Inactive Browser slow downs, rootkit detected

I've had problems with pages loading slowly, and I wasn't sure whether it was the ISP or something else, so I ran a bunch of scanners and found nothing. However, running ComboFix detected rootkit activity, which got me worried.

I recently reformatted my computer after AVG's shield started giving warnings about Win32/Heur. Various scanners couldn't find anything then, either.

MBM LOG:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6126

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/21/2011 10:15:48 PM
mbam-log-2011-03-21 (22-15-48).txt

Scan type: Quick scan
Objects scanned: 135629
Time elapsed: 2 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER LOG:

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit quick scan 2011-03-21 22:18:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3250823NS rev.5.00
Running: ckb0nmko.exe; Driver: C:\DOCUME~1\username\LOCALS~1\Temp\uxtdypog.sys


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwEnumerateKey [0xF75380EE]
SSDT sptd.sys ZwEnumerateValueKey [0xF753847C]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\JRAID \Device\Scsi\JRAID1Port4Path0Target0Lun0 8A16E1E8
Device \Driver\JRAID \Device\Scsi\JRAID1 8A16E1E8
Device \Driver\an8gi89l \Device\Scsi\an8gi89l1Port5Path0Target0Lun0 89FDD1E8
Device \Driver\an8gi89l \Device\Scsi\an8gi89l1 89FDD1E8
Device \FileSystem\Ntfs \Ntfs 8A19C1E8

---- EOF - GMER 1.0.15 ----

DDS LOG:

