32f605d92539d3e8ba9bfd43) C:\windows\system32\DRIVERS\mssmbios.sys
    2011/02/27 18:06:10.0053 2368 Suspicious file (Forged): C:\windows\system32\DRIVERS\mssmbios.sys. Real md5: 90e1c4ac32f605d92539d3e8ba9bfd43, Fake md5: fc6b9ff600cc585ea38b12589bd4e246
    2011/02/27 18:06:10.0084 2368 mssmbios - detected Rootkit.Win32.TDSS.tdl3 (0)
    2011/02/27 18:06:10.0177 2368 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\windows\system32\drivers\MSTEE.sys
    2011/02/27 18:06:10.0271 2368 MTConfig (33599130f44e1f34631cea241de8ac84) C:\windows\system32\DRIVERS\MTConfig.sys
    2011/02/27 18:06:10.0396 2368 Mup (159fad02f64e6381758c990f753bcc80) C:\windows\system32\Drivers\mup.sys
    2011/02/27 18:06:10.0521 2368 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\windows\system32\DRIVERS\nwifi.sys
    2011/02/27 18:06:10.0614 2368 NDIS (23759d175a0a9baaf04d05047bc135a8) C:\windows\system32\drivers\ndis.sys
    2011/02/27 18:06:10.0723 2368 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\windows\system32\DRIVERS\ndiscap.sys
    2011/02/27 18:06:10.0817 2368 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\windows\system32\DRIVERS\ndistapi.sys
    2011/02/27 18:06:10.0911 2368 Ndisuio (b30ae7f2b6d7e343b0df32e6c08fce75) C:\windows\system32\DRIVERS\ndisuio.sys
    2011/02/27 18:06:10.0942 2368 NdisWan (267c415eadcbe53c9ca873dee39cf3a4) C:\windows\system32\DRIVERS\ndiswan.sys
    2011/02/27 18:06:11.0020 2368 NDProxy (af7e7c63dcef3f8772726f86039d6eb4) C:\windows\system32\drivers\NDProxy.sys
    2011/02/27 18:06:11.0113 2368 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\windows\system32\DRIVERS\netbios.sys
    2011/02/27 18:06:11.0145 2368 NetBT (dd52a733bf4ca5af84562a5e2f963b91) C:\windows\system32\DRIVERS\netbt.sys
    2011/02/27 18:06:11.0285 2368 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\windows\system32\DRIVERS\nfrd960.sys
    2011/02/27 18:06:11.0394 2368 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\windows\system32\drivers\Npfs.sys
    2011/02/27 18:06:11.0472 2368 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\windows\system32\drivers\nsiproxy.sys
    2011/02/27 18:06:11.0550 2368 Ntfs (3795dcd21f740ee799fb7223234215af) C:\windows\system32\drivers\Ntfs.sys
    2011/02/27 18:06:11.0659 2368 Null (f9756a98d69098dca8945d62858a812c) C:\windows\system32\drivers\Null.sys
    2011/02/27 18:06:11.0769 2368 nvraid (3f3d04b1d08d43c16ea7963954ec768d) C:\windows\system32\DRIVERS\nvraid.sys
    2011/02/27 18:06:11.0956 2368 nvstor (c99f251a5de63c6f129cf71933aced0f) C:\windows\system32\DRIVERS\nvstor.sys
    2011/02/27 18:06:12.0112 2368 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\windows\system32\DRIVERS\nv_agp.sys
    2011/02/27 18:06:12.0205 2368 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\windows\system32\DRIVERS\ohci1394.sys
    2011/02/27 18:06:12.0330 2368 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\windows\system32\DRIVERS\parport.sys
    2011/02/27 18:06:12.0455 2368 partmgr (ff4218952b51de44fe910953a3e686b9) C:\windows\system32\drivers\partmgr.sys
    2011/02/27 18:06:12.0486 2368 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\windows\system32\DRIVERS\parvdm.sys
    2011/02/27 18:06:12.0580 2368 pci (c858cb77c577780ecc456a892e7e7d0f) C:\windows\system32\DRIVERS\pci.sys
    2011/02/27 18:06:12.0673 2368 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\windows\system32\DRIVERS\pciide.sys
    2011/02/27 18:06:12.0720 2368 pcmcia (f396431b31693e71e8a80687ef523506) C:\windows\system32\DRIVERS\pcmcia.sys
    2011/02/27 18:06:12.0798 2368 pcw (250f6b43d2b613172035c6747aeeb19f) C:\windows\system32\drivers\pcw.sys
    2011/02/27 18:06:12.0861 2368 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\windows\system32\drivers\peauth.sys
    2011/02/27 18:06:12.0970 2368 pgfilter (2cf226173b467ab48f89d77e89936951) C:\Program Files\PeerGuardian2\pgfilter.sys
    2011/02/27 18:06:13.0157 2368 PPJoyBus (89045b00bd36cfe3910e3cb6762c2db0) C:\windows\system32\drivers\PPJoyBus.sys
    2011/02/27 18:06:13.0282 2368 PPortJoystick (f1228587245ad1db17f918d518d85bc1) C:\windows\system32\drivers\PPortJoy.sys
    2011/02/27 18:06:13.0375 2368 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\windows\system32\DRIVERS\raspptp.sys
    2011/02/27 18:06:13.0422 2368 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\windows\system32\DRIVERS\processr.sys
    2011/02/27 18:06:13.0547 2368 Psched (6270ccae2a86de6d146529fe55b3246a) C:\windows\system32\DRIVERS\pacer.sys
    2011/02/27 18:06:13.0656 2368 PTDUBus (dbaf8a53d7669efb4742896b458181d0) C:\windows\system32\DRIVERS\PTDUBus.sys
    2011/02/27 18:06:13.0781 2368 PTDUMdm (fa4e2a5cf478624d3154fb045fb2d076) C:\windows\system32\DRIVERS\PTDUMdm.sys
    2011/02/27 18:06:13.0890 2368 PTDUVsp (9c489b38ca13f251289004fe4f8631dd) C:\windows\system32\DRIVERS\PTDUVsp.sys
    2011/02/27 18:06:13.0968 2368 PTDUWFLT (37a75ac00d26364a5ea2050a6f85c2d0) C:\windows\system32\DRIVERS\PTDUWFLT.sys
    2011/02/27 18:06:14.0062 2368 PTDUWWAN (f4a789a94ff74a47eb321be4465259d0) C:\windows\system32\DRIVERS\PTDUWWAN.sys
    2011/02/27 18:06:14.0171 2368 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\windows\system32\DRIVERS\ql2300.sys
    2011/02/27 18:06:14.0280 2368 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\windows\system32\DRIVERS\ql40xx.sys
    2011/02/27 18:06:14.0358 2368 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\windows\system32\drivers\qwavedrv.sys
    2011/02/27 18:06:14.0405 2368 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\windows\system32\DRIVERS\rasacd.sys
    2011/02/27 18:06:14.0514 2368 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\windows\system32\DRIVERS\AgileVpn.sys
    2011/02/27 18:06:14.0592 2368 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\windows\system32\DRIVERS\rasl2tp.sys
    2011/02/27 18:06:14.0686 2368 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\windows\system32\DRIVERS\raspppoe.sys
    2011/02/27 18:06:14.0779 2368 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\windows\system32\DRIVERS\rassstp.sys
    2011/02/27 18:06:14.0811 2368 rdbss (835d7e81bf517a3b72384bdcc85e1ce6) C:\windows\system32\DRIVERS\rdbss.sys
    2011/02/27 18:06:14.0889 2368 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\windows\system32\DRIVERS\rdpbus.sys
    2011/02/27 18:06:14.0920 2368 RDPCDD (1e016846895b15a99f9a176a05029075) C:\windows\system32\DRIVERS\RDPCDD.sys
    2011/02/27 18:06:15.0029 2368 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\windows\system32\drivers\rdpencdd.sys
    2011/02/27 18:06:15.0060 2368 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\windows\system32\drivers\rdprefmp.sys
    2011/02/27 18:06:15.0169 2368 RDPWD (801371ba9782282892d00aadb08ee367) C:\windows\system32\drivers\RDPWD.sys
    2011/02/27 18:06:15.0263 2368 rdyboost (4ea225bf1cf05e158853f30a99ca29a7) C:\windows\system32\drivers\rdyboost.sys
    2011/02/27 18:06:15.0403 2368 rspndr (032b0d36ad92b582d869879f5af5b928) C:\windows\system32\DRIVERS\rspndr.sys
    2011/02/27 18:06:15.0497 2368 RSUSBSTOR (ef8b2afc3c0751c5e5a59983c8893260) C:\windows\system32\Drivers\RtsUStor.sys
    2011/02/27 18:06:15.0637 2368 RTL8167 (d5ede44ca85899e0478208c8413c1c31) C:\windows\system32\DRIVERS\Rt86win7.sys
    2011/02/27 18:06:15.0778 2368 RTL8187Se (e48daf453d773a89a44134ce4ba9af44) C:\windows\system32\DRIVERS\RTL8187Se.sys
    2011/02/27 18:06:15.0934 2368 sbp2port (34ee0c44b724e3e4ce2eff29126de5b5) C:\windows\system32\DRIVERS\sbp2port.sys
    2011/02/27 18:06:16.0090 2368 SCDEmu (16b1abe7f3e35f21dac57592b6c5d464) C:\windows\system32\drivers\SCDEmu.sys
    2011/02/27 18:06:16.0183 2368 scfilter (a95c54b2ac3cc9c73fcdf9e51a1d6b51) C:\windows\system32\DRIVERS\scfilter.sys
    2011/02/27 18:06:16.0324 2368 Secdrv (07f7f501ad50de2ba2d5842d9b6d6155) C:\windows\system32\drivers\SECDRV.SYS
    2011/02/27 18:06:16.0464 2368 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\windows\system32\DRIVERS\serenum.sys
    2011/02/27 18:06:16.0542 2368 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\windows\system32\DRIVERS\serial.sys
    2011/02/27 18:06:16.0651 2368 sermouse (79bffb520327ff916a582dfea17aa813) C:\windows\system32\DRIVERS\sermouse.sys
    2011/02/27 18:06:16.0776 2368 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\windows\system32\drivers\sffdisk.sys
    2011/02/27 18:06:16.0839 2368 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\windows\system32\drivers\sffp_mmc.sys
    2011/02/27 18:06:16.0932 2368 sffp_sd (a0708bbd07d245c06ff9de549ca47185) C:\windows\system32\drivers\sffp_sd.sys
    2011/02/27 18:06:16.0979 2368 sfloppy (db96666cc8312ebc45032f30b007a547) C:\windows\system32\DRIVERS\sfloppy.sys
    2011/02/27 18:06:17.0088 2368 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\windows\system32\DRIVERS\sisagp.sys
    2011/02/27 18:06:17.0244 2368 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\windows\system32\DRIVERS\SiSRaid2.sys
    2011/02/27 18:06:17.0338 2368 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\windows\system32\DRIVERS\sisraid4.sys
    2011/02/27 18:06:17.0431 2368 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\windows\system32\DRIVERS\smb.sys
    2011/02/27 18:06:17.0494 2368 SMSIVZAM5 (1e715247efffdda938c085913045d599) C:\PROGRA~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS
    2011/02/27 18:06:17.0619 2368 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\windows\system32\drivers\spldr.sys
    2011/02/27 18:06:17.0806 2368 sptd (cdddec541bc3c96f91ecb48759673505) C:\windows\system32\Drivers\sptd.sys
    2011/02/27 18:06:17.0806 2368 Suspicious file (NoAccess): C:\windows\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
    2011/02/27 18:06:17.0821 2368 sptd - detected Locked file (1)
    2011/02/27 18:06:17.0946 2368 srv (2dbedfb1853f06110ec2aa7f3213c89f) C:\windows\system32\DRIVERS\srv.sys
    2011/02/27 18:06:18.0055 2368 srv2 (db37131d1027c50ea7ee21c8bb4536aa) C:\windows\system32\DRIVERS\srv2.sys
    2011/02/27 18:06:18.0180 2368 srvnet (f5980b74124db9233b33f86fc5ebbb4f) C:\windows\system32\DRIVERS\srvnet.sys
    2011/02/27 18:06:18.0352 2368 stexstor (db32d325c192b801df274bfd12a7e72b) C:\windows\system32\DRIVERS\stexstor.sys
    2011/02/27 18:06:18.0445 2368 swenum (e58c78a848add9610a4db6d214af5224) C:\windows\system32\DRIVERS\swenum.sys
    2011/02/27 18:06:18.0601 2368 SynTP (8bd10dc8809dc69a1c5a795cb10add76) C:\windows\system32\DRIVERS\SynTP.sys
    2011/02/27 18:06:18.0757 2368 Tcpip (bb7f39c31c4a4417fd318e7cd184e225) C:\windows\system32\drivers\tcpip.sys
    2011/02/27 18:06:18.0929 2368 TCPIP6 (bb7f39c31c4a4417fd318e7cd184e225) C:\windows\system32\DRIVERS\tcpip.sys
    2011/02/27 18:06:19.0038 2368 tcpipreg (e64444523add154f86567c469bc0b17f) C:\windows\system32\drivers\tcpipreg.sys
    2011/02/27 18:06:19.0163 2368 tdcmdpst (4084ea00d50c858d6f9038f86ae2e2d0) C:\windows\system32\DRIVERS\tdcmdpst.sys
    2011/02/27 18:06:19.0241 2368 TDPIPE (1875c1490d99e70e449e3afae9fcbadf) C:\windows\system32\drivers\tdpipe.sys
    2011/02/27 18:06:19.0303 2368 TDTCP (7551e91ea999ee9a8e9c331d5a9c31f3) C:\windows\system32\drivers\tdtcp.sys
    2011/02/27 18:06:19.0335 2368 tdx (cb39e896a2a83702d1737bfd402b3542) C:\windows\system32\DRIVERS\tdx.sys
    2011/02/27 18:06:19.0428 2368 TermDD (c36f41ee20e6999dbf4b0425963268a5) C:\windows\system32\DRIVERS\termdd.sys
    2011/02/27 18:06:19.0600 2368 tos_sps32 (969377943fe7284609babbab4e06b93c) C:\windows\system32\DRIVERS\tos_sps32.sys
    2011/02/27 18:06:19.0740 2368 tssecsrv (98ae6fa07d12cb4ec5cf4a9bfa5f4242) C:\windows\system32\DRIVERS\tssecsrv.sys
    2011/02/27 18:06:19.0849 2368 tunnel (3e461d890a97f9d4c168f5fda36e1d00) C:\windows\system32\DRIVERS\tunnel.sys
    2011/02/27 18:06:19.0959 2368 TVALZ (fc24015b4052600c324c43e3a79c0664) C:\windows\system32\DRIVERS\TVALZ_O.SYS
    2011/02/27 18:06:20.0068 2368 TVALZFL (866462f5ae3f375ef83ef9dce436031c) C:\windows\system32\DRIVERS\TVALZFL.sys
    2011/02/27 18:06:20.0146 2368 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\windows\system32\DRIVERS\uagp35.sys
    2011/02/27 18:06:20.0224 2368 udfs (09cc3e16f8e5ee7168e01cf8fcbe061a) C:\windows\system32\DRIVERS\udfs.sys
    2011/02/27 18:06:20.0380 2368 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\windows\system32\DRIVERS\uliagpkx.sys
    2011/02/27 18:06:20.0489 2368 umbus (049b3a50b3d646baeeee9eec9b0668dc) C:\windows\system32\DRIVERS\umbus.sys
    2011/02/27 18:06:20.0505 2368 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\windows\system32\DRIVERS\umpass.sys
    2011/02/27 18:06:20.0598 2368 usbccgp (8455c4ed038efd09e99327f9d2d48ffa) C:\windows\system32\DRIVERS\usbccgp.sys
    2011/02/27 18:06:20.0692 2368 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\windows\system32\DRIVERS\usbcir.sys
    2011/02/27 18:06:20.0785 2368 usbehci (1c333bfd60f2fed2c7ad5daf533cb742) C:\windows\system32\DRIVERS\usbehci.sys
    2011/02/27 18:06:20.0895 2368 usbhub (ee6ef93ccfa94fae8c6ab298273d8ae2) C:\windows\system32\DRIVERS\usbhub.sys
    2011/02/27 18:06:20.0988 2368 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\windows\system32\DRIVERS\usbohci.sys
    2011/02/27 18:06:21.0082 2368 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\windows\system32\DRIVERS\usbprint.sys
    2011/02/27 18:06:21.0113 2368 USBSTOR (d8889d56e0d27e57ed4591837fe71d27) C:\windows\system32\DRIVERS\USBSTOR.SYS
    2011/02/27 18:06:21.0191 2368 usbuhci (78780c3ebce17405b1ccd07a3a8a7d72) C:\windows\system32\DRIVERS\usbuhci.sys
    2011/02/27 18:06:21.0347 2368 usbvideo (b5f6a992d996282b7fae7048e50af83a) C:\windows\System32\Drivers\usbvideo.sys
    2011/02/27 18:06:21.0472 2368 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\windows\system32\DRIVERS\vdrvroot.sys
    2011/02/27 18:06:21.0597 2368 vga (17c408214ea61696cec9c66e388b14f3) C:\windows\system32\DRIVERS\vgapnp.sys
    2011/02/27 18:06:21.0675 2368 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\windows\System32\drivers\vga.sys
    2011/02/27 18:06:21.0721 2368 vhdmp (3be6e1f3a4f1afec8cee0d7883f93583) C:\windows\system32\DRIVERS\vhdmp.sys
    2011/02/27 18:06:21.0815 2368 viaagp (c829317a37b4bea8f39735d4b076e923) C:\windows\system32\DRIVERS\viaagp.sys
    2011/02/27 18:06:21.0846 2368 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\windows\system32\DRIVERS\viac7.sys
    2011/02/27 18:06:21.0877 2368 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\windows\system32\DRIVERS\viaide.sys
    2011/02/27 18:06:21.0955 2368 volmgr (384e5a2aa49934295171e499f86ba6f3) C:\windows\system32\DRIVERS\volmgr.sys
    2011/02/27 18:06:22.0049 2368 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\windows\system32\drivers\volmgrx.sys
    2011/02/27 18:06:22.0127 2368 volsnap (58df9d2481a56edde167e51b334d44fd) C:\windows\system32\DRIVERS\volsnap.sys
    2011/02/27 18:06:22.0236 2368 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\windows\system32\DRIVERS\vsmraid.sys
    2011/02/27 18:06:22.0330 2368 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\windows\system32\DRIVERS\vwifibus.sys
    2011/02/27 18:06:22.0455 2368 vwififlt (7090d3436eeb4e7da3373090a23448f7) C:\windows\system32\DRIVERS\vwififlt.sys
    2011/02/27 18:06:22.0548 2368 vwifimp (a3f04cbea6c2a10e6cb01f8b47611882) C:\windows\system32\DRIVERS\vwifimp.sys
    2011/02/27 18:06:22.0579 2368 WacomPen (de3721e89c653aa281428c8a69745d90) C:\windows\system32\DRIVERS\wacompen.sys
    2011/02/27 18:06:22.0689 2368 WANARP (692a712062146e96d28ba0b7d75de31b) C:\windows\system32\DRIVERS\wanarp.sys
    2011/02/27 18:06:22.0704 2368 Wanarpv6 (692a712062146e96d28ba0b7d75de31b) C:\windows\system32\DRIVERS\wanarp.sys
    2011/02/27 18:06:22.0860 2368 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\windows\system32\DRIVERS\wd.sys
    2011/02/27 18:06:22.0954 2368 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\windows\system32\drivers\Wdf01000.sys
    2011/02/27 18:06:23.0094 2368 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\windows\system32\DRIVERS\wfplwf.sys
    2011/02/27 18:06:23.0172 2368 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\windows\system32\drivers\wimmount.sys
    2011/02/27 18:06:23.0344 2368 WinUsb (30fc6e5448d0cbaaa95280eeef7fedae) C:\windows\system32\DRIVERS\WinUsb.sys
    2011/02/27 18:06:23.0469 2368 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\windows\system32\DRIVERS\wmiacpi.sys
    2011/02/27 18:06:23.0609 2368 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\windows\system32\drivers\ws2ifsl.sys
    2011/02/27 18:06:23.0734 2368 WudfPf (6f9b6c0c93232cff47d0f72d6db1d21e) C:\windows\system32\drivers\WudfPf.sys
    2011/02/27 18:06:23.0843 2368 WUDFRd (f91ff1e51fca30b3c3981db7d5924252) C:\windows\system32\DRIVERS\WUDFRd.sys
    2011/02/27 18:06:23.0968 2368 ================================================================================
    2011/02/27 18:06:23.0968 2368 Scan finished
    2011/02/27 18:06:23.0968 2368 ================================================================================
    2011/02/27 18:06:23.0983 3188 Detected object count: 2
    2011/02/27 18:06:49.0255 3188 mssmbios (90e1c4ac32f605d92539d3e8ba9bfd43) C:\windows\system32\DRIVERS\mssmbios.sys
    2011/02/27 18:06:49.0255 3188 Suspicious file (Forged): C:\windows\system32\DRIVERS\mssmbios.sys. Real md5: 90e1c4ac32f605d92539d3e8ba9bfd43, Fake md5: fc6b9ff600cc585ea38b12589bd4e246
    2011/02/27 18:06:49.0365 3188 Backup copy found, using it..
    2011/02/27 18:06:49.0365 3188 C:\windows\system32\DRIVERS\mssmbios.sys - will be cured after reboot
    2011/02/27 18:06:49.0365 3188 Rootkit.Win32.TDSS.tdl3(mssmbios) - User select action: Cure
    2011/02/27 18:06:49.0365 3188 Locked file(sptd) - User select action: Skip
    2011/02/27 18:06:54.0606 6036 Deinitialize success
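The "Suspicious file (Forged)" line is the part of that scan worth understanding: the tool reports two hashes for one file, the one it gets by reading the file's bytes directly ("Real") and the one the running driver stack hands back ("Fake"), and a mismatch means something in the I/O path is rewriting reads in flight, which is how the TDL3 family hides its modified driver. The following is an added example for this thread, not TDSSKiller's own code and not anything the posters wrote: it parses lines in the format quoted above, pairs each suspicious file with the action recorded later in the log, and ranks forged files above merely locked ones (a locked sptd.sys, the SCSI pass-through driver used by DAEMON Tools, is a lower-confidence signal than a forged hash). The log grammar is inferred from the quoted lines and the sample log is constructed from a handful of them.

```python
"""Triage helper for TDSSKiller-style driver scan logs (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the shape of each line is copied from the scan log
# quoted in the thread (timestamp, thread id, message).
SAMPLE_LOG = """\
2011/02/27 18:06:17.0806 2368 sptd (cdddec541bc3c96f91ecb48759673505) C:\\windows\\system32\\Drivers\\sptd.sys
2011/02/27 18:06:17.0806 2368 Suspicious file (NoAccess): C:\\windows\\system32\\Drivers\\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/02/27 18:06:17.0821 2368 sptd - detected Locked file (1)
2011/02/27 18:06:17.0946 2368 srv (2dbedfb1853f06110ec2aa7f3213c89f) C:\\windows\\system32\\DRIVERS\\srv.sys
2011/02/27 18:06:49.0255 3188 mssmbios (90e1c4ac32f605d92539d3e8ba9bfd43) C:\\windows\\system32\\DRIVERS\\mssmbios.sys
2011/02/27 18:06:49.0255 3188 Suspicious file (Forged): C:\\windows\\system32\\DRIVERS\\mssmbios.sys. Real md5: 90e1c4ac32f605d92539d3e8ba9bfd43, Fake md5: fc6b9ff600cc585ea38b12589bd4e246
2011/02/27 18:06:49.0365 3188 Rootkit.Win32.TDSS.tdl3(mssmbios) - User select action: Cure
2011/02/27 18:06:49.0365 3188 Locked file(sptd) - User select action: Skip
"""

# "<date> <time> <thread id> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<tid>\d+) (?P<msg>.*)$")
# "Suspicious file (Forged): <path>. Real md5: <a>, Fake md5: <b>"
# "Suspicious file (NoAccess): <path>. md5: <a>"
SUSPICIOUS_RE = re.compile(
    r"^Suspicious file \((?P<kind>\w+)\): (?P<path>.+?)\. "
    r"(?:Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})"
    r"|md5: (?P<md5>[0-9a-f]{32}))$")
# "<detection name>(<driver>) - User select action: <action>"
ACTION_RE = re.compile(
    r"^(?P<name>.+?)\((?P<driver>\w+)\) - User select action: (?P<action>\w+)$")

# A forged hash is direct evidence of read interception; a file the tool
# simply could not open is a weaker signal and often a legitimate filter.
SEVERITY = {"Forged": 3, "NoAccess": 1}


@dataclass
class Finding:
    kind: str                      # "Forged", "NoAccess", ...
    path: str
    md5_on_disk: Optional[str]     # "Real md5" (or the single md5 for NoAccess)
    md5_presented: Optional[str]   # "Fake md5", only present for Forged
    action: Optional[str] = None   # user action recorded later in the log


def _driver_base(path: str) -> str:
    """'C:\\...\\DRIVERS\\mssmbios.sys' -> 'mssmbios' (key used by action lines)."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def parse_findings(text: str) -> List[Finding]:
    """Extract suspicious-file entries, attach recorded actions, rank by severity."""
    findings: List[Finding] = []
    actions: Dict[str, str] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # banner, separator or unrelated line
        msg = m.group("msg")
        s = SUSPICIOUS_RE.match(msg)
        if s:
            findings.append(Finding(
                kind=s.group("kind"),
                path=s.group("path"),
                md5_on_disk=s.group("real") or s.group("md5"),
                md5_presented=s.group("fake")))
            continue
        a = ACTION_RE.match(msg)
        if a:
            actions[a.group("driver").lower()] = a.group("action")
    for f in findings:
        f.action = actions.get(_driver_base(f.path))
    findings.sort(key=lambda f: SEVERITY.get(f.kind, 0), reverse=True)
    return findings


def needs_follow_up(findings: List[Finding]) -> List[Finding]:
    """Anything forged, plus anything the user did not let the tool cure."""
    return [f for f in findings if f.kind == "Forged" or f.action != "Cure"]


if __name__ == "__main__":
    for f in needs_follow_up(parse_findings(SAMPLE_LOG)):
        print(f"{f.kind:9} {f.path}  on-disk={f.md5_on_disk}  "
              f"presented={f.md5_presented}  action={f.action}")
```

On the thread's own log this yields the forged mssmbios.sys first (cured, but still worth re-hashing after the reboot against a known-good copy from clean install media, since the file presented before the cure was not what was on disk) and the skipped sptd.sys second.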
     
  4. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Very good :)

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop.
    Open this report and post its content in your next reply.

    ======================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  5. kananesgi

    kananesgi TS Rookie Topic Starter

    Here are the logs. The MBRCheck does return an unknown MBR, likely because this computer has both Win7 and Xubuntu Linux installed, with GRUB2 for the boot loader. I've been seriously thinking about getting rid of Xubuntu to free up its HD space, but I haven't gotten around to restoring the original MBR to do that. I've done that before on another computer, but don't remember how I did it.

    At any rate, here are the logs:
    =================================================================

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows 7 Home Premium Edition
    Windows Information: (build 7600), 32-bit
    Base Board Manufacturer: TOSHIBA
    BIOS Manufacturer: Insyde Corp.
    System Manufacturer: TOSHIBA
    System Product Name: Satellite L505D
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 186):
    0x82E44000 \SystemRoot\system32\ntkrnlpa.exe
    0x82E0D000 \SystemRoot\system32\halmacpi.dll
    0x80B9D000 \SystemRoot\system32\kdcom.dll
    0x8A827000 \SystemRoot\system32\mcupdate_AuthenticAMD.dll
    0x8A832000 \SystemRoot\system32\PSHED.dll
    0x8A843000 \SystemRoot\system32\BOOTVID.dll
    0x8A84B000 \SystemRoot\system32\CLFS.SYS
    0x8A88D000 \SystemRoot\system32\CI.dll
    0x8A938000 \SystemRoot\system32\drivers\klmdb.sys
    0x8A94A000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x8A9BB000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x8AA36000 \SystemRoot\System32\Drivers\spbq.sys
    0x8AB29000 \SystemRoot\System32\Drivers\WMILIB.SYS
    0x8AB32000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
    0x8AB58000 \SystemRoot\system32\DRIVERS\ACPI.sys
    0x8ABA0000 \SystemRoot\system32\DRIVERS\msisadrv.sys
    0x8ABA8000 \SystemRoot\system32\DRIVERS\vdrvroot.sys
    0x8ABB3000 \SystemRoot\system32\DRIVERS\pci.sys
    0x8ABDD000 \SystemRoot\System32\drivers\partmgr.sys
    0x8ABEE000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x8AA00000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x8AA0B000 \SystemRoot\system32\DRIVERS\volmgr.sys
    0x8AC2A000 \SystemRoot\System32\drivers\volmgrx.sys
    0x8AC75000 \SystemRoot\system32\DRIVERS\pciide.sys
    0x8AC7C000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
    0x8AC8A000 \SystemRoot\System32\drivers\mountmgr.sys
    0x8ACA0000 \SystemRoot\system32\DRIVERS\atapi.sys
    0x8ACA9000 \SystemRoot\system32\DRIVERS\ataport.SYS
    0x8ACCC000 \SystemRoot\system32\DRIVERS\msahci.sys
    0x8ACD6000 \SystemRoot\system32\DRIVERS\amdxata.sys
    0x8ACDF000 \SystemRoot\system32\drivers\fltmgr.sys
    0x8AD13000 \SystemRoot\system32\drivers\fileinfo.sys
    0x8AE0D000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x8AF3C000 \SystemRoot\System32\Drivers\msrpc.sys
    0x8AF67000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x8AF7A000 \SystemRoot\System32\Drivers\cng.sys
    0x8AFD7000 \SystemRoot\System32\drivers\pcw.sys
    0x8AFE5000 \SystemRoot\System32\Drivers\Fs_Rec.sys
    0x8AD24000 \SystemRoot\system32\drivers\ndis.sys
    0x8B008000 \SystemRoot\system32\drivers\NETIO.SYS
    0x8B046000 \SystemRoot\System32\Drivers\ksecpkg.sys
    0x8B06B000 \SystemRoot\System32\drivers\tcpip.sys
    0x8B1B4000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8B20C000 \SystemRoot\system32\DRIVERS\volsnap.sys
    0x8B24B000 \SystemRoot\system32\DRIVERS\TVALZ_O.SYS
    0x8B250000 \SystemRoot\system32\DRIVERS\tos_sps32.sys
    0x8B297000 \SystemRoot\System32\Drivers\spldr.sys
    0x8B29F000 \SystemRoot\System32\drivers\rdyboost.sys
    0x8B2CC000 \SystemRoot\System32\Drivers\mup.sys
    0x8B2DC000 \SystemRoot\System32\drivers\hwpolicy.sys
    0x8B2E4000 \SystemRoot\System32\DRIVERS\fvevol.sys
    0x8B316000 \SystemRoot\system32\DRIVERS\disk.sys
    0x8B327000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    0x8B34C000 \SystemRoot\system32\DRIVERS\AtiPcie.sys
    0x8B387000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8B3A6000 \SystemRoot\System32\Drivers\Null.SYS
    0x8B3AD000 \SystemRoot\System32\Drivers\Beep.SYS
    0x8B3B4000 \SystemRoot\System32\drivers\vga.sys
    0x8B3C0000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8B3E1000 \SystemRoot\System32\drivers\watchdog.sys
    0x8B3EE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x8B3F6000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8B200000 \SystemRoot\system32\drivers\rdprefmp.sys
    0x8B1E5000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8B1F0000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8ADDB000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8AFEE000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x8AE00000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0x8F213000 \SystemRoot\system32\drivers\afd.sys
    0x8F26D000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0x8F272000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8F2A4000 \SystemRoot\system32\DRIVERS\wfplwf.sys
    0x8F2AB000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x8F2CA000 \SystemRoot\system32\DRIVERS\vwififlt.sys
    0x8F2DB000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8F2E9000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x8F2FC000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8F30C000 \SystemRoot\System32\Drivers\SCDEmu.SYS
    0x8F31A000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x8F35B000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8F365000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8F36F000 \SystemRoot\System32\drivers\discache.sys
    0x8F37B000 \SystemRoot\System32\Drivers\dfsc.sys
    0x8F393000 \SystemRoot\system32\DRIVERS\blbdrive.sys
    0x8F3A1000 \SystemRoot\System32\Drivers\aswSP.SYS
    0x8AC00000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x8F3E8000 \SystemRoot\system32\DRIVERS\TVALZFL.sys
    0x8F3EF000 \SystemRoot\system32\DRIVERS\FwLnk.sys
    0x8F200000 \SystemRoot\system32\DRIVERS\amdppm.sys
    0x8F3F7000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0x9060B000 \SystemRoot\system32\DRIVERS\atikmdag.sys
    0x90B20000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x9181F000 \SystemRoot\System32\drivers\dxgmms1.sys
    0x91858000 \SystemRoot\system32\DRIVERS\RTL8187Se.sys
    0x918B1000 \SystemRoot\system32\DRIVERS\Rt86win7.sys
    0x918F6000 \SystemRoot\system32\DRIVERS\tdcmdpst.sys
    0x91900000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0x9190A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x91955000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x91964000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x91983000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x9199B000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x919A8000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0x919DB000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x919DD000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x9763C000 \SystemRoot\System32\Drivers\ac0mbc7c.SYS
    0x97675000 \SystemRoot\system32\DRIVERS\CompositeBus.sys
    0x97682000 \SystemRoot\system32\drivers\PPJoyBus.sys
    0x97686000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
    0x97698000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x976B0000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x976BB000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x976DD000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x976F5000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x9770C000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x97723000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x97725000 \SystemRoot\system32\DRIVERS\ks.sys
    0x97759000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x97767000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x977AB000 \SystemRoot\system32\drivers\PPortJoy.sys
    0x977B3000 \SystemRoot\system32\drivers\HIDCLASS.SYS
    0x977C6000 \SystemRoot\system32\drivers\HIDPARSE.SYS
    0x977CD000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x98231000 \SystemRoot\system32\drivers\RTKVHDA.sys
    0x984CD000 \SystemRoot\system32\drivers\portcls.sys
    0x984FC000 \SystemRoot\system32\drivers\drmk.sys
    0x98515000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0x98670000 \SystemRoot\System32\win32k.sys
    0x98520000 \SystemRoot\System32\drivers\Dxapi.sys
    0x9852A000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x98535000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x988D0000 \SystemRoot\System32\TSDDD.dll
    0x98900000 \SystemRoot\System32\cdd.dll
    0x98920000 \SystemRoot\System32\ATMFD.DLL
    0x98540000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0x98556000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x98563000 \SystemRoot\System32\Drivers\dump_dumpata.sys
    0x9856E000 \SystemRoot\System32\Drivers\dump_msahci.sys
    0x98578000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
    0x98589000 \SystemRoot\system32\drivers\luafv.sys
    0x985A4000 \??\C:\windows\system32\drivers\aswMonFlt.sys
    0x985DB000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0x985DE000 \SystemRoot\system32\drivers\WudfPf.sys
    0x98200000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x99C0A000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x99C50000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x99C60000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x99C73000 \SystemRoot\system32\drivers\HTTP.sys
    0x99CF8000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x99D11000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x99D23000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x99D46000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x99D81000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x99DB4000 \SystemRoot\System32\Drivers\adfs.SYS
    0xA6204000 \SystemRoot\system32\drivers\peauth.sys
    0xA629B000 \??\C:\windows\system32\drivers\SECDRV.SYS
    0xA62C3000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0xA62E4000 \SystemRoot\System32\drivers\tcpipreg.sys
    0xA62F1000 \SystemRoot\System32\DRIVERS\srv2.sys
    0xA6340000 \SystemRoot\System32\DRIVERS\srv.sys
    0x77500000 \Windows\System32\ntdll.dll
    0x477B0000 \Windows\System32\smss.exe
    0x77740000 \Windows\System32\apisetschema.dll
    0x00CA0000 \Windows\System32\autochk.exe
    0x77680000 \Windows\System32\rpcrt4.dll
    0x10000000 \Program Files\DAEMON Tools Lite\Engine.dll
    0x77640000 \Windows\System32\ws2_32.dll
    0x77470000 \Windows\System32\oleaut32.dll
    0x77370000 \Windows\System32\wininet.dll
    0x77350000 \Windows\System32\sechost.dll
    0x76700000 \Windows\System32\shell32.dll
    0x766F0000 \Windows\System32\normaliz.dll
    0x76620000 \Windows\System32\msctf.dll
    0x765D0000 \Windows\System32\Wldap32.dll
    0x765B0000 \Windows\System32\imm32.dll
    0x764E0000 \Windows\System32\user32.dll
    0x763A0000 \Windows\System32\urlmon.dll
    0x76320000 \Windows\System32\comdlg32.dll
    0x76280000 \Windows\System32\advapi32.dll
    0x76270000 \Windows\System32\psapi.dll
    0x76220000 \Windows\System32\gdi32.dll
    0x761F0000 \Windows\System32\imagehlp.dll
    0x75FF0000 \Windows\System32\iertutil.dll
    0x75F50000 \Windows\System32\usp10.dll
    0x75EC0000 \Windows\System32\clbcatq.dll
    0x75D20000 \Windows\System32\setupapi.dll

    Processes (total 77):
    0 System Idle Process
    4 System
    376 C:\Windows\System32\smss.exe
    508 csrss.exe
    580 C:\Windows\System32\wininit.exe
    592 csrss.exe
    640 C:\Windows\System32\services.exe
    656 C:\Windows\System32\lsass.exe
    664 C:\Windows\System32\lsm.exe
    728 C:\Windows\System32\winlogon.exe
    808 C:\Windows\System32\svchost.exe
    904 C:\Windows\System32\svchost.exe
    952 C:\Windows\System32\atiesrxx.exe
    1028 C:\Windows\System32\svchost.exe
    1072 C:\Windows\System32\svchost.exe
    1104 C:\Windows\System32\svchost.exe
    1212 C:\Windows\System32\svchost.exe
    1284 C:\Windows\System32\atieclxx.exe
    1404 C:\Windows\System32\svchost.exe
    1520 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    1632 C:\Windows\System32\dwm.exe
    1644 C:\Windows\explorer.exe
    1984 C:\Windows\System32\spoolsv.exe
    2032 C:\Windows\System32\taskhost.exe
    2040 C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
    248 C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    388 C:\Windows\System32\svchost.exe
    412 C:\Program Files\PowerISO\PWRISOVM.EXE
    576 C:\Program Files\Eraser\Eraser.exe
    424 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    776 C:\Program Files\Citrix\ICA Client\concentr.exe
    1280 C:\Program Files\AGEIA Technologies\TrayIcon.exe
    1340 C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    1432 C:\Program Files\Real\RealPlayer\Update\realsched.exe
    1724 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    2172 C:\Program Files\DAEMON Tools Lite\DTLite.exe
    2224 C:\Program Files\Citrix\ICA Client\wfcrun32.exe
    2376 C:\Program Files\Steam\steam.exe
    2456 C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    2464 C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    2496 C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    2592 C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    2744 C:\Windows\System32\svchost.exe
    2800 C:\Windows\System32\TODDSrv.exe
    2888 C:\Windows\System32\taskeng.exe
    2968 C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    3136 C:\Program Files\TOSHIBA\TECO\TecoService.exe
    3284 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
    3464 C:\Windows\System32\SearchIndexer.exe
    3504 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    3580 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    3592 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
    3700 C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    2564 C:\Windows\System32\svchost.exe
    2684 C:\Windows\System32\svchost.exe
    4164 C:\Windows\System32\svchost.exe
    4344 C:\Program Files\Windows Media Player\wmpnetwk.exe
    5104 C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    5256 C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
    5452 dllhost.exe
    5604 C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    4868 C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
    1156 C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
    2716 C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
    5792 C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    5980 C:\Windows\System32\svchost.exe
    4692 C:\Program Files\Internet Explorer\iexplore.exe
    5872 C:\Program Files\Internet Explorer\iexplore.exe
    4684 C:\Windows\System32\audiodg.exe
    4968 C:\Windows\System32\taskhost.exe
    1092 C:\Program Files\Internet Explorer\iexplore.exe
    504 C:\Windows\System32\taskeng.exe
    4924 C:\Windows\System32\SearchProtocolHost.exe
    204 C:\Windows\System32\SearchFilterHost.exe
    2884 C:\Users\primary\Desktop\MBRCheck.exe
    3260 C:\Windows\System32\conhost.exe
    5824 C:\Windows\System32\dllhost.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`5dd00000 (NTFS)

    PhysicalDrive0 Model Number: TOSHIBAMK3263GSX, Rev: FG020M

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: F7ED2365FD5579D16F2315F1490304F53A8A30C6


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!


    =================================================================


    ComboFix 11-02-27.01 - primary 02/27/2011 20:10:40.1.2 - x86
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2812.1833 [GMT -6:00]
    Running from: c:\users\primary\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
    SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\Thumbs.db

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-28 to 2011-02-28 )))))))))))))))))))))))))))))))
    .

    2011-02-28 02:20 . 2011-02-28 02:20 -------- d-----w- c:\users\primary\AppData\Local\temp
    2011-02-28 02:20 . 2011-02-28 02:20 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-02-26 16:15 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8E21BE66-4F9B-4583-B261-0ED923F477E3}\mpengine.dll
    2011-02-24 09:00 . 2010-09-14 06:07 276992 ----a-w- c:\windows\system32\wcncsvc.dll
    2011-02-24 01:36 . 2011-01-07 07:31 442880 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-02-24 01:36 . 2011-01-07 07:31 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-02-21 20:12 . 2011-02-21 20:32 -------- d-----w- c:\users\Public\School Bus Maps
    2011-02-15 04:24 . 2011-02-15 04:24 -------- d-----w- c:\users\primary\AppData\Roaming\Malwarebytes
    2011-02-15 04:24 . 2010-12-21 00:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-02-15 04:24 . 2011-02-15 04:24 -------- d-----w- c:\programdata\Malwarebytes
    2011-02-15 04:24 . 2011-02-15 04:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-02-15 04:24 . 2010-12-21 00:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-02-14 04:51 . 2011-02-14 04:54 -------- d-----w- c:\users\Public\EVE Online Files
    2011-02-09 00:50 . 2010-12-21 05:38 73728 ----a-w- c:\windows\system32\wscsvc.dll
    2011-02-09 00:50 . 2010-12-21 05:38 51200 ----a-w- c:\windows\system32\wscapi.dll
    2011-02-09 00:50 . 2010-12-21 05:38 14336 ----a-w- c:\windows\system32\slwga.dll
    2011-02-05 16:01 . 2011-02-05 16:01 -------- d-----w- C:\My Music
    2011-01-30 20:57 . 2011-01-30 20:57 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
    2011-01-30 20:57 . 2011-01-30 20:57 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-28 00:08 . 2009-07-13 23:19 28240 ----a-w- c:\windows\system32\drivers\mssmbios.sys
    2011-02-02 23:11 . 2009-11-22 18:58 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-13 08:47 . 2010-12-16 01:54 38848 ----a-w- c:\windows\avastSS.scr
    2011-01-13 08:47 . 2009-11-23 12:52 188216 ----a-w- c:\windows\system32\aswBoot.exe
    2011-01-13 08:41 . 2009-11-23 12:52 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-01-13 08:40 . 2009-11-23 12:52 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-01-13 08:37 . 2009-11-23 12:52 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-01-13 08:37 . 2009-11-23 12:52 51280 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2011-01-13 08:37 . 2009-11-23 12:52 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "MyTOSHIBA"="c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe" [2009-08-06 264048]
    "Google Update"="c:\users\primary\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-08 135664]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
    "Steam"="c:\program files\Steam\Steam.exe" [2010-12-02 1242448]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TosSENotify"="c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe" [2009-08-04 611672]
    "ToshibaServiceStation"="c:\program files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" [2009-08-17 1294136]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-30 98304]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-29 7625248]
    "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]
    "NortonOnlineBackupReminder"="c:\program files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe" [2009-07-16 529256]
    "Eraser"="c:\progra~1\Eraser\Eraser.exe" [2009-12-15 976784]
    "ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2009-09-13 103768]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "AGEIA PhysX SysTray"="c:\program files\AGEIA Technologies\TrayIcon.exe" [2006-09-08 339968]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2011-01-13 3396624]
    "TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2010-12-26 274608]

    c:\users\primary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    AccuWeatherDesktop.lnk - c:\program files\AccuWeather\Desktop\AccuWeatherDesktop.exe [N/A]
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    Impulse Now.lnk - c:\program files\Stardock\Impulse\Now\ImpulseNow.exe [2009-11-10 468272]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 135664]
    R3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\DRIVERS\PTDUBus.sys [2009-08-12 54416]
    R3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\DRIVERS\PTDUMdm.sys [2009-08-12 160272]
    R3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\DRIVERS\PTDUVsp.sys [2009-08-12 160272]
    R3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\DRIVERS\PTDUWFLT.sys [2009-08-12 11920]
    R3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\DRIVERS\PTDUWWAN.sys [2009-08-12 113680]
    R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-08-06 171520]
    R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
    R3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [2009-03-21 32408]
    R3 TPCHSrv;TPCH Service;c:\program files\TOSHIBA\TPHM\TPCHSrv.exe [2009-08-07 685424]
    R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-02-26 1343400]
    S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-05-11 691696]
    S1 aswSP;aswSP; [x]
    S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-07-30 176128]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-01-13 51280]
    S2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe [2009-08-11 185712]
    S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2009-03-11 46448]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\TOSHIBA\TECO\TecoService.exe [2009-08-11 185712]
    S2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\DRIVERS\TVALZFL.sys [2009-06-20 12920]
    S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2009-07-07 7680]
    S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-10-24 13952]
    S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-10-24 28800]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-06-23 275048]
    S3 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2009-08-17 51512]
    S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe [2009-08-04 111960]


    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - KLMDB
    *Deregistered* - klmdb

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{01250B8F-D947-4F8A-9408-FE8E3EE2EC92}]
    2009-08-06 16:15 264048 ----a-w- c:\program files\TOSHIBA\My Toshiba\MyToshiba.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 02:09]

    2011-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 02:09]

    2011-02-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3825601106-2848115462-3809073124-1000Core.job
    - c:\users\primary\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-08 02:41]

    2011-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3825601106-2848115462-3809073124-1000UA.job
    - c:\users\primary\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-08 02:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/ig
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
    IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
    IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
    IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    Trusted Zone: real.com\rhap-app-4-0
    Trusted Zone: real.com\rhapreg
    FF - ProfilePath - c:\users\primary\AppData\Roaming\Mozilla\Firefox\Profiles\uhgthp4f.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.nasa.gov/multimedia/imagegallery/iotd.html
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: OnlyWire: {e26ba8db-a646-a44e-997c-2fafeadb50f2} - %profile%\extensions\{e26ba8db-a646-a44e-997c-2fafeadb50f2}
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    HKLM-Run-TPwrMain - %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    HKLM-Run-TosWaitSrv - %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe
    HKLM-Run-Teco - %ProgramFiles%\TOSHIBA\TECO\Teco.exe
    HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
    HKLM-Run-SmoothView - %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
    HKLM-Run-00TCrdMain - %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    SafeBoot-klmdb.sys
    AddRemove-ENERGY project_is1 - c:\programs\Orbiter\unins002.exe
    AddRemove-Fuel Service Stations_is1 - c:\programs\Orbiter\unins000.exe
    AddRemove-Mir-2 space station_is1 - c:\programs\Orbiter\unins003.exe
    AddRemove-Space Tankers_is1 - c:\programs\Orbiter\unins004.exe
    AddRemove-Space Tugs_is1 - c:\programs\Orbiter\unins005.exe
    AddRemove-Universal Cargo Deck_is1 - c:\programs\Orbiter\unins006.exe
    AddRemove-Universal RMS_is1 - c:\programs\Orbiter\unins001.exe
    AddRemove-Classic Wings Graf Zeppelin - c:\program files\Microsoft Games\Flight Simulator 9\Aircraft\Graf_Zeppelin\Uninstall Classic Wings Graf Zeppelin.exe


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2011-02-27 20:23:49
    ComboFix-quarantined-files.txt 2011-02-28 02:23

    Pre-Run: 8,527,106,048 bytes free
    Post-Run: 15,728,119,808 bytes free

    - - End Of File - - 954A5431318287E773B29BBF26994968
     
  6. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Looks good :)

    How is computer doing?

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  7. kananesgi

    kananesgi TS Rookie Topic Starter

    OTL scan complete.

    Computer doesn't seem to be running any differently than it did before, but Avast! isn't popping up within a few minutes of booting up warning me about mssmbios.sys being infected, so I guess everything worked so far.

    Here are the OTL logs:


    =================================================================


    OTL logfile created on: 2/27/2011 9:28:58 PM - Run 1
    OTL by OldTimer - Version 3.2.22.2 Folder = C:\Users\primary\Desktop
    Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.7600.16385)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 59.00% Memory free
    5.00 Gb Paging File | 4.00 Gb Available in Paging File | 75.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
    Drive C: | 242.17 Gb Total Space | 14.71 Gb Free Space | 6.08% Space Free | Partition Type: NTFS
    Drive D: | 654.81 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: ROADWARRIOR-PC | User Name: primary | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2011/02/27 21:26:57 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Users\primary\Desktop\OTL.exe
    PRC - [2011/01/13 02:47:34 | 003,396,624 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    PRC - [2011/01/13 02:47:33 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    PRC - [2010/12/26 11:21:54 | 000,274,608 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
    PRC - [2010/12/01 21:41:56 | 001,242,448 | ---- | M] (Valve Corporation) -- C:\Program Files\Steam\steam.exe
    PRC - [2010/05/19 14:53:46 | 000,468,272 | ---- | M] (Stardock Corporation) -- C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe
    PRC - [2010/04/01 03:16:20 | 000,357,696 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Lite\DTLite.exe
    PRC - [2010/03/31 00:19:18 | 000,072,704 | ---- | M] (Autodesk) -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    PRC - [2009/12/15 09:46:48 | 000,976,784 | ---- | M] (The Eraser Project) -- C:\Program Files\Eraser\Eraser.exe
    PRC - [2009/11/08 21:17:50 | 000,180,224 | ---- | M] (PowerISO Computing, Inc.) -- C:\Program Files\PowerISO\PWRISOVM.EXE
    PRC - [2009/10/30 23:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2009/09/13 00:09:10 | 000,103,768 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\concentr.exe
    PRC - [2009/09/13 00:09:04 | 000,550,232 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\wfcrun32.exe
    PRC - [2009/08/21 10:29:40 | 000,464,224 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    PRC - [2009/08/17 11:48:46 | 001,294,136 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe
    PRC - [2009/08/17 11:48:42 | 000,051,512 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    PRC - [2009/08/11 17:09:54 | 000,185,712 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TECO\TecoService.exe
    PRC - [2009/08/10 20:55:46 | 000,185,712 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
    PRC - [2009/08/03 19:16:50 | 001,021,272 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSENotify.exe
    PRC - [2009/08/03 19:16:32 | 000,111,960 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
    PRC - [2009/07/30 00:54:38 | 000,348,160 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
    PRC - [2009/07/30 00:54:10 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
    PRC - [2009/07/28 21:26:42 | 000,062,848 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
    PRC - [2009/07/28 16:43:04 | 000,128,344 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe
    PRC - [2009/07/13 19:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
    PRC - [2009/07/13 16:24:00 | 000,304,496 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    PRC - [2009/03/10 19:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    PRC - [2009/03/05 17:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    PRC - [2009/01/26 16:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    PRC - [2008/11/09 14:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    PRC - [2006/09/29 11:48:06 | 000,065,536 | ---- | M] () -- C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
    PRC - [2006/09/08 08:01:50 | 000,339,968 | R--- | M] () -- C:\Program Files\AGEIA Technologies\TrayIcon.exe


    ========== Modules (SafeList) ==========

    MOD - [2011/02/27 21:26:57 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Users\primary\Desktop\OTL.exe
    MOD - [2011/01/13 02:47:35 | 000,189,728 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\snxhk.dll
    MOD - [2010/12/26 11:22:15 | 000,040,448 | ---- | M] (RealNetworks, Inc.) -- C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
    MOD - [2010/10/15 22:34:37 | 000,573,440 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\odbc32.dll
    MOD - [2010/08/20 23:21:32 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll
    MOD - [2009/07/13 19:15:39 | 001,163,264 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mfc42u.dll
    MOD - [2009/07/13 19:09:14 | 000,229,376 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\odbcint.dll
    MOD - [2009/06/10 15:14:56 | 000,652,608 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4926_none_508ed732bcbc0e5a\msvcr90.dll
    MOD - [2009/06/10 15:14:54 | 000,569,664 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4926_none_508ed732bcbc0e5a\msvcp90.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2011/01/13 02:47:33 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2010/03/31 00:19:18 | 000,072,704 | ---- | M] (Autodesk) [Auto | Running] -- C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe -- (Autodesk Licensing Service)
    SRV - [2010/02/26 04:00:40 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
    SRV - [2009/12/08 22:01:08 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
    SRV - [2009/08/21 10:29:40 | 000,464,224 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe -- (TosCoSrv)
    SRV - [2009/08/17 11:48:42 | 000,051,512 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe -- (TMachInfo)
    SRV - [2009/08/11 17:09:54 | 000,185,712 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\TECO\TecoService.exe -- (TOSHIBA eco Utility Service)
    SRV - [2009/08/10 20:55:46 | 000,185,712 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe -- (cfWiMAXService)
    SRV - [2009/08/06 18:04:56 | 000,685,424 | ---- | M] (TOSHIBA Corporation) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe -- (TPCHSrv)
    SRV - [2009/08/03 19:16:32 | 000,111,960 | ---- | M] (TOSHIBA Corporation) [On_Demand | Running] -- C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe -- (TOSHIBA HDD SSD Alert Service)
    SRV - [2009/07/30 00:54:10 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
    SRV - [2009/07/28 16:43:04 | 000,128,344 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)
    SRV - [2009/07/13 19:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
    SRV - [2009/07/13 19:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2009/05/22 12:02:20 | 000,250,616 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
    SRV - [2009/03/10 19:51:20 | 000,046,448 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
    SRV - [2009/01/26 16:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
    SRV - [2008/12/22 10:52:16 | 000,104,944 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
    SRV - [2008/11/09 14:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
    SRV - [2006/09/29 11:48:06 | 000,065,536 | ---- | M] () [Auto | Running] -- C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe -- (mi-raysat_3dsmax9_32) mental ray 3.5 Satellite (32-bit)


    ========== Driver Services (SafeList) ==========

    DRV - [2011/01/13 02:41:16 | 000,294,608 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\windows\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2011/01/13 02:40:16 | 000,047,440 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\windows\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2011/01/13 02:37:30 | 000,023,632 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\windows\System32\drivers\aswRdr.sys -- (aswRdr)
    DRV - [2011/01/13 02:37:19 | 000,051,280 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
    DRV - [2011/01/13 02:37:09 | 000,017,744 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2010/05/11 01:56:52 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\windows\System32\Drivers\sptd.sys -- (sptd)
    DRV - [2009/11/08 21:21:18 | 000,059,388 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\windows\System32\drivers\scdemu.sys -- (SCDEmu)
    DRV - [2009/08/12 05:13:32 | 000,160,272 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDUMdm.sys -- (PTDUMdm)
    DRV - [2009/08/12 05:13:32 | 000,113,680 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDUWWAN.sys -- (PTDUWWAN)
    DRV - [2009/08/12 05:13:32 | 000,054,416 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDUBus.sys -- (PTDUBus)
    DRV - [2009/08/12 05:13:28 | 000,160,272 | ---- | M] (DEVGURU Co., LTD.(www.devguru.co.kr)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDUVsp.sys -- (PTDUVsp)
    DRV - [2009/08/12 05:13:28 | 000,011,920 | ---- | M] (DEVGURU Co., LTD.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PTDUWFLT.sys -- (PTDUWFLT)
    DRV - [2009/08/05 20:04:04 | 000,171,520 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\RtsUStor.sys -- (RSUSBSTOR)
    DRV - [2009/07/30 18:45:56 | 000,022,912 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
    DRV - [2009/07/30 13:06:30 | 004,994,560 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
    DRV - [2009/07/24 16:57:06 | 000,275,536 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\tos_sps32.sys -- (tos_sps32)
    DRV - [2009/07/14 16:28:42 | 000,023,512 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
    DRV - [2009/07/13 17:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
    DRV - [2009/07/13 17:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
    DRV - [2009/07/13 16:13:48 | 001,035,776 | ---- | M] (LSI Corp) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
    DRV - [2009/07/13 16:02:46 | 001,096,704 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\athr.sys -- (athr)
    DRV - [2009/07/07 09:53:06 | 000,007,680 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\FwLnk.sys -- (FwLnk)
    DRV - [2009/06/19 20:31:08 | 000,012,920 | ---- | M] (TOSHIBA Corporation) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\TVALZFL.sys -- (TVALZFL)
    DRV - [2009/05/05 01:30:28 | 000,014,392 | ---- | M] (Advanced Micro Devices Inc.) [Kernel | Boot | Running] -- C:\windows\system32\DRIVERS\AtiPcie.sys -- (AtiPcie) AMD PCI Express (3GIO)
    DRV - [2009/03/20 19:03:36 | 000,032,408 | ---- | M] (Smith Micro Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Verizon Wireless\VZAccess Manager\SMSIVZAM5.sys -- (SMSIVZAM5)
    DRV - [2008/08/22 10:28:32 | 000,333,824 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTL8187Se.sys -- (RTL8187Se)
    DRV - [2007/06/02 14:59:42 | 000,008,192 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\PeerGuardian2\pgfilter.sys -- (pgfilter)
    DRV - [2004/10/24 07:11:00 | 000,028,800 | ---- | M] (Deon van der Westhuysen) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PPortJoy.sys -- (PPortJoystick)
    DRV - [2004/10/24 07:11:00 | 000,013,952 | ---- | M] (Deon van der Westhuysen) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\PPJoyBus.sys -- (PPJoyBus)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========


    FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/12/26 11:22:15 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/26 11:22:09 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/02/26 21:42:00 | 000,000,000 | ---D | M]

    [2010/05/01 19:03:27 | 000,000,000 | ---D | M] (No name found) -- C:\Users\primary\AppData\Roaming\Mozilla\Extensions
    [2010/05/09 21:45:06 | 000,000,000 | ---D | M] (No name found) -- C:\Users\primary\AppData\Roaming\Mozilla\Firefox\Profiles\uhgthp4f.default\extensions
    [2010/05/01 19:05:28 | 000,000,000 | ---D | M] (OnlyWire) -- C:\Users\primary\AppData\Roaming\Mozilla\Firefox\Profiles\uhgthp4f.default\extensions\{e26ba8db-a646-a44e-997c-2fafeadb50f2}
    [2010/12/24 11:09:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

    O1 HOSTS File: ([2011/02/27 20:20:18 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - No CLSID value found.
    O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No CLSID value found.
    O2 - BHO: (DAPIELoader Class) - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\DAP\dapieloader.dll (SpeedBit Ltd.)
    O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe ()
    O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
    O4 - HKLM..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe (The Eraser Project)
    O4 - HKLM..\Run: [NortonOnlineBackupReminder] C:\Program Files\TOSHIBA\Toshiba Online Backup\Activation\TobuActivation.exe (Toshiba)
    O4 - HKLM..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
    O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
    O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Real\RealPlayer\update\realsched.exe (RealNetworks, Inc.)
    O4 - HKLM..\Run: [ToshibaServiceStation] C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe (TOSHIBA Corporation)
    O4 - HKLM..\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe (TOSHIBA Corporation)
    O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
    O4 - HKCU..\Run: [MyTOSHIBA] C:\Program Files\TOSHIBA\My Toshiba\MyToshiba.exe (TOSHIBA)
    O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
    O4 - HKCU..\Run: [Steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
    O4 - Startup: C:\Users\primary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AccuWeatherDesktop.lnk = File not found
    O4 - Startup: C:\Users\primary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
    O4 - Startup: C:\Users\primary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Impulse Now.lnk = C:\Program Files\Stardock\Impulse\Now\ImpulseNow.exe (Stardock Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm ()
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm ()
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm ()
    O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O15 - HKCU\..Trusted Domains: real.com ([rhap-app-4-0] https in Trusted sites)
    O15 - HKCU\..Trusted Domains: real.com ([rhapreg] https in Trusted sites)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.123.1
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/06/10 15:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O32 - AutoRun File - [2006/02/01 11:26:54 | 000,000,000 | ---D | M] - D:\Autorun -- [ CDFS ]
    O32 - AutoRun File - [2005/01/26 14:42:47 | 000,000,039 | R--- | M] () - D:\autorun.inf -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKCU\...com [@ = ComFile] -- Reg Error: Key error. File not found
    O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

    NetSvcs: FastUserSwitchingCompatibility - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Nla - File not found
    NetSvcs: Ntmssvc - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: SRService - File not found
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: LogonHours - File not found
    NetSvcs: PCAudit - File not found
    NetSvcs: helpsvc - File not found
    NetSvcs: uploadmgr - File not found

    Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: MSVideo8 - C:\windows\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\windows\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.mjpg - C:\windows\System32\pvmjpg30.dll (Pegasus Imaging Corporation)


    ========== Files/Folders - Created Within 30 Days ==========

    [2011/02/27 21:26:48 | 000,581,120 | ---- | C] (OldTimer Tools) -- C:\Users\primary\Desktop\OTL.exe
    [2011/02/27 20:23:55 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2011/02/27 20:23:52 | 000,000,000 | ---D | C] -- C:\windows\temp
    [2011/02/27 20:23:51 | 000,000,000 | ---D | C] -- C:\Users\primary\AppData\Local\temp
    [2011/02/27 20:08:48 | 000,161,792 | ---- | C] (SteelWerX) -- C:\windows\SWREG.exe
    [2011/02/27 20:08:48 | 000,136,704 | ---- | C] (SteelWerX) -- C:\windows\SWSC.exe
    [2011/02/27 20:08:48 | 000,031,232 | ---- | C] (NirSoft) -- C:\windows\NIRCMD.exe
    [2011/02/27 20:08:42 | 000,000,000 | ---D | C] -- C:\windows\ERDNT
    [2011/02/27 20:08:09 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2011/02/27 20:07:49 | 000,212,480 | ---- | C] (SteelWerX) -- C:\windows\SWXCACLS.exe
    [2011/02/27 20:07:46 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
    [2011/02/27 16:07:12 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Users\primary\Desktop\TFC.exe
    [2011/02/26 21:41:48 | 000,000,000 | ---D | C] -- C:\Config.Msi
    [2011/02/21 11:09:14 | 001,372,248 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\primary\Desktop\TDSSKiller.exe
    [2011/02/14 22:24:57 | 000,000,000 | ---D | C] -- C:\Users\primary\AppData\Roaming\Malwarebytes
    [2011/02/14 22:24:46 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbamswissarmy.sys
    [2011/02/14 22:24:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/02/14 22:24:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2011/02/14 22:24:41 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
    [2011/02/14 22:24:41 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/02/05 10:01:48 | 000,000,000 | ---D | C] -- C:\My Music

    ========== Files - Modified Within 30 Days ==========

    [2011/02/27 21:26:57 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Users\primary\Desktop\OTL.exe
    [2011/02/27 21:00:00 | 000,000,886 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineUA.job
    [2011/02/27 20:45:15 | 000,015,792 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2011/02/27 20:45:15 | 000,015,792 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2011/02/27 20:43:26 | 000,624,178 | ---- | M] () -- C:\windows\System32\perfh009.dat
    [2011/02/27 20:43:26 | 000,106,522 | ---- | M] () -- C:\windows\System32\perfc009.dat
    [2011/02/27 20:40:00 | 000,000,916 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-3825601106-2848115462-3809073124-1000UA.job
    [2011/02/27 20:37:58 | 000,000,882 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskMachineCore.job
    [2011/02/27 20:37:40 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
    [2011/02/27 20:37:34 | 2211,577,856 | -HS- | M] () -- C:\hiberfil.sys
    [2011/02/27 20:20:18 | 000,000,027 | ---- | M] () -- C:\windows\System32\drivers\etc\hosts
    [2011/02/27 20:02:43 | 004,276,140 | R--- | M] () -- C:\Users\primary\Desktop\ComboFix.exe
    [2011/02/27 20:00:36 | 000,080,384 | ---- | M] () -- C:\Users\primary\Desktop\MBRCheck.exe
    [2011/02/27 18:05:10 | 001,372,248 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\primary\Desktop\TDSSKiller.exe
    [2011/02/27 16:08:23 | 000,624,128 | ---- | M] () -- C:\Users\primary\Desktop\dds.scr
    [2011/02/27 16:07:46 | 000,296,448 | ---- | M] () -- C:\Users\primary\Desktop\0jdpc0gp.exe
    [2011/02/27 16:07:23 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Users\primary\Desktop\TFC.exe
    [2011/02/27 00:40:00 | 000,000,864 | ---- | M] () -- C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-3825601106-2848115462-3809073124-1000Core.job
    [2011/02/26 21:42:01 | 000,001,995 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
    [2011/02/17 19:36:15 | 000,000,349 | ---- | M] () -- C:\Users\Public\Documents\PCLECHAL.INI
    [2011/02/09 17:04:51 | 002,365,400 | ---- | M] () -- C:\windows\System32\FNTCACHE.DAT

    ========== Files Created - No Company Name ==========

    [2011/02/27 20:08:48 | 000,256,512 | ---- | C] () -- C:\windows\PEV.exe
    [2011/02/27 20:08:48 | 000,098,816 | ---- | C] () -- C:\windows\sed.exe
    [2011/02/27 20:08:48 | 000,089,088 | ---- | C] () -- C:\windows\MBR.exe
    [2011/02/27 20:08:48 | 000,080,412 | ---- | C] () -- C:\windows\grep.exe
    [2011/02/27 20:08:48 | 000,068,096 | ---- | C] () -- C:\windows\zip.exe
    [2011/02/27 20:02:37 | 004,276,140 | R--- | C] () -- C:\Users\primary\Desktop\ComboFix.exe
    [2011/02/27 20:00:33 | 000,080,384 | ---- | C] () -- C:\Users\primary\Desktop\MBRCheck.exe
    [2011/02/27 16:08:07 | 000,624,128 | ---- | C] () -- C:\Users\primary\Desktop\dds.scr
    [2011/02/27 16:07:43 | 000,296,448 | ---- | C] () -- C:\Users\primary\Desktop\0jdpc0gp.exe
    [2010/11/03 19:37:24 | 000,002,425 | ---- | C] () -- C:\windows\cdplayer.ini
    [2010/06/03 09:56:56 | 000,000,082 | ---- | C] () -- C:\windows\SimViewJr.ini
    [2010/06/03 09:53:16 | 000,180,224 | ---- | C] () -- C:\windows\System32\mrvtcl.dll
    [2010/06/03 09:52:17 | 000,001,287 | ---- | C] () -- C:\windows\SimView.ini
    [2010/06/03 09:52:17 | 000,000,057 | ---- | C] () -- C:\windows\Jeppesen.ini
    [2010/05/08 18:04:38 | 000,000,693 | ---- | C] () -- C:\Users\primary\AppData\Roaming\DriveCalculator Preferences
    [2010/05/01 19:03:13 | 000,000,000 | ---- | C] () -- C:\windows\nsreg.dat
    [2010/03/22 23:37:39 | 000,000,061 | -HS- | C] () -- C:\windows\cnerolf.dat
    [2010/03/06 21:39:48 | 000,000,666 | ---- | C] () -- C:\Users\primary\AppData\Roaming\wklnhst.dat
    [2010/03/02 17:15:02 | 000,000,050 | ---- | C] () -- C:\windows\MegaManager.INI
    [2009/12/18 23:15:14 | 000,451,072 | ---- | C] () -- C:\windows\System32\ISSRemoveSP.exe
    [2009/12/07 16:30:43 | 000,010,240 | ---- | C] () -- C:\windows\System32\vidx16.dll
    [2009/12/03 09:27:30 | 000,080,416 | ---- | C] () -- C:\windows\System32\RtNicProp32.dll
    [2009/11/22 17:50:20 | 000,000,083 | ---- | C] () -- C:\Users\primary\AppData\Local\X-Plane Installer.prf
    [2009/11/22 11:59:01 | 000,000,013 | RHS- | C] () -- C:\windows\System32\drivers\fbd.sys
    [2009/10/29 00:27:27 | 000,000,000 | ---- | C] () -- C:\windows\NDSTray.INI
    [2009/10/29 00:06:00 | 000,000,520 | ---- | C] () -- C:\windows\System32\drivers\RTEQEX0.dat
    [2009/10/29 00:06:00 | 000,000,176 | ---- | C] () -- C:\windows\System32\drivers\RTHDAEQ0.dat
    [2009/10/28 23:57:31 | 000,197,654 | ---- | C] () -- C:\windows\System32\atiicdxx.dat
    [2009/09/01 23:22:18 | 000,000,000 | ---- | C] () -- C:\windows\ativpsrm.bin
    [2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\windows\System32\OGACheckControl.dll
    [2009/08/03 16:07:42 | 000,230,768 | ---- | C] () -- C:\windows\System32\OGAEXEC.exe
    [2009/07/13 22:57:37 | 000,067,584 | --S- | C] () -- C:\windows\bootstat.dat
    [2009/07/13 22:33:53 | 002,365,400 | ---- | C] () -- C:\windows\System32\FNTCACHE.DAT
    [2009/07/13 20:05:48 | 000,624,178 | ---- | C] () -- C:\windows\System32\perfh009.dat
    [2009/07/13 20:05:48 | 000,291,294 | ---- | C] () -- C:\windows\System32\perfi009.dat
    [2009/07/13 20:05:48 | 000,106,522 | ---- | C] () -- C:\windows\System32\perfc009.dat
    [2009/07/13 20:05:48 | 000,031,548 | ---- | C] () -- C:\windows\System32\perfd009.dat
    [2009/07/13 20:05:05 | 000,000,741 | ---- | C] () -- C:\windows\System32\NOISE.DAT
    [2009/07/13 20:04:11 | 000,215,943 | ---- | C] () -- C:\windows\System32\dssec.dat
    [2009/07/13 17:55:01 | 000,043,131 | ---- | C] () -- C:\windows\mib.bin
    [2009/07/13 17:51:43 | 000,073,728 | ---- | C] () -- C:\windows\System32\BthpanContextHandler.dll
    [2009/07/13 17:42:10 | 000,064,000 | ---- | C] () -- C:\windows\System32\BWContextHandler.dll
    [2009/06/10 15:26:10 | 000,673,088 | ---- | C] () -- C:\windows\System32\mlang.dat
    [2007/01/26 02:04:12 | 000,138,752 | ---- | C] () -- C:\windows\System32\mase32.dll
    [2007/01/26 02:04:12 | 000,027,648 | ---- | C] () -- C:\windows\System32\ma32.dll
    [2006/09/28 13:55:34 | 000,053,248 | ---- | C] () -- C:\windows\System32\PhysXLoader.dll
    [2006/09/26 13:01:40 | 000,045,056 | R--- | C] () -- C:\windows\System32\AgCPanelJapanese.dll
    [2006/09/08 08:01:50 | 000,045,056 | R--- | C] () -- C:\windows\System32\AgCPanelTraditionalChinese.dll
    [2006/09/08 08:01:50 | 000,045,056 | R--- | C] () -- C:\windows\System32\AgCPanelSwedish.dll
    [2006/09/08 08:01:50 | 000,045,056 | R--- | C] () -- C:\windows\System32\AgCPanelSpanish.dll
    [2006/09/08 08:01:50 | 000,045,056 | R--- | C] () -- C:\windows\System32\AgCPanelSimplifiedChinese.dll
    [2006/09/08 08:01:50 | 000,045,056 | R--- | C] () -- C:\windows\System32\AgCPanelPortugese.dll
    [2006/09/08 08:01:50 | 000,045,056 | R--- | C] () -- C:\windows\System32\AgCPanelKorean.dll
    [2006/09/08 08:01:50 | 000,045,056 | R--- | C] () -- C:\windows\System32\AgCPanelGerman.dll
    [2006/09/08 08:01:50 | 000,045,056 | R--- | C] () -- C:\windows\System32\AgCPanelFrench.dll
    [2003/05/01 12:44:34 | 000,040,960 | ---- | C] () -- C:\windows\System32\GaugeSound.dll

    ========== LOP Check ==========

    [2010/11/06 18:49:37 | 000,000,000 | ---D | M] -- C:\Users\primary\AppData\Roaming\Amazon
    [2010/06/02 13:08:11 | 000,000,000 | ---D | M] -- C:\Users\primary\AppData\Roaming\BitTorrent
    [2010/05/11 02:07:44 | 000,000,000 | ---D | M] -- C:\Users\primary\AppData\Roaming\DAEMON Tools Lite
    [2009/11/24 08:32:11 | 000,000,000 | ---D | M] -- C:\Users\primary\AppData\Roaming\DeLorme
    [2010/12/16 22:18:20 | 000,000,000 | ---D | M] -- C:\Users\primary\AppData\Roaming\DVDVideoSoft
    [2010/08/29 11:43:06 | 000,000,000 | ---D | M] -- C:\Users\primary\AppData\Roaming\EVEMon
    [2010/05/02 12:13:07 | 000,000,000 | ---D | M] -- C:\Users\primary\AppData\Roaming\FileZilla
    [2010/02/07 14:18:43 | 000,000,000 | ---D | M] -- C:\Users\primary\AppData\Roaming\ICAClient
    [2010/04/03 16:08:43 | 000,000,000 | ---D | M] -- C:\Users\primary\AppData\Roaming\KompoZer
    [2010/04/14 15:33:27 | 000,000,000 | ---D | M] -- C:\Users\primary\AppData\Roaming\LEGO Company
    [2010/07/02 10:00:10 | 000,000,000 | ---D | M] -- C:\Users\primary\AppData\Roaming\MyScribe
    [2009/12/07 16:00:51 | 000,000,000 | ---D | M] -- C:\Users\primary\AppData\Roaming\Opera
    [2009/11/26 14:00:07 | 000,000,000 | ---D | M] -- C:\Users\primary\AppData\Roaming\Stardock
    [2010/04/04 23:49:15 | 000,000,000 | ---D | M] -- C:\Users\primary\AppData\Roaming\Summitsoft
    [2010/03/07 12:56:33 | 000,000,000 | ---D | M] -- C:\Users\primary\AppData\Roaming\Template
    [2010/03/01 16:58:30 | 000,000,000 | ---D | M] -- C:\Users\primary\AppData\Roaming\TOSHIBA
    [2010/05/20 20:08:50 | 000,000,000 | ---D | M] -- C:\Users\primary\AppData\Roaming\UnitConverter
    [2010/06/05 01:53:39 | 000,000,000 | ---D | M] -- C:\Users\primary\AppData\Roaming\VAT-Spy
    [2010/07/14 19:04:00 | 000,000,000 | ---D | M] -- C:\Users\primary\AppData\Roaming\webex
    [2009/11/22 12:05:05 | 000,000,000 | ---D | M] -- C:\Users\primary\AppData\Roaming\WildTangent
    [2009/11/22 11:58:40 | 000,000,000 | ---D | M] -- C:\Users\primary\AppData\Roaming\WinBatch
    [2011/02/26 10:11:49 | 000,032,624 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2009/06/10 15:42:20 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
    [2009/07/13 19:38:58 | 000,383,562 | RHS- | M] () -- C:\bootmgr
    [2009/09/02 15:47:32 | 000,008,192 | RHS- | M] () -- C:\BOOTSECT.BAK
    [2011/02/27 20:23:50 | 000,014,932 | ---- | M] () -- C:\ComboFix.txt
    [2010/05/11 11:35:19 | 000,000,010 | RHS- | M] () -- C:\config.sys
    [2009/10/14 07:02:32 | 000,360,056 | ---- | M] () -- C:\connectify_splash.bmp
    [2011/02/27 20:37:34 | 2211,577,856 | -HS- | M] () -- C:\hiberfil.sys
    [2010/02/19 23:08:51 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2010/02/20 16:13:20 | 000,000,106 | ---- | M] () -- C:\Lab7_Ex1_test.txt
    [2010/04/13 21:43:07 | 000,000,000 | ---- | M] () -- C:\mindrov.log
    [2010/03/23 11:52:01 | 000,000,273 | ---- | M] () -- C:\Movies and Verizon Contact.txt
    [2010/02/19 23:08:51 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2011/02/27 20:37:41 | 2948,771,840 | -HS- | M] () -- C:\pagefile.sys
    [2011/02/27 18:06:54 | 000,070,014 | ---- | M] () -- C:\TDSSKiller.2.4.18.0_27.02.2011_18.05.48_log.txt
    [2010/02/20 15:12:57 | 000,000,050 | ---- | M] () -- C:\TestCount.txt

    < %systemroot%\Fonts\*.com >
    [2009/07/13 22:52:25 | 000,026,040 | ---- | M] () -- C:\windows\Fonts\GlobalMonospace.CompositeFont
    [2009/07/13 22:52:25 | 000,026,489 | ---- | M] () -- C:\windows\Fonts\GlobalSansSerif.CompositeFont
    [2009/07/13 22:52:25 | 000,029,779 | ---- | M] () -- C:\windows\Fonts\GlobalSerif.CompositeFont
    [2009/07/13 22:52:25 | 000,043,318 | ---- | M] () -- C:\windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2009/06/10 15:31:19 | 000,000,065 | ---- | M] () -- C:\windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2009/07/13 19:15:35 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll
    [2006/10/26 18:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\msonpppr.dll
    [2009/07/13 19:16:19 | 000,029,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\winprint.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >
    [2011/01/13 02:47:35 | 000,038,848 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
    [2010/09/22 23:32:56 | 000,301,936 | ---- | M] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2009/07/13 22:41:57 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2009/11/22 12:30:28 | 000,000,221 | -HS- | M] () -- C:\Users\primary\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >
    [2011/02/27 16:07:46 | 000,296,448 | ---- | M] () -- C:\Users\primary\Desktop\0jdpc0gp.exe
    [2011/02/27 20:02:43 | 004,276,140 | R--- | M] () -- C:\Users\primary\Desktop\ComboFix.exe
    [2011/02/27 20:00:36 | 000,080,384 | ---- | M] () -- C:\Users\primary\Desktop\MBRCheck.exe
    [2011/02/27 21:26:57 | 000,581,120 | ---- | M] (OldTimer Tools) -- C:\Users\primary\Desktop\OTL.exe
    [2010/03/30 23:13:53 | 003,649,108 | ---- | M] (web technology Corp.
    http://www.webtech.co.jp/) -- C:\Users\primary\Desktop\pepakura_designer_en_v212_setup.exe
    [2011/02/27 18:05:10 | 001,372,248 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\primary\Desktop\TDSSKiller.exe
    [2011/02/27 16:07:23 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Users\primary\Desktop\TFC.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >
    [2009/06/10 15:20:04 | 000,000,802 | ---- | M] () -- C:\Windows\addins\FXSEXT.ecf

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2010/08/04 21:10:47 | 000,000,402 | -HS- | M] () -- C:\Users\primary\Favorites\desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [1998/09/02 02:46:12 | 000,075,024 | ---- | M] (Microsoft Corporation) -- C:\Windows\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 142 bytes -> C:\ProgramData\TEMP:EA029835
    @Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:D74B6CF5

    < End of report >
     
  8. kananesgi

    kananesgi TS Rookie Topic Starter

    Here is the OTL Extras log:


     
  9. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Good news :)

    Please, don't wrap logs in quotes. Thanks.

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder.
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    =======================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

      Code:
      :OTL
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
      O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - No CLSID value found.
      O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - No CLSID value found.
      O4 - Startup: C:\Users\primary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AccuWeatherDesktop.lnk = File not found
      O15 - HKCU\..Trusted Domains: real.com ([rhap-app-4-0] https in Trusted sites)
      O15 - HKCU\..Trusted Domains: real.com ([rhapreg] https in Trusted sites)
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
      @Alternate Data Stream - 142 bytes -> C:\ProgramData\TEMP:EA029835
      @Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:D74B6CF5
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =======================================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce a log.
     
  10. kananesgi

    kananesgi TS Rookie Topic Starter

    Okay, sorry 'bout the quotes thing. I'll get those scans done and try to get the logs posted tonight. I'm gonna have to go to bed shortly though for work. May have to finish this tomorrow evening.

    Thanks for the help so far, by the way.
     
  11. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    You're very welcome
     
  12. kananesgi

    kananesgi TS Rookie Topic Starter

    Here's the latest OTL log. Now running the other scans and I'll post them when they are done.

    =================================================================


    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AA58ED58-01DD-4d91-8333-CF10577473F7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\ not found.
    C:\Users\primary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AccuWeatherDesktop.lnk moved successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\real.com\rhap-app-4-0\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\real.com\rhapreg\ deleted successfully.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
    ADS C:\ProgramData\TEMP:EA029835 deleted successfully.
    ADS C:\ProgramData\TEMP:D74B6CF5 deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: primary
    ->Temp folder emptied: 677660 bytes
    ->Temporary Internet Files folder emptied: 33076725 bytes
    ->Java cache emptied: 2027 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 1095 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 844 bytes
    RecycleBin emptied: 716889 bytes

    Total Files Cleaned = 33.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: primary
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.22.2 log created on 02272011_225822

    Files\Folders moved on Reboot...
    File\Folder C:\Users\primary\AppData\Local\Temp\~DF55B773B6426E4C42.TMP not found!
    File\Folder C:\Users\primary\AppData\Local\Temp\~DF7A254586F7508474.TMP not found!
    File\Folder C:\Users\primary\AppData\Local\Temp\~DF7FF71417B6BA609F.TMP not found!
    File\Folder C:\Users\primary\AppData\Local\Temp\~DF9D51917C6793EF98.TMP not found!
    File\Folder C:\Users\primary\AppData\Local\Temp\~DFD6137362F37B8148.TMP not found!
    File\Folder C:\Users\primary\AppData\Local\Temp\~DFF562451C547839D5.TMP not found!
    C:\Users\primary\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B0KSV5RU\sh32[2].html moved successfully.
    C:\Users\primary\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8LULFQ18\crosspixel-dest[1].htm moved successfully.
    C:\Users\primary\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6VXQB9YT\8242921[1].htm moved successfully.
    C:\Users\primary\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6VXQB9YT\topic161791[2].html moved successfully.
    C:\Users\primary\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
    File move failed. C:\windows\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...
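The OTL fix from post #9 targets four classes of leftover entries (Browser Helper Objects whose CLSID no longer resolves, Trusted-sites zone mappings, a ShellExecuteHook, and alternate data streams on C:\ProgramData\TEMP), and the log above shows that a locked file could only be scheduled for removal at reboot. The PowerShell script below is an added read-only audit of those same artefacts plus the pending-reboot move list; it is not part of this thread and not OTL's own code. It assumes an elevated prompt, PowerShell 3.0 or later for the -Stream parameter (Windows 7 ships 2.0; Windows Management Framework 3.0 adds it), and C:\ProgramData as the folder to inspect; the function names are mine. It only reports and never deletes anything.

```powershell
# Added example (not from the thread, not OTL code): read-only audit of the
# artefact classes the OTL fix targets plus the pending-reboot move list.
# Assumes an elevated prompt and PowerShell 3.0+ (needed for Get-Item -Stream).

function Get-OrphanedBho {
    # BHOs are registered under this key by CLSID; a CLSID with no HKCR
    # registration is what OTL reports as "No CLSID value found".
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    Get-ChildItem -Path $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $regKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        if (Test-Path $regKey) {
            $dll = (Get-ItemProperty -Path "$regKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            "BHO {0} -> {1}" -f $clsid, $dll
        } else {
            "BHO {0} -> ORPHANED (no CLSID registration)" -f $clsid
        }
    }
}

function Get-TrustedZoneEntries {
    # Per-user ZoneMap: Domains\<domain>\<host> keys hold one DWORD per scheme
    # (http, https, *); zone 2 is "Trusted sites", the entries OTL lists as O15.
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if (-not (Test-Path $zoneKey)) { return }
    Get-ChildItem -Path $zoneKey -Recurse | ForEach-Object {
        $key = $_
        foreach ($scheme in $key.GetValueNames()) {
            if ($key.GetValue($scheme) -eq 2) {
                $entry = $key.Name.Substring($key.Name.IndexOf('Domains\') + 8)
                "Trusted site: {0} ({1})" -f $entry, $scheme
            }
        }
    }
}

function Get-AlternateDataStreams {
    param([string]$Root = 'C:\ProgramData')   # folder taken from the OTL log
    # Every NTFS file or folder has the unnamed ':$DATA' stream; anything else is
    # an alternate data stream. Older PowerShell builds may skip folder streams.
    Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $path = $_.FullName
        Get-Item -LiteralPath $path -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object { "ADS {0} bytes -> {1}:{2}" -f $_.Length, $path, $_.Stream }
    }
}

function Get-PendingFileRenames {
    # "File move failed ... scheduled to be moved on reboot" means the path was
    # queued here; Session Manager processes the list early in the next boot.
    $smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $list = (Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $list) { return }
    # REG_MULTI_SZ of source/destination pairs; an empty destination means delete.
    for ($i = 0; $i -lt $list.Count; $i += 2) {
        $src = $list[$i] -replace '^\\\?\?\\', ''   # strip the \??\ NT path prefix
        $dst = $list[$i + 1]
        if ([string]::IsNullOrEmpty($dst)) { "Pending delete: $src" } else { "Pending move: $src -> $dst" }
    }
}

Get-OrphanedBho
Get-TrustedZoneEntries
Get-AlternateDataStreams
Get-PendingFileRenames
```

Run it before and after a fix like the one above: the BHO and Trusted-sites lines should disappear from the output, and any path still listed by Get-PendingFileRenames is one the tool could not remove while the owning process (here, the avast! service) held it open.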
     
  13. kananesgi

    kananesgi TS Rookie Topic Starter

    Security Check Log:
    =================================================================


    Results of screen317's Security Check version 0.99.7
    Windows 7 (UAC is disabled!)
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    avast! Free Antivirus
    WMI entry may not exist for antivirus; attempting automatic update.
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    Java(TM) 6 Update 24
    Out of date Java installed!
    Adobe Flash Player
    Adobe Reader 9.4.2
    Out of date Adobe Reader installed!
    Mozilla Firefox (3.6.13)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Alwil Software Avast5 AvastSvc.exe
    Alwil Software Avast5 AvastUI.exe
    ``````````End of Log````````````


    =================================================================


    ESETScan:
    =================================================================

    C:\ProgramData\Alwil Software\Avast5\arpot\87223-7a0-0.dat Win32/Olmarik.ZC trojan
    C:\ProgramData\Spybot - Search & Destroy\Recovery\WinFraudLoadedt.zip Win32/Bagle.gen.zip worm
    C:\Users\All Users\Alwil Software\Avast5\arpot\87223-7a0-0.dat Win32/Olmarik.ZC trojan
    C:\Users\All Users\Spybot - Search & Destroy\Recovery\WinFraudLoadedt.zip Win32/Bagle.gen.zip worm
     
  14. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Update Adobe Reader

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

    Alternatively, you can uninstall Adobe Reader (33.5 MB), then download and install Foxit PDF Reader (3.5 MB) from HERE.
    It's a much smaller file to download and uses far fewer resources than Adobe Reader.
    Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.

    ========================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      
      :Services
      
      :Reg
      
      :Files
      C:\ProgramData\Alwil Software\Avast5\arpot\87223-7a0-0.dat 
      C:\ProgramData\Spybot - Search & Destroy\Recovery\WinFraudLoadedt.zip 
      C:\Users\All Users\Alwil Software\Avast5\arpot\87223-7a0-0.dat 
      C:\Users\All Users\Spybot - Search & Destroy\Recovery\WinFraudLoadedt.zip
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ======================================================================

    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

      Code:
      :OTL
      :Commands
      [purity]
      [emptytemp]
      [EMPTYFLASH]
      [CLEARALLRESTOREPOINTS]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process.

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please let me know how your computer is doing.
     
  15. kananesgi

    kananesgi TS Rookie Topic Starter

    Last OTL log. Now I'm doing the final cleanup with OTL.


    =================================================================



    All processes killed
    ========== OTL ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    File move failed. C:\ProgramData\Alwil Software\Avast5\arpot\87223-7a0-0.dat scheduled to be moved on reboot.
    C:\ProgramData\Spybot - Search & Destroy\Recovery\WinFraudLoadedt.zip moved successfully.
    File move failed. C:\Users\All Users\Alwil Software\Avast5\arpot\87223-7a0-0.dat scheduled to be moved on reboot.
    File\Folder C:\Users\All Users\Spybot - Search & Destroy\Recovery\WinFraudLoadedt.zip not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: primary
    ->Temp folder emptied: 344700 bytes
    ->Temporary Internet Files folder emptied: 21234514 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 611 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 5746 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 21.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: primary
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.22.2 log created on 02282011_210448

    Files\Folders moved on Reboot...
    File move failed. C:\ProgramData\Alwil Software\Avast5\arpot\87223-7a0-0.dat scheduled to be moved on reboot.
    File move failed. C:\Users\All Users\Alwil Software\Avast5\arpot\87223-7a0-0.dat scheduled to be moved on reboot.
    File\Folder C:\Users\primary\AppData\Local\Temp\~DF3EFCC245613B0CAE.TMP not found!
    File\Folder C:\Users\primary\AppData\Local\Temp\~DF504BBA99359212BE.TMP not found!
    File\Folder C:\Users\primary\AppData\Local\Temp\~DF82179952D379575F.TMP not found!
    File\Folder C:\Users\primary\AppData\Local\Temp\~DF939A8B9F87DB27E4.TMP not found!
    File\Folder C:\Users\primary\AppData\Local\Temp\~DFC30087817F3F150D.TMP not found!
    File\Folder C:\Users\primary\AppData\Local\Temp\~DFEEC7A4A0AF8AE1D3.TMP not found!
    C:\Users\primary\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KN1QIN4O\crosspixel-dest[1].htm moved successfully.
    C:\Users\primary\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KN1QIN4O\mail[1].htm moved successfully.
    C:\Users\primary\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KN1QIN4O\mail[2].htm moved successfully.
    C:\Users\primary\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C58FPKPZ\mail[1].htm moved successfully.
    C:\Users\primary\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C58FPKPZ\topic161791[1].html moved successfully.
    C:\Users\primary\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\90Q9CYFI\3435013[1].htm moved successfully.
    C:\Users\primary\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\90Q9CYFI\mail[1].htm moved successfully.
    C:\Users\primary\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0NT6K7KM\mail[1].htm moved successfully.
    C:\Users\primary\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0NT6K7KM\sh32[1].html moved successfully.
    C:\Users\primary\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
    File move failed. C:\windows\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...


    =======================================================================
    Here is the last OTL log, requested to remove the restore points.
    =======================================================================


    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: primary
    ->Temp folder emptied: 329691 bytes
    ->Temporary Internet Files folder emptied: 3921314 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 456 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 608 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 4.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: primary
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb



    OTL by OldTimer - Version 3.2.22.2 log created on 02282011_211248

    Files\Folders moved on Reboot...
    File\Folder C:\Users\primary\AppData\Local\Temp\~DF0831531AEFBA2755.TMP not found!
    File\Folder C:\Users\primary\AppData\Local\Temp\~DF37CB235C206C9F13.TMP not found!
    File\Folder C:\Users\primary\AppData\Local\Temp\~DF7FBBD97448A261B6.TMP not found!
    File\Folder C:\Users\primary\AppData\Local\Temp\~DFE24BCA67F690F361.TMP not found!
    File\Folder C:\Users\primary\AppData\Local\Temp\~DFE8679D24AABE1852.TMP not found!
    File\Folder C:\Users\primary\AppData\Local\Temp\~DFF5CB56286A7E226A.TMP not found!
    C:\Users\primary\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DBDU4EGW\crosspixel-dest[1].htm moved successfully.
    C:\Users\primary\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5BZS7KGX\topic161791[1].html moved successfully.
    C:\Users\primary\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1G7MFHCN\5307347[1].htm moved successfully.
    C:\Users\primary\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1G7MFHCN\sh32[1].html moved successfully.
    C:\Users\primary\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
    File move failed. C:\windows\temp\_avast5_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...
     
  16. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Whenever ready....
     
  17. kananesgi

    kananesgi TS Rookie Topic Starter

    Sorry, was busy helping my brother with some late school work.

    Computer seems to be running great. Avast! hasn't alerted me to any threats and even my Google redirects problem seems to have been fixed. Computer doesn't seem to run any faster or more stable, but then it never had problems in those areas anyway. I did notice we cleared up a full 9 gigs of space on the HD, which was great.
     
  18. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Way to go!!
    Good luck and stay safe :)
     
  19. kananesgi

    kananesgi TS Rookie Topic Starter

    Forgot to say it before...

    THANK YOU!!!!
     
  20. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    You're very welcome
     
Topic Status:
Not open for further replies.