DDS (Ver_11-03-05.01) - NTFSx86
Run by username at 22:19:51.60 on Mon 03/21/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3007.2612 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\username\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://start.facemoods.com/?a=ddr
uDefault_Search_URL = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [Gadwin PrintScreen] c:\program files\gadwin systems\printscreen\PrintScreen.exe /nosplash
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
dPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
Trusted Zone: google.ca\www
Trusted Zone: leagueoflegends.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: schannel.dll, credssp.dll, digest.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\username\applic~1\mozilla\firefox\profiles\tzjge6wq.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\username\application data\mozilla\firefox\profiles\tzjge6wq.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Linkification: {35106bca-6c78-48c7-ac28-56df30b51d2a} - %profile%\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}
FF - Ext: Password Exporter: {B17C1C5A-04B1-11DB-9804-B622A1EF5492} - %profile%\extensions\{B17C1C5A-04B1-11DB-9804-B622A1EF5492}
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
.
============= SERVICES / DRIVERS ===============
.
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2011-3-17 35840]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2010-10-13 101904]
S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
.
=============== Created Last 30 ================
.
2011-03-22 02:10:34 -------- d-----w- c:\docume~1\username\applic~1\Malwarebytes
2011-03-22 02:10:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-22 02:10:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-22 02:10:27 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-22 02:10:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-22 02:06:51 -------- d-----w- c:\windows\system32\xircom
2011-03-22 02:06:51 -------- d-----w- c:\windows\system32\wbem\snmp
2011-03-22 02:06:51 -------- d-----w- c:\windows\srchasst
2011-03-22 01:45:27 -------- d-sha-r- C:\cmdcons
2011-03-22 01:44:43 98816 ----a-w- c:\windows\sed.exe
2011-03-22 01:44:43 89088 ----a-w- c:\windows\MBR.exe
2011-03-22 01:44:43 256512 ----a-w- c:\windows\PEV.exe
2011-03-22 01:44:43 161792 ----a-w- c:\windows\SWREG.exe
2011-03-21 00:59:06 823296 ----a-w- c:\windows\j3dcore-d3d.dll
2011-03-21 00:59:06 49152 ----a-w- c:\windows\j3dcore-ogl-chk.dll
2011-03-21 00:59:06 40960 ----a-w- c:\windows\j3dcore-ogl-cg.dll
2011-03-21 00:59:06 163840 ----a-w- c:\windows\j3dcore-ogl.dll
2011-03-21 00:58:56 -------- d-----w- c:\docume~1\username\locals~1\applic~1\{3225C812-5FB8-41CE-B15F-997F80151000}
2011-03-21 00:51:52 -------- d-----w- c:\docume~1\username\applic~1\updatetool
2011-03-21 00:50:50 -------- d-----w- C:\glassfish3
2011-03-20 02:05:34 -------- d-----w- c:\program files\SopCast
2011-03-20 02:02:53 -------- d-----w- c:\windows\system32\TVUAx
2011-03-20 02:01:00 -------- d-----w- c:\program files\Veetle
2011-03-19 04:46:15 -------- d-----w- c:\docume~1\username\applic~1\.minecraft
2011-03-17 20:58:03 -------- d-----w- c:\docume~1\username\applic~1\Ubisoft
2011-03-17 20:47:53 189248 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-03-17 20:47:52 75136 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-03-17 20:47:52 -------- d-----w- c:\docume~1\username\applic~1\PunkBuster
2011-03-17 20:25:31 -------- d-----w- c:\docume~1\username\applic~1\LolClient
2011-03-17 20:13:00 -------- d-----w- c:\windows\Logs
2011-03-17 20:07:09 -------- d-----w- c:\docume~1\username\locals~1\applic~1\Temp
2011-03-17 19:49:48 -------- d-----w- c:\docume~1\username\locals~1\applic~1\PMB Files
2011-03-17 19:49:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\PMB Files
2011-03-17 19:49:32 -------- d-----w- c:\program files\Pando Networks
2011-03-17 17:52:54 -------- d-----w- c:\docume~1\username\locals~1\applic~1\Jaksta_Technologies_Pty_L
2011-03-17 17:50:58 -------- d-----w- c:\windows\system32\LogFiles
2011-03-17 17:50:44 -------- d-----w- c:\docume~1\username\applic~1\Replay Media Catcher 4
2011-03-17 17:50:40 -------- d-----w- c:\program files\Applian Technologies
2011-03-17 17:29:54 -------- d-----w- c:\program files\VideoLAN
2011-03-17 17:23:12 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)
2011-03-17 17:22:22 -------- d-----w- c:\program files\IrfanView
2011-03-17 17:14:13 11776 ----a-w- c:\program files\mozilla firefox\plugins\nprjplug.dll
2011-03-17 17:14:07 -------- d-----w- c:\program files\common files\xing shared
2011-03-17 17:14:04 150712 ----a-w- c:\program files\mozilla firefox\plugins\nppl3260.dll
2011-03-17 17:14:03 100864 ----a-w- c:\program files\mozilla firefox\plugins\nprpjplug.dll
2011-03-17 17:03:22 -------- d-----w- c:\program files\Steam
2011-03-17 17:01:23 165376 ----a-w- c:\windows\system32\unrar.dll
2011-03-17 17:01:22 -------- d-----w- c:\program files\K-Lite Codec Pack
2011-03-17 16:58:58 -------- d-----w- c:\docume~1\username\locals~1\applic~1\Apple Computer
2011-03-17 16:42:48 -------- d-----w- c:\program files\JDownloader
2011-03-17 16:39:44 -------- d-----w- c:\program files\GRETECH
2011-03-17 16:39:19 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-03-17 16:33:00 -------- d-----w- c:\program files\Gadwin Systems
2011-03-17 16:27:49 -------- d-----w- c:\program files\common files\DivX Shared
2011-03-17 16:27:37 -------- d-----w- c:\program files\DivX
2011-03-17 16:20:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\DivX
2011-03-17 16:19:54 -------- d-----w- c:\program files\DAEMON Tools Lite
2011-03-17 16:19:39 -------- d-----w- c:\docume~1\username\applic~1\DAEMON Tools Lite
2011-03-17 16:19:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2011-03-17 16:14:37 -------- d-----w- c:\program files\BitComet
2011-03-17 16:14:37 -------- d-----w- c:\docume~1\username\applic~1\BitComet
2011-03-17 16:13:37 -------- d-----w- c:\program files\CDisplay
2011-03-17 15:53:31 -------- d-----w- c:\docume~1\username\locals~1\applic~1\Adobe
2011-03-17 15:52:30 497664 ----a-w- c:\windows\system32\ac3filter.acm
2011-03-17 15:52:29 -------- d-----w- c:\program files\AC3Filter
2011-03-17 15:38:26 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2011-03-17 15:38:26 8192 ----a-w- c:\windows\system32\kbdkor.dll
2011-03-17 15:38:26 6144 ----a-w- c:\windows\system32\kbd106.dll
2011-03-17 15:38:26 6144 ----a-w- c:\windows\system32\kbd101c.dll
2011-03-17 15:38:26 6144 ----a-w- c:\windows\system32\kbd101b.dll
2011-03-17 15:38:26 5632 ----a-w- c:\windows\system32\kbd103.dll
2011-03-17 15:27:26 -------- d-sh--w- c:\documents and settings\username\IECompatCache
2011-03-17 09:23:15 -------- d-----w- c:\program files\ATI
2011-03-17 09:22:55 -------- d-----w- c:\program files\ATI Technologies
2011-03-17 09:21:54 -------- d-----w- c:\program files\common files\Hewlett-Packard
2011-03-17 09:21:24 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-03-17 09:21:18 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-03-17 09:19:41 1953792 ----a-w- c:\windows\system32\xRaidSetup.exe
2011-03-17 09:19:41 143360 ----a-w- c:\windows\system32\xRaidAPI.dll
2011-03-17 09:19:39 -------- d-----w- c:\windows\RaidTool
2011-03-17 09:18:25 6912 ----a-w- c:\windows\system32\drivers\JGOGO.sys
2011-03-17 09:18:25 46208 ----a-w- c:\windows\system32\drivers\jraid.sys
2011-03-17 09:18:07 -------- d-----w- c:\windows\system32\Attansic
2011-03-17 09:18:05 57344 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\ctor.dll
2011-03-17 09:18:05 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\DotNetInstaller.exe
2011-03-17 09:18:05 237568 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\iscript.dll
2011-03-17 09:18:05 151552 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\iuser.dll
2011-03-17 09:18:05 -------- d-----w- c:\program files\Attansic
2011-03-17 09:18:04 634880 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\iKernel.dll
2011-03-17 09:18:04 270468 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\Setup.dll
2011-03-17 09:18:04 159876 ----a-w- c:\program files\common files\installshield\professional\runtime\0700\intel32\IGdi.dll
2011-03-17 09:15:27 -------- d-----w- c:\windows\system32\ReinstallBackups
2011-03-17 09:15:25 53248 ----a-w- c:\windows\system32\CSVer.dll
.
==================== Find3M ====================
.
2011-03-17 17:14:01 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-03-17 01:34:57 0 ----a-w- c:\windows\ativpsrm.bin
2011-02-03 01:40:23 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 23:19:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
============= FINISH: 22:20:07.14 ===============
 
Welcome aboard


Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=========================================================================

I recently reformatted my computer after AVG's shield started giving warnings about Win32/Heur. Various scanners couldn't find anything then, either.
Most likely, you wasted your time.
AVG has been plagued lately with that kind of false positive.

Now....
1. The Attach.txt part of DDS is missing. Please post it.
2. I don't see any AV program running.
Please install one of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html
Update it, run a full scan, and report any findings.

======================================================================

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

========================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete the Combofix file and download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
I forgot to add that ComboFix was detecting rootkit activity along with AVG detecting Win32/Heur pre-reformat.

DDS Attach:

DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 3/16/2011 7:55:21 PM
System Uptime: 3/21/2011 10:11:47 PM (0 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P5B-E
Processor: Intel(R) Pentium(R) D CPU 3.40GHz | Socket 775 | 3410/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 116 GiB total, 99.454 GiB free.
D: is FIXED (NTFS) - 116 GiB total, 114.028 GiB free.
E: is CDROM ()
F: is FIXED (NTFS) - 466 GiB total, 328.824 GiB free.
G: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\ATK0110\1010110
Manufacturer:
Name:
PNP Device ID: ACPI\ATK0110\1010110
Service:
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
7-Zip 9.20
AC3Filter 1.63b
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Reader X (10.0.1)
AiO_Scan
Apple Application Support
Apple Software Update
Assassin's Creed Brotherhood
ATI Catalyst Install Manager
Attansic Giga Ethernet Utility
Attansic L1 Gigabit Ethernet Driver
Audacity 1.3.12 (Unicode)
BitComet 1.26
DAEMON Tools Lite
DivX Setup
Gadwin PrintScreen
GOM Player
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
IrfanView (remove only)
Java 3D 1.5.1
Java Auto Updater
Java(TM) 6 Update 24
JDownloader
JMB36X Raid Configurer
K-Lite Codec Pack 7.0.0 (Basic)
League of Legends
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - SP1 x86 8.0.59193
Microsoft Visual C++ 2008 Redistributable - SP1 x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Mozilla Firefox (3.6.15)
Pando Media Booster
PunkBuster Services
QFolder
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
Replay Media Catcher 4
Scan
Security Update for CAPICOM (KB931906)
SopCast 3.3.2
SoundMAX
Steam
Ubisoft Game Launcher
Unlocker 1.9.0
VC80CRTRedist - 8.0.50727.4053
Veetle TV 0.9.18
VLC media player 1.1.7
WebFldrs XP
WinRAR archiver
.
==== Event Viewer Messages From Past Week ========
.
3/16/2011 7:58:20 PM, information: Windows File Protection [64032] - Windows File Protection is not active on this system.
.
==== End Of File ===========================

Avira Scan:

Avira AntiVir Personal
Report file date: Tuesday, March 22, 2011 12:35

Scanning for 2521106 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : USER

Version information:
BUILD.DAT : 10.0.0.635 31822 Bytes 3/7/2011 12:15:00
AVSCAN.EXE : 10.0.3.5 435368 Bytes 3/4/2011 18:36:52
AVSCAN.DLL : 10.0.3.0 46440 Bytes 4/1/2010 16:57:04
LUKE.DLL : 10.0.3.2 104296 Bytes 3/4/2011 18:36:59
LUKERES.DLL : 10.0.0.1 12648 Bytes 2/11/2010 03:40:49
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 13:05:36
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 18:37:07
VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 18:37:08
VBASE003.VDF : 7.11.3.1 2048 Bytes 2/9/2011 18:37:08
VBASE004.VDF : 7.11.3.2 2048 Bytes 2/9/2011 18:37:08
VBASE005.VDF : 7.11.3.3 2048 Bytes 2/9/2011 18:37:08
VBASE006.VDF : 7.11.3.4 2048 Bytes 2/9/2011 18:37:08
VBASE007.VDF : 7.11.3.5 2048 Bytes 2/9/2011 18:37:08
VBASE008.VDF : 7.11.3.6 2048 Bytes 2/9/2011 18:37:08
VBASE009.VDF : 7.11.3.7 2048 Bytes 2/9/2011 18:37:08
VBASE010.VDF : 7.11.3.8 2048 Bytes 2/9/2011 18:37:08
VBASE011.VDF : 7.11.3.9 2048 Bytes 2/9/2011 18:37:09
VBASE012.VDF : 7.11.3.10 2048 Bytes 2/9/2011 18:37:09
VBASE013.VDF : 7.11.3.59 157184 Bytes 2/14/2011 18:37:09
VBASE014.VDF : 7.11.3.97 120320 Bytes 2/16/2011 18:37:09
VBASE015.VDF : 7.11.3.148 128000 Bytes 2/19/2011 18:37:09
VBASE016.VDF : 7.11.3.183 140288 Bytes 2/22/2011 18:37:09
VBASE017.VDF : 7.11.3.216 124416 Bytes 2/24/2011 22:02:23
VBASE018.VDF : 7.11.3.251 159232 Bytes 2/28/2011 20:08:03
VBASE019.VDF : 7.11.4.33 148992 Bytes 3/2/2011 22:30:49
VBASE020.VDF : 7.11.4.73 150016 Bytes 3/6/2011 20:14:47
VBASE021.VDF : 7.11.4.108 122880 Bytes 3/8/2011 15:58:46
VBASE022.VDF : 7.11.4.150 133120 Bytes 3/10/2011 15:58:47
VBASE023.VDF : 7.11.4.183 122368 Bytes 3/14/2011 15:58:48
VBASE024.VDF : 7.11.4.228 123392 Bytes 3/16/2011 15:58:49
VBASE025.VDF : 7.11.5.8 246272 Bytes 3/21/2011 15:58:51
VBASE026.VDF : 7.11.5.9 2048 Bytes 3/21/2011 15:58:51
VBASE027.VDF : 7.11.5.10 2048 Bytes 3/21/2011 15:58:51
VBASE028.VDF : 7.11.5.11 2048 Bytes 3/21/2011 15:58:51
VBASE029.VDF : 7.11.5.12 2048 Bytes 3/21/2011 15:58:51
VBASE030.VDF : 7.11.5.13 2048 Bytes 3/21/2011 15:58:52
VBASE031.VDF : 7.11.5.27 89600 Bytes 3/22/2011 16:35:07
Engineversion : 8.2.4.188
AEVDF.DLL : 8.1.2.1 106868 Bytes 3/4/2011 18:36:49
AESCRIPT.DLL : 8.1.3.57 1261947 Bytes 3/22/2011 15:59:07
AESCN.DLL : 8.1.7.2 127349 Bytes 3/4/2011 18:36:48
AESBX.DLL : 8.1.3.2 254324 Bytes 3/4/2011 18:36:48
AERDL.DLL : 8.1.9.8 639346 Bytes 3/22/2011 15:59:05
AEPACK.DLL : 8.2.4.12 520567 Bytes 3/22/2011 15:59:03
AEOFFICE.DLL : 8.1.1.17 205177 Bytes 3/22/2011 15:59:01
AEHEUR.DLL : 8.1.2.87 3371383 Bytes 3/22/2011 15:59:00
AEHELP.DLL : 8.1.16.1 246134 Bytes 3/4/2011 18:36:41
AEGEN.DLL : 8.1.5.3 397684 Bytes 3/22/2011 15:58:54
AEEMU.DLL : 8.1.3.0 393589 Bytes 3/4/2011 18:36:40
AECORE.DLL : 8.1.19.2 196983 Bytes 3/4/2011 18:36:40
AEBB.DLL : 8.1.1.0 53618 Bytes 3/4/2011 18:36:39
AVWINLL.DLL : 10.0.0.0 19304 Bytes 3/4/2011 18:36:53
AVPREF.DLL : 10.0.0.0 44904 Bytes 3/4/2011 18:36:52
AVREP.DLL : 10.0.0.8 62209 Bytes 6/17/2010 18:27:13
AVREG.DLL : 10.0.3.2 53096 Bytes 3/4/2011 18:36:52
AVSCPLR.DLL : 10.0.3.2 84328 Bytes 3/4/2011 18:36:53
AVARKT.DLL : 10.0.22.6 231784 Bytes 3/4/2011 18:36:50
AVEVTLOG.DLL : 10.0.0.8 203112 Bytes 3/4/2011 18:36:51
SQLITE3.DLL : 3.6.19.0 355688 Bytes 6/17/2010 18:27:22
AVSMTP.DLL : 10.0.0.17 63848 Bytes 3/4/2011 18:36:53
NETNT.DLL : 10.0.0.0 11624 Bytes 6/17/2010 18:27:21
RCIMAGE.DLL : 10.0.0.26 2550120 Bytes 3/4/2011 18:37:12
RCTEXT.DLL : 10.0.58.0 97128 Bytes 3/4/2011 18:37:12

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:, F:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Tuesday, March 22, 2011 12:35

Starting search for hidden objects.
c:\program files\adobe\reader 10.0\reader\acrord32.exe
c:\program files\adobe\reader 10.0\reader\acrord32.exe
[NOTE] The process is not visible.
c:\program files\adobe\reader 10.0\reader\acrord32.exe
c:\program files\adobe\reader 10.0\reader\acrord32.exe
c:\program files\adobe\reader 10.0\reader\acrord32.exe
c:\program files\adobe\reader 10.0\reader\acrord32.exe
c:\program files\adobe\reader 10.0\reader\acrord32.exe

The scan of running processes will be started
Scan process 'rsmsink.exe' - '30' Module(s) have been scanned
Scan process 'avscan.exe' - '74' Module(s) have been scanned
Scan process 'GOM.exe' - '101' Module(s) have been scanned
Scan process 'avcenter.exe' - '68' Module(s) have been scanned
Scan process 'msdtc.exe' - '46' Module(s) have been scanned
Scan process 'dllhost.exe' - '65' Module(s) have been scanned
Scan process 'dllhost.exe' - '47' Module(s) have been scanned
Scan process 'vssvc.exe' - '50' Module(s) have been scanned
Scan process 'avgnt.exe' - '56' Module(s) have been scanned
Scan process 'sched.exe' - '48' Module(s) have been scanned
Scan process 'avshadow.exe' - '28' Module(s) have been scanned
Scan process 'avguard.exe' - '56' Module(s) have been scanned
Scan process 'svchost.exe' - '36' Module(s) have been scanned
Scan process 'explorer.exe' - '131' Module(s) have been scanned
Scan process 'ctfmon.exe' - '30' Module(s) have been scanned
Scan process 'alg.exe' - '35' Module(s) have been scanned
Scan process 'svchost.exe' - '41' Module(s) have been scanned
Scan process 'PnkBstrA.exe' - '26' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '20' Module(s) have been scanned
Scan process 'jqs.exe' - '35' Module(s) have been scanned
Scan process 'svchost.exe' - '36' Module(s) have been scanned
Scan process 'spoolsv.exe' - '53' Module(s) have been scanned
Scan process 'svchost.exe' - '47' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '35' Module(s) have been scanned
Scan process 'svchost.exe' - '34' Module(s) have been scanned
Scan process 'svchost.exe' - '158' Module(s) have been scanned
Scan process 'svchost.exe' - '45' Module(s) have been scanned
Scan process 'svchost.exe' - '55' Module(s) have been scanned
Scan process 'Ati2evxx.exe' - '30' Module(s) have been scanned
Scan process 'lsass.exe' - '66' Module(s) have been scanned
Scan process 'services.exe' - '40' Module(s) have been scanned
Scan process 'winlogon.exe' - '81' Module(s) have been scanned
Scan process 'csrss.exe' - '17' Module(s) have been scanned
Scan process 'smss.exe' - '2' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'F:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '1650' files ).


Starting the file scan:

Begin scan in 'C:\'
Begin scan in 'D:\'
Begin scan in 'F:\' <FreeAgent Drive>


End of the scan: Tuesday, March 22, 2011 12:56
Used time: 20:31 Minute(s)

The scan has been done completely.

8769 Scanned directories
328391 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
328391 Files not concerned
3710 Archives were scanned
0 Warnings
0 Notes
227775 Objects were scanned with rootkit scan
6 Hidden objects were found

MBRCheck:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000007d

Kernel Drivers (total 137):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF74C6000 sptd.sys
0xF7989000 \WINDOWS\System32\Drivers\WMILIB.SYS
0xF74AE000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xF7480000 ACPI.sys
0xF746F000 pci.sys
0xF75F7000 ohci1394.sys
0xF7607000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7617000 isapnp.sys
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7627000 MountMgr.sys
0xF7858000 ftdisk.sys
0xF798B000 dmload.sys
0xF7832000 dmio.sys
0xF770F000 PartMgr.sys
0xF7637000 VolSnap.sys
0xF796F000 atapi.sys
0xF7647000 jraid.sys
0xBA7EA000 Si3112.sys
0xF7657000 disk.sys
0xF7667000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xBA72A000 fltMgr.sys
0xBA718000 sr.sys
0xBA701000 KSecDD.sys
0xBA674000 Ntfs.sys
0xBA647000 NDIS.sys
0xBA62D000 Mup.sys
0xF798D000 JGOGO.sys
0xF76D7000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xBA029000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xBA015000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB9FED000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF7757000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9FC9000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7767000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF76E7000 \SystemRoot\system32\DRIVERS\atl01_xp.sys
0xF76F7000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF745F000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF744F000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB9F06000 \SystemRoot\system32\DRIVERS\ks.sys
0xF743F000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF742F000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7937000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF7787000 \SystemRoot\system32\DRIVERS\fdc.sys
0xB9ECA000 \SystemRoot\system32\DRIVERS\parport.sys
0xF741F000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7797000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB9E8D000 \SystemRoot\System32\Drivers\ah3xsqtl.SYS
0xBA5B6000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF740F000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA609000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB9E76000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7887000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7877000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF781F000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB9E64000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA7DA000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF774F000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF776F000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA7CA000 \SystemRoot\system32\DRIVERS\appliand.sys
0xB9D94000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA7BA000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF778F000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7999000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9CE6000 \SystemRoot\system32\DRIVERS\update.sys
0xBA5E5000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA7AA000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xADC80000 \SystemRoot\system32\drivers\AtihdXP3.sys
0xADC5C000 \SystemRoot\system32\drivers\portcls.sys
0xBA77A000 \SystemRoot\system32\drivers\drmk.sys
0xBA76A000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79A1000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xADC0E000 \SystemRoot\system32\drivers\ADIHdAud.sys
0xADBF6000 \SystemRoot\system32\drivers\AEAudio.sys
0xADB96000 \SystemRoot\system32\drivers\Senfilt.sys
0xF77CF000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xB9EF2000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7A53000 \SystemRoot\System32\Drivers\Null.SYS
0xF79A7000 \SystemRoot\System32\Drivers\Beep.SYS
0xF77E7000 \SystemRoot\System32\drivers\vga.sys
0xF79AB000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79AF000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF77F7000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7807000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB9EEA000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xADAFB000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xADAA2000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xADA7A000 \SystemRoot\system32\DRIVERS\netbt.sys
0xADA54000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xBA74A000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xADA0A000 \SystemRoot\System32\drivers\afd.sys
0xB9FB9000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB9FA9000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAD93F000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAD8CF000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB9F99000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7777000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xB9D8C000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB9CD2000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB9F79000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB9D7C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB9CCA000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB9F69000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xAD8B7000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF79B7000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xADB52000 \SystemRoot\System32\drivers\Dxapi.sys
0xB9D54000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7A61000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF060000 \SystemRoot\System32\ati2cqag.dll
0xBF108000 \SystemRoot\System32\atikvmag.dll
0xBF1B1000 \SystemRoot\System32\atiok3x2.dll
0xBF216000 \SystemRoot\System32\ati3duag.dll
0xBF9C7000 \SystemRoot\System32\ativvaxx.dll
0xAAD72000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAAA38000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF79EB000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xAAD1A000 \SystemRoot\System32\Drivers\Aspi32.SYS
0xAA97C000 \SystemRoot\system32\DRIVERS\srv.sys
0xAA827000 \SystemRoot\system32\drivers\wdmaud.sys
0xAA914000 \SystemRoot\system32\drivers\sysaudio.sys
0xF77D7000 \??\C:\DOCUME~1\username\LOCALS~1\Temp\catchme.sys
0xF79E3000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xAA3C4000 \SystemRoot\System32\Drivers\HTTP.sys
0xA9E29000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xF79C5000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0xA9E14000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xA9D28000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA9C5D000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll
0x10000000 \Program Files\DAEMON Tools Lite\Engine.dll

Processes (total 31):
0 System Idle Process
4 System
864 C:\WINDOWS\system32\smss.exe
936 csrss.exe
968 C:\WINDOWS\system32\winlogon.exe
1016 C:\WINDOWS\system32\services.exe
1028 C:\WINDOWS\system32\lsass.exe
1192 C:\WINDOWS\system32\ati2evxx.exe
1224 C:\WINDOWS\system32\svchost.exe
1300 svchost.exe
1440 C:\WINDOWS\system32\svchost.exe
1560 svchost.exe
1692 C:\WINDOWS\system32\ati2evxx.exe
1712 svchost.exe
1948 C:\WINDOWS\system32\spoolsv.exe
2008 svchost.exe
172 C:\Program Files\Java\jre6\bin\jqs.exe
232 C:\WINDOWS\system32\HPZipm12.exe
256 C:\WINDOWS\system32\PnkBstrA.exe
292 C:\WINDOWS\system32\svchost.exe
1516 alg.exe
1648 C:\WINDOWS\system32\ctfmon.exe
608 C:\WINDOWS\explorer.exe
1536 C:\WINDOWS\system32\svchost.exe
2692 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
4020 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
3564 C:\Program Files\Avira\AntiVir Desktop\sched.exe
2648 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
660 C:\WINDOWS\system32\dllhost.exe
1576 msdtc.exe
3512 C:\Documents and Settings\username\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000001d`1c073e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ST3250823NS, Rev: 5.00
PhysicalDrive1 Model Number: SeagateFreeAgent, Rev: 102F

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
465 GB \\.\PhysicalDrive1 RE: Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!

ComboFix log:

ComboFix 11-03-21.02 - username 03/22/2011 13:30:45.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3007.2599 [GMT -4:00]
Running from: c:\documents and settings\username\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-22 to 2011-03-22 )))))))))))))))))))))))))))))))
.
.
2011-03-21 00:50 . 2011-03-21 00:51 -------- d-----w- C:\glassfish3
2011-03-17 15:26 . 2011-03-22 17:22 -------- d-----w- C:\Downloads
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
------- Sigcheck -------
.
[-] 2010-10-13 . 474D3DCCB57DEFCD917311EEC47204B9 . 361600 . . [5.1.2600.6009] . . c:\windows\system32\drivers\tcpip.sys
.
.
c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2011-01-20 1305408]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2010-10-14 487424]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-03-16 868352]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-02-15 1230704]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-03-17 273544]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-07 128512]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, credssp.dll, digest.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"d:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"d:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17698:TCP"= 17698:TCP:BitComet 17698 TCP
"17698:UDP"= 17698:UDP:BitComet 17698 UDP
"56872:TCP"= 56872:TCP:pando Media Booster
"56872:UDP"= 56872:UDP:pando Media Booster
"8381:TCP"= 8381:TCP:League of Legends Launcher
"8381:UDP"= 8381:UDP:League of Legends Launcher
.
R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/22/2011 11:55 AM 135336]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [6/24/2010 1:46 PM 28256]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [3/17/2011 5:17 AM 35840]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [10/13/2010 12:47 AM 101904]
S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [6/24/2010 1:46 PM 28256]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - SSMDRV
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1614895754-527237240-1417001333-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 18:25]
.
2011-03-17 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1614895754-527237240-1417001333-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 18:25]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://www.google.com/
Trusted Zone: google.ca\www
FF - ProfilePath - c:\documents and settings\username\Application Data\Mozilla\Firefox\Profiles\tzjge6wq.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Linkification: {35106bca-6c78-48c7-ac28-56df30b51d2a} - %profile%\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}
FF - Ext: Password Exporter: {B17C1C5A-04B1-11DB-9804-B622A1EF5492} - %profile%\extensions\{B17C1C5A-04B1-11DB-9804-B622A1EF5492}
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-22 13:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(972)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2011-03-22 13:35:25
ComboFix-quarantined-files.txt 2011-03-22 17:35
ComboFix2.txt 2011-03-22 02:38
.
Pre-Run: 115,048,419,328 bytes free
Post-Run: 115,398,103,040 bytes free
.
- - End Of File - - C32AEA0158291A92D46F52B7DE2E4ADB
 
I don't see anything malicious in your logs, but you have a problem with a couple of system files.

What kind of disk did you use to reinstall Windows?
 