TechSpot

Dell Dimension 4600, Netgear WNA3100 WiFi with Malware

By gluttony
Dec 6, 2010
  1. Thank you in advance for all the help with these vexing problems!

    SYMPTOMS:
    Google searches redirect to false searches. Pop-ups from cr0zybanner, for instance. Whitesmoke app downloaded to desktop and startup. WNA3100.exe will not load and I cannot get on Internet. fastprox.dll would not copy during Windows XP Repair Install.

    BACK STORY, ATTEMPTS TO FIX:
    While I was browsing the Internet (mangafox.com if memory serves), IE8 froze. After it started working again, Google searches redirected to false searches and I received pop-ups from cr0zybanner, for example. I quickly attempted a system restore operation, which went through but did not solve the problem. I attempted a restore in safe mode with command prompt which generated the following error : "System restore is not able to protect your computer. Please restart your computer, and then try system restore again." I found a post on this forum with similar symptoms, so I thought a post was in order. However, I found prep instructions at www.techspot.com/vb/topic109461.html. Following these instructions, I downloaded and ran Avira Antivir, Comodo, ATF-Cleaner, Malwarebytes Anti-Malware and SuperAntiSpyware. Here's where it gets interesting. After rebooting, Comodo does not recognize WNA3100.exe and says it is trying to alter "protected registry key HKLM\SYSTEM\ControlSet???\Services\WSWNA3100". WNA3100.exe will not load whether I allowor block and I can't get on the Internet. I've tried to reinstall WNA3100.exe, but I do not have the permissions. I also tried to to perform Windows XP Repair Install to no avail. During this process, fastprox.dll would not copy. So I used a friend's computer to download HiJackThis in an attempt to continue the instructions. However, now I see the updated prep instructions for prep with GMER and DDS. I will run those tonight. In the meantime, I have all the logs from Avira Antivir, Comodo, ATF-Cleaner, Malwarebytes Anti-Malware, SuperAntiSpyware and HJT.

    QUESTIONS:
    How should I proceed? Should I post the logs I have? Since I am using a friend's computer to post, is it safe to transfer the logs via USB stick? What's the best way to post the logs?

    Apologies for the long post, but I wanted to be sure you knew the circumstances around my potentially disruptive attempts at correcting my computer's issues. Many Thanks!
     
  2. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =======================================================================

    Very smart question :)
    Do this on your friend's computer...

    Download, and run Flash Disinfector, and save it to your desktop (Windows Vista and Windows 7 users, scroll down)

    *Please disable any AV / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it. Hence, the failure in executing. You can enable them back after the cleaning process*

    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
    • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.
    Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

    Windows Vista and Windows 7 users
    Flash Disinfector is not compatible with the above Windows version.
    Please, use Panda USB Vaccine


    Then....

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
    Attached logs won't be reviewed.
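Flash Disinfector's protective trick in the note above (a folder named autorun.inf at the drive root, so a file of that name cannot be created) and the Shift-key advice both come down to what sits at the root of the removable drive. The Python script below is an added example, not part of this thread and not Flash Disinfector's own code; it classifies a drive root as having no autorun.inf, the placeholder folder, or an autorun.inf file, and for a file lists the directives in its [autorun] section that launch a program. The three drive roots it builds in a temporary directory and the sample autorun.inf content are constructed for the demonstration.

```python
"""Classify what sits at <drive root>\\autorun.inf (added example, not a thread tool).

Windows XP honoured autorun.inf on removable media, so USB-borne malware
dropped one whose [autorun] section pointed at a hidden executable.
Flash Disinfector occupies the name with a folder instead, so that file
cannot be created. This helper tells the three cases apart.
"""
import tempfile
from pathlib import Path
from typing import Dict, List

# [autorun] keys that launch a program; "icon" and "label" are cosmetic.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_launch_directives(text: str) -> List[str]:
    """Return the launch directives found in the [autorun] section, as key=value."""
    section = None
    found: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # shell\<verb>\command=... adds a context-menu verb that runs a program
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            found.append(f"{key}={value}")
    return found


def inspect_autorun(root: str) -> Dict[str, object]:
    """Classify the autorun.inf entry at a drive root."""
    target = Path(root) / "autorun.inf"
    if not target.exists():
        return {"state": "absent", "launch": []}
    if target.is_dir():
        # The placeholder folder Flash Disinfector leaves behind.
        return {"state": "placeholder-folder", "launch": []}
    launch = parse_launch_directives(target.read_text(errors="replace"))
    return {"state": "suspicious-file" if launch else "file", "launch": launch}


# Constructed sample, modelled on the layout USB worms used; not a real capture.
SAMPLE_INFECTED_INF = """\
[AutoRun]
icon=%SystemRoot%\\system32\\SHELL32.dll,4
open=RECYCLER\\hidden.exe
shell\\open\\command=RECYCLER\\hidden.exe
"""


def demo() -> Dict[str, str]:
    """Build three constructed drive roots in a temp dir and classify each."""
    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        roots = {name: Path(tmp) / name for name in ("clean", "protected", "infected")}
        for path in roots.values():
            path.mkdir()
        (roots["protected"] / "autorun.inf").mkdir()
        (roots["infected"] / "autorun.inf").write_text(SAMPLE_INFECTED_INF)
        for name, path in roots.items():
            results[name] = str(inspect_autorun(str(path))["state"])
    return results


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:10s} {state}")
```

Pointing `inspect_autorun` at a real drive letter (for example `E:\`) gives the same three-way answer; a result of `suspicious-file` with a relative path in `open=` is the pattern worth keeping the Shift key held down for.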
     
  3. gluttony

    gluttony TS Rookie Topic Starter Posts: 37

    Logs

    Hello Broni. Thanks for taking on this project... now let's annihilate some malware!

    I tried to follow your instructions to the letter, but ran into some computer behavioral problems detailed below:

    1) Flash Disinfector would not run on the infected computer. After clicking it multiple times, "WinRAR self-extracting archive" windows popped up with the following messages: Cannot create nircmd.exe, Cannot create pv.exe, Cannot create Flash_Disinfector.exe. Also, Flash Disinfector behaved a little strangely on my friend's clean computer. After double-clicking, I was asked to insert drive. Inserted drive, screen went blank, screen returned, but I never got an option to "exit the program". Ran it a second time and got a dialogue box saying it had finished. Please advise as to whether I've inadvertently infected friend's PC.

    2) Avira scan said it found nothing but the log would not save, saying I could not access the drive. I worked around by pasting the contents of the .txt file into a new notepad file and saving. Also, after the scan, I got the following message: Avira Guard: Malware found 'TR/Dropper.Gen was found in file 'C:\Program Files\Common Files\... \0000NAV~.TMP'

    3) GMER would not run, giving me the following message: LoadDriver( "C:\DOCUME~1\SAMUEL~1.SAU\LOCALS~1\Temp\fxliqpow.sys") erroe 0x0000022: Acess is denied. I worked around it by running GMER in Safe Mode.

    4) At the end of the DDS run I got the following error on top of the logs: Windows Script Host Can Not find script file "C:\Documents and Settings\User Name\Local Settings\Temp\MSGB.PIF"

    That just about does it. So without further ado, here are the logs:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    12/7/2010 9:59:13 PM
    mbam-log-2010-12-07 (21-59-13).txt

    Scan type: Quick scan
    Objects scanned: 143542
    Time elapsed: 12 minute(s), 4 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-12-07 22:31:28
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST340014A rev.3.16
    Running: r86rzteq.exe; Driver: C:\DOCUME~1\SAMUEL~1.SAU\LOCALS~1\Temp\fxliqpow.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sectors 78124744 (+255): rootkit-like behavior;

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 82F30292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 82F30292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 82F30292
    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST340014A_______________________________3.16____#4a33375857534245202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----



    DDS (Ver_10-12-05.01) - NTFSx86
    Run by Samuel M. Saunders at 22:52:50.54 on Tue 12/07/2010
    Internet Explorer: 6.0.2900.5512

    ============== Running Processes ===============


    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uDefault_Page_URL = hxxp://www.dell4me.com/myway
    uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
    BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
    TB: Web assistant: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
    TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
    EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
    uRun: [CLRHost] c:\blp\api\office~1\bbxlcmd.exe
    uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
    uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    uRun: [EPSON Stylus NX400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiega.exe /fu "c:\windows\temp\E_SE1.tmp" /EF "HKCU"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [URLLSTCK.exe] c:\program files\norton internet security\UrlLstCk.exe
    mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\program files\whitesmoke translator\WSTrayDictMode.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wna3100\WNA3100.exe
    mPolicies-system: DisableCAD = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=67633
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1095036083890
    DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156591399140
    DPF: {6F750200-1362-4815-A476-88533DE61D0C} - hxxp://adobe.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38128.5721643519
    DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://sigremote.com/dana-cached/setup/JuniperSetupSP1.cab
    TCP: {9210EE3C-4238-4ADD-A7BC-EAC1DB945ED7} = 156.154.70.22,156.154.71.22
    TCP: {ABCCC484-D4E5-441D-84AE-52ADC2261EF3} = 156.154.70.22,156.154.71.22
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    Hosts: 91.212.127.226 osguardpro.microsoft.com
    Hosts: 91.212.127.226 os-guardpro.com
    Hosts: 91.212.127.226 www.os-guardpro.com

    ============= SERVICES / DRIVERS ===============


    =============== Created Last 30 ================

    2010-12-06 21:29:27 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
    2010-12-06 21:29:27 21504 ----a-w- c:\windows\system32\hidserv.dll
    2010-12-06 21:29:20 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
    2010-12-06 21:29:20 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
    2010-12-06 21:13:56 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
    2010-12-06 21:13:53 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
    2010-12-06 21:13:51 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
    2010-12-06 21:13:48 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
    2010-12-06 21:13:32 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
    2010-12-06 21:13:00 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
    2010-12-06 21:12:54 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
    2010-12-06 21:12:48 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
    2010-12-06 21:12:28 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
    2010-12-06 21:12:26 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
    2010-12-06 21:12:22 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
    2010-12-06 21:12:12 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
    2010-12-06 21:12:07 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
    2010-12-06 21:12:04 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
    2010-12-06 21:12:03 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
    2010-12-06 21:12:02 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
    2010-12-06 21:10:58 765884 -c--a-w- c:\windows\system32\dllcache\usrti.sys
    2010-12-06 21:09:59 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
    2010-12-06 21:08:56 230912 -c--a-w- c:\windows\system32\dllcache\tosdvd03.sys
    2010-12-06 21:07:58 103936 -c--a-w- c:\windows\system32\dllcache\sx.sys
    2010-12-06 21:06:57 37040 -c--a-w- c:\windows\system32\dllcache\sonypi.sys
    2010-12-06 21:05:54 63547 -c--a-w- c:\windows\system32\dllcache\sla30nd5.sys
    2010-12-06 21:04:59 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
    2010-12-06 21:03:57 179264 -c--a-w- c:\windows\system32\dllcache\s3sav3d.dll
    2010-12-06 21:02:54 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
    2010-12-06 21:01:59 121344 -c--a-w- c:\windows\system32\dllcache\phvfwext.dll
    2010-12-06 21:00:57 20480 -c--a-w- c:\windows\system32\dllcache\ovcomc.dll
    2010-12-06 21:00:54 351616 -c--a-w- c:\windows\system32\dllcache\ovcodek2.sys
    2010-12-06 21:00:51 116736 -c--a-w- c:\windows\system32\dllcache\ovcodec2.dll
    2010-12-06 21:00:49 31872 -c--a-w- c:\windows\system32\dllcache\ovce.sys
    2010-12-06 21:00:46 28032 -c--a-w- c:\windows\system32\dllcache\ovcd.sys
    2010-12-06 21:00:43 48000 -c--a-w- c:\windows\system32\dllcache\ovcam2.sys
    2010-12-06 21:00:40 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
    2010-12-06 21:00:38 54186 -c--a-w- c:\windows\system32\dllcache\otcsercb.sys
    2010-12-06 21:00:35 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
    2010-12-06 21:00:32 27209 -c--a-w- c:\windows\system32\dllcache\otc06x5.sys
    2010-12-06 21:00:29 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
    2010-12-06 21:00:25 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
    2010-12-06 21:00:02 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
    2010-12-06 20:58:57 59104 -c--a-w- c:\windows\system32\dllcache\n9i128v2.dll
    2010-12-06 20:57:56 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
    2010-12-06 20:57:54 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
    2010-12-06 20:57:53 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
    2010-12-06 20:57:43 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
    2010-12-06 20:57:40 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
    2010-12-06 20:57:19 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
    2010-12-06 20:57:09 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
    2010-12-06 20:57:08 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe
    2010-12-06 20:57:07 34304 -c--a-w- c:\windows\system32\dllcache\migisol.exe
    2010-12-06 20:57:03 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
    2010-12-06 20:57:01 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
    2010-12-06 20:57:00 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
    2010-12-06 20:57:00 92032 -c--a-w- c:\windows\system32\dllcache\mga.dll
    2010-12-06 20:55:58 26442 -c--a-w- c:\windows\system32\dllcache\lanepic5.sys
    2010-12-06 20:54:59 35328 -c--a-w- c:\windows\system32\dllcache\iprip.dll
    2010-12-06 20:53:58 38528 -c--a-w- c:\windows\system32\dllcache\ibmvcap.sys
    2010-12-06 20:52:59 150239 -c--a-w- c:\windows\system32\dllcache\hsf_amos.sys
    2010-12-06 20:51:57 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
    2010-12-06 20:50:58 7040 -c--a-w- c:\windows\system32\dllcache\exabyte2.sys
    2010-12-06 20:49:59 241206 -c--a-w- c:\windows\system32\dllcache\el656se5.sys
    2010-12-06 20:48:59 103044 -c--a-w- c:\windows\system32\dllcache\digidxb.sys
    2010-12-06 20:47:59 10240 -c--a-w- c:\windows\system32\dllcache\compbatt.sys
    2010-12-06 20:46:53 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
    2010-12-06 20:45:58 96128 -c--a-w- c:\windows\system32\dllcache\ati.dll
    2010-12-06 20:44:57 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
    2010-12-06 19:25:47 388096 ----a-r- c:\docume~1\samuel~1.sau\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2010-12-06 19:25:46 -------- d-----w- c:\program files\Trend Micro
    2010-12-05 01:25:28 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
    2010-12-05 01:25:28 24661 ----a-w- c:\windows\system32\spxcoins.dll
    2010-12-05 01:25:28 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
    2010-12-05 01:25:28 13312 ----a-w- c:\windows\system32\irclass.dll
    2010-12-04 17:04:49 -------- d-----w- c:\windows\Dell
    2010-11-30 08:12:57 -------- d-----w- c:\windows\java
    2010-11-30 05:12:37 348160 ----a-w- c:\windows\system32\msvc5364.rra
    2010-11-29 20:55:53 -------- d-----w- c:\docume~1\samuel~1.sau\applic~1\Avira
    2010-11-28 06:35:22 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2010-11-28 06:35:22 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-11-28 06:33:36 -------- d-----w- c:\program files\iTunes
    2010-11-24 23:26:11 -------- d-----w- c:\program files\iTunes(3)

    ==================== Find3M ====================

    2010-09-11 07:41:40 285480 ----a-w- c:\windows\system32\guard32.dll
    2009-08-13 15:11:17 17260 ----a-w- c:\program files\common files\malyle.bin

    ============= FINISH: 22:55:02.26 ===============



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-05.01)


    ==== Disk Partitions =========================


    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Atmosphere Player for Acrobat and Adobe Reader
    Adobe Flash Player 10 ActiveX
    Adobe Reader 8.1.2
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    Adobe® Photoshop® Album Starter Edition 3.0
    Adobe® Photoshop® Album Starter Edition 3.0.1
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Avira AntiVir Personal - Free Antivirus
    Banctec Service Agreement
    Bonjour
    BUM
    Business Contact Manager for Outlook 2003
    CC_ccProxyMSI
    CC_ccStart
    ccCommon
    COMODO Internet Security
    Compatibility Pack for the 2007 Office system
    Conexant D850 56K V.9x DFVc Modem
    Dell Networking Guide
    Digital Line Detect
    EPSON Scan
    EPSON Stylus NX400 Series Printer Uninstall
    Google Earth Plug-in
    Google Update Helper
    Help and Support Customization
    HiJackThis
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet
    Internet Explorer Default Page
    iTunes
    Java 2 Runtime Environment, SE v1.4.2
    KODAK EASYSHARE Gallery Easy Upload, v2.0
    KODAK EASYSHARE Gallery Upload ActiveX Control
    LiveReg (Symantec Corporation)
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft ActiveSync 4.0
    Microsoft Data Access Components KB870669
    Microsoft Office Small Business Edition 2003
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Modem Helper
    MSRedist
    NETGEAR WNA3100 wireless USB 2.0 adapter
    NetWaiting
    Norton AntiSpam
    Norton AntiVirus
    Norton Internet Security
    Norton Internet Security (Symantec Corporation)
    NVIDIA Windows 2000/XP Display Drivers
    OGA Notifier 2.0.0048.0
    Panda ActiveScan 2.0
    QuickTime
    RealPlayer
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    SUPERAntiSpyware
    Symantec Script Blocking Installer
    TD AMERITRADE StrategyDesk 3.4
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    WebFldrs XP
    Whitesmoke Translator
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage v1.3.0254.0
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Media Format 11 runtime
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Media Player 11

    ==== End Of File ===========================
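The three `Hosts:` lines in the DDS pseudo-HJT report above are a textbook hosts-file hijack: a Microsoft sub-domain and two unrelated domains all pinned to one routable address, 91.212.127.226, which overrides DNS for those names on the infected machine. The script below is an added example, not output of DDS or any other tool in this thread; it parses hosts-file text and flags mappings to routable addresses, weighting a name that sits under a vendor domain or shares its address with other names. The sample hosts text is constructed from those three log lines plus a loopback line and a blocklist-style entry, and the vendor-domain list is an illustrative assumption.

```python
"""Flag hosts-file entries that hijack name resolution (added example, not a DDS feature)."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: XP's default line, the three entries from the DDS log above,
# and a blocklist-style sinkhole entry that is a legitimate use of the hosts file.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
91.212.127.226 osguardpro.microsoft.com
91.212.127.226 os-guardpro.com
91.212.127.226 www.os-guardpro.com
0.0.0.0 ads.example.invalid   # sinkholed on purpose
"""

# Assumed vendor domains a hosts file has no business pinning to a routable address.
VENDOR_DOMAINS = ("microsoft.com", "windowsupdate.com", "symantec.com",
                  "avira.com", "malwarebytes.org")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments and malformed lines are skipped."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address in the first column
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries


def under_domain(name: str, domain: str) -> bool:
    """True when name is domain itself or a sub-domain of it."""
    return name == domain or name.endswith("." + domain)


def find_suspicious(text: str, vendor_domains=VENDOR_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (ip, hostname, reason) for every entry that deserves a look."""
    entries = parse_hosts(text)
    names_by_ip: Dict[str, List[str]] = defaultdict(list)
    for ip, name in entries:
        names_by_ip[ip].append(name)
    findings: List[Tuple[str, str, str]] = []
    for ip, name in entries:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified or addr.is_private:
            continue  # sinkhole and LAN entries: the hosts file's legitimate uses
        reasons = []
        if any(under_domain(name, d) for d in vendor_domains):
            reasons.append("pins a vendor domain to a routable address")
        others = len(names_by_ip[ip]) - 1
        if others:
            reasons.append(f"shares its routable address with {others} other name(s)")
        if not reasons:
            reasons.append("resolves to a routable address; review")
        findings.append((ip, name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for ip, name, reason in find_suspicious(SAMPLE_HOSTS):
        print(f"{ip:16s} {name:28s} {reason}")
```

On an XP box the file to feed in is `C:\WINDOWS\system32\drivers\etc\hosts`; an empty result means every entry is loopback, unspecified, or private, which is what a default or blocklist-only hosts file looks like.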
     
  4. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    I thought I clearly said to install it on GOOD (your friend) computer to avoid it being infected through USB stick.

    ======================================================================

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

    ======================================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.
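GMER's report in the post above flagged the MBR (sector 0, labelled TDL4) and a run of sectors near the end of the disk, and MBRCheck, the next step here, compares the boot sector's code against known-good versions. The Python below is an added example, not MBRCheck's or GMER's logic; it parses a 512-byte MBR, fingerprints the 440-byte bootstrap area with SHA-256 for comparison against a baseline set, and reports overlapping partitions and the unpartitioned tail of the disk, which is where TDL4-style bootkits keep the rest of their code. The sample MBRs, their boot code, the baseline digest and the assumed disk size (78165360 sectors) are all constructed for the demonstration; the single partition is laid out so that the unpartitioned tail begins at LBA 78124744, the sector range GMER flagged.

```python
"""Parse an MBR, fingerprint its boot code, and report layout anomalies (added example)."""
import hashlib
import struct
from typing import Dict, List, Set, Tuple

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439: bootstrap code, the part a bootkit overwrites
PART_TABLE_OFF = 446     # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_partitions(mbr: bytes) -> List[Dict[str, int]]:
    """Decode the four partition-table entries, skipping empty ones."""
    if len(mbr) != SECTOR or mbr[510:512] != SIGNATURE:
        raise ValueError("not an MBR: wrong size or missing 0x55AA signature")
    parts: List[Dict[str, int]] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, start, count = struct.unpack("<B3xB3xII", mbr[off:off + 16])
        if ptype == 0 and count == 0:
            continue
        parts.append({"index": i, "active": int(status == 0x80), "type": ptype,
                      "start": start, "end": start + count - 1})
    return parts


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the bootstrap area, the value a baseline comparison keys on."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def assess(mbr: bytes, disk_sectors: int, known_good: Set[str]) -> Dict[str, object]:
    """Compare boot code with the baseline and check the partition layout."""
    parts = parse_partitions(mbr)
    findings: List[str] = []
    digest = boot_code_digest(mbr)
    if digest not in known_good:
        findings.append("boot code does not match any baseline digest")
    ordered = sorted(parts, key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["start"] <= a["end"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    last_end = max((p["end"] for p in parts), default=-1)
    tail = disk_sectors - 1 - last_end
    if tail > 0:
        findings.append(f"{tail} unpartitioned sectors after the last partition "
                        f"(from LBA {last_end + 1})")
    return {"digest": digest, "partitions": parts, "findings": findings}


def build_sample_mbr(boot_code: bytes, partitions: List[Tuple[bool, int, int, int]]) -> bytes:
    """Assemble a constructed MBR from boot code and (active, type, start, count) tuples."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    mbr = bytearray(SECTOR)
    mbr[:BOOT_CODE_LEN] = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    mbr[440:444] = b"\x12\x34\x56\x78"  # constructed disk signature
    for i, (active, ptype, start, count) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        mbr[off:off + 16] = struct.pack("<B3sB3sII", 0x80 if active else 0x00,
                                        b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


# Constructed stand-ins: not real Windows boot code, and not the drive in this thread.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0" + b"\x90" * 437
BASELINE_DIGESTS = {hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()}
DISK_SECTORS = 78165360  # assumed 40 GB geometry
# One NTFS partition (type 0x07) from LBA 63 to LBA 78124743, so the unpartitioned
# tail begins at LBA 78124744.
LAYOUT = [(True, 0x07, 63, 78124681)]
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, LAYOUT)
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + CLEAN_BOOT_CODE[2:], LAYOUT)

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        result = assess(mbr, DISK_SECTORS, BASELINE_DIGESTS)
        print(label, result["digest"][:16], result["findings"])
```

A real baseline set would hold digests of the boot code Windows XP, Dell's recovery tools and other legitimate boot managers write; an unpartitioned tail on its own is normal (most disks have one), so the finding to act on is a digest mismatch, with the tail reported only to show where a bootkit's hidden storage would sit.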
     
  5. gluttony

    gluttony TS Rookie Topic Starter Posts: 37

    2010/12/10 12:36:40.0328 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40
    2010/12/10 12:36:40.0328 ================================================================================
    2010/12/10 12:36:40.0328 SystemInfo:
    2010/12/10 12:36:40.0328
    2010/12/10 12:36:40.0328 OS Version: 5.1.2600 ServicePack: 3.0
    2010/12/10 12:36:40.0328 Product type: Workstation
    2010/12/10 12:36:40.0328 ComputerName: GLUTTONY
    2010/12/10 12:36:40.0328 UserName: Samuel M. Saunders
    2010/12/10 12:36:40.0328 Windows directory: C:\WINDOWS
    2010/12/10 12:36:40.0328 System windows directory: C:\WINDOWS
    2010/12/10 12:36:40.0328 Processor architecture: Intel x86
    2010/12/10 12:36:40.0328 Number of processors: 1
    2010/12/10 12:36:40.0328 Page size: 0x1000
    2010/12/10 12:36:40.0328 Boot type: Normal boot
    2010/12/10 12:36:40.0328 ================================================================================
    2010/12/10 12:36:40.0937 Initialize success
    2010/12/10 12:36:49.0609 ================================================================================
    2010/12/10 12:36:49.0609 Scan started
    2010/12/10 12:36:49.0609 Mode: Manual;
    2010/12/10 12:36:49.0609 ================================================================================
    2010/12/10 12:36:50.0562 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS
    2010/12/10 12:36:50.0750 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2010/12/10 12:36:50.0875 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2010/12/10 12:36:51.0031 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\System32\DRIVERS\adpu160m.sys
    2010/12/10 12:36:51.0187 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
    2010/12/10 12:36:51.0328 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2010/12/10 12:36:51.0484 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys
    2010/12/10 12:36:51.0609 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
    2010/12/10 12:36:51.0750 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\System32\DRIVERS\agpCPQ.sys
    2010/12/10 12:36:51.0859 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\System32\DRIVERS\aha154x.sys
    2010/12/10 12:36:52.0046 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\System32\DRIVERS\aic78u2.sys
    2010/12/10 12:36:52.0203 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\System32\DRIVERS\aic78xx.sys
    2010/12/10 12:36:52.0328 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\System32\DRIVERS\aliide.sys
    2010/12/10 12:36:52.0453 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\System32\DRIVERS\alim1541.sys
    2010/12/10 12:36:52.0562 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\System32\DRIVERS\amdagp.sys
    2010/12/10 12:36:52.0718 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\System32\DRIVERS\amsint.sys
    2010/12/10 12:36:52.0890 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\System32\DRIVERS\asc.sys
    2010/12/10 12:36:53.0046 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\System32\DRIVERS\asc3350p.sys
    2010/12/10 12:36:53.0187 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\System32\DRIVERS\asc3550.sys
    2010/12/10 12:36:53.0390 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2010/12/10 12:36:53.0531 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2010/12/10 12:36:53.0703 ati2mtag (8759322ffc1a50569c1e5528ee8026b7) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    2010/12/10 12:36:53.0890 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2010/12/10 12:36:54.0031 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2010/12/10 12:36:54.0187 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    2010/12/10 12:36:54.0312 avgntflt (1eb7d72a82f94f7e9496d363fce00b68) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
    2010/12/10 12:36:54.0437 avipbb (f8c56231ed5ecf7d1b46b0330880ccef) C:\WINDOWS\system32\DRIVERS\avipbb.sys
    2010/12/10 12:36:54.0640 BCMH43XX (b770039886598aab7cf5eaeec2409e31) C:\WINDOWS\system32\DRIVERS\bcmwlhigh5.sys
    2010/12/10 12:36:54.0859 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2010/12/10 12:36:55.0031 BVRPMPR5 (248dfa5762dde38dfddbbd44149e9d7a) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
    2010/12/10 12:36:55.0250 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\System32\DRIVERS\cbidf2k.sys
    2010/12/10 12:36:55.0359 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2010/12/10 12:36:55.0500 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\System32\DRIVERS\cd20xrnt.sys
    2010/12/10 12:36:55.0656 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2010/12/10 12:36:55.0781 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2010/12/10 12:36:55.0937 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2010/12/10 12:36:56.0234 cmdGuard (bbe9f023dfd2c4d2755da3fa47e4da08) C:\WINDOWS\system32\DRIVERS\cmdguard.sys
    2010/12/10 12:36:56.0359 cmdHlp (111e6755acb5f236e2465e24508f6367) C:\WINDOWS\system32\DRIVERS\cmdhlp.sys
    2010/12/10 12:36:56.0453 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\System32\DRIVERS\cmdide.sys
    2010/12/10 12:36:56.0593 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\System32\DRIVERS\cpqarray.sys
    2010/12/10 12:36:56.0718 CVirtA (72f820e457bc8a1c61aeb86df89dd41a) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
    2010/12/10 12:36:56.0875 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\System32\DRIVERS\dac2w2k.sys
    2010/12/10 12:36:57.0046 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\System32\DRIVERS\dac960nt.sys
    2010/12/10 12:36:57.0250 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2010/12/10 12:36:57.0375 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2010/12/10 12:36:57.0609 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
    2010/12/10 12:36:57.0750 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2010/12/10 12:36:57.0875 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2010/12/10 12:36:58.0015 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\System32\DRIVERS\dpti2o.sys
    2010/12/10 12:36:58.0187 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2010/12/10 12:36:58.0343 E100B (98b46b331404a951cabad8b4877e1276) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    2010/12/10 12:36:58.0500 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
    2010/12/10 12:36:58.0671 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2010/12/10 12:36:58.0812 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2010/12/10 12:36:58.0953 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2010/12/10 12:36:59.0078 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2010/12/10 12:36:59.0234 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2010/12/10 12:36:59.0343 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2010/12/10 12:36:59.0500 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2010/12/10 12:36:59.0609 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
    2010/12/10 12:36:59.0781 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2010/12/10 12:36:59.0921 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2010/12/10 12:37:00.0046 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\System32\DRIVERS\hpn.sys
    2010/12/10 12:37:00.0234 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
    2010/12/10 12:37:00.0406 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
    2010/12/10 12:37:00.0656 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
    2010/12/10 12:37:00.0843 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
    2010/12/10 12:37:00.0984 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\System32\DRIVERS\i2omp.sys
    2010/12/10 12:37:01.0156 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2010/12/10 12:37:01.0296 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
    2010/12/10 12:37:01.0468 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
    2010/12/10 12:37:01.0625 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
    2010/12/10 12:37:01.0750 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
    2010/12/10 12:37:01.0890 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
    2010/12/10 12:37:02.0015 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
    2010/12/10 12:37:02.0187 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
    2010/12/10 12:37:02.0312 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
    2010/12/10 12:37:02.0531 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
    2010/12/10 12:37:02.0656 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
    2010/12/10 12:37:02.0843 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2010/12/10 12:37:03.0015 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\System32\DRIVERS\ini910u.sys
    2010/12/10 12:37:03.0140 Inspect (343ac4733c1e8b7ab6454178e4fcd4ad) C:\WINDOWS\system32\DRIVERS\inspect.sys
    2010/12/10 12:37:03.0312 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\System32\DRIVERS\intelide.sys
    2010/12/10 12:37:03.0484 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2010/12/10 12:37:03.0625 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2010/12/10 12:37:03.0781 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2010/12/10 12:37:03.0921 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2010/12/10 12:37:04.0046 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2010/12/10 12:37:04.0234 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2010/12/10 12:37:04.0406 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2010/12/10 12:37:04.0546 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2010/12/10 12:37:04.0687 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2010/12/10 12:37:04.0859 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2010/12/10 12:37:05.0015 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
    2010/12/10 12:37:05.0250 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
    2010/12/10 12:37:05.0421 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2010/12/10 12:37:05.0593 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2010/12/10 12:37:05.0718 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
    2010/12/10 12:37:05.0859 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
    2010/12/10 12:37:06.0000 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2010/12/10 12:37:06.0140 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2010/12/10 12:37:06.0281 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\System32\DRIVERS\mraid35x.sys
    2010/12/10 12:37:06.0421 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2010/12/10 12:37:06.0593 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2010/12/10 12:37:06.0765 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2010/12/10 12:37:06.0890 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2010/12/10 12:37:07.0000 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2010/12/10 12:37:07.0125 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2010/12/10 12:37:07.0312 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2010/12/10 12:37:07.0468 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2010/12/10 12:37:07.0687 NAVENG (33f1e35e6d090b6cea1f5f5f4d79fcbb) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040809.037\NAVENG.Sys
    2010/12/10 12:37:07.0921 NAVEX15 (db4e799a537535499394a530f1c3a872) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040809.037\NavEx15.Sys
    2010/12/10 12:37:08.0078 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2010/12/10 12:37:08.0203 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2010/12/10 12:37:08.0390 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2010/12/10 12:37:08.0562 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2010/12/10 12:37:08.0718 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2010/12/10 12:37:08.0875 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2010/12/10 12:37:09.0015 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2010/12/10 12:37:09.0250 NPF (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\DRIVERS\npf.sys
    2010/12/10 12:37:09.0421 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2010/12/10 12:37:09.0578 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2010/12/10 12:37:09.0765 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2010/12/10 12:37:09.0953 nv (66c90afbf0d10a93789f6544be459e72) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2010/12/10 12:37:10.0171 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2010/12/10 12:37:10.0312 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2010/12/10 12:37:10.0484 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
    2010/12/10 12:37:10.0656 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
    2010/12/10 12:37:10.0828 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2010/12/10 12:37:11.0046 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2010/12/10 12:37:11.0171 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2010/12/10 12:37:11.0312 pavboot (3adb8bd6154a3ef87496e8fce9c22493) C:\WINDOWS\system32\drivers\pavboot.sys
    2010/12/10 12:37:11.0437 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2010/12/10 12:37:11.0640 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2010/12/10 12:37:11.0765 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2010/12/10 12:37:12.0171 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\System32\DRIVERS\perc2.sys
    2010/12/10 12:37:12.0328 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\System32\DRIVERS\perc2hib.sys
    2010/12/10 12:37:12.0546 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2010/12/10 12:37:12.0718 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    2010/12/10 12:37:12.0906 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2010/12/10 12:37:13.0031 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2010/12/10 12:37:13.0171 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\System32\DRIVERS\ql1080.sys
    2010/12/10 12:37:13.0312 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\System32\DRIVERS\ql10wnt.sys
    2010/12/10 12:37:13.0484 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\System32\DRIVERS\ql12160.sys
    2010/12/10 12:37:13.0625 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\System32\DRIVERS\ql1240.sys
    2010/12/10 12:37:13.0781 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\System32\DRIVERS\ql1280.sys
    2010/12/10 12:37:13.0953 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2010/12/10 12:37:14.0078 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2010/12/10 12:37:14.0250 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2010/12/10 12:37:14.0406 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2010/12/10 12:37:14.0593 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2010/12/10 12:37:14.0734 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2010/12/10 12:37:14.0875 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2010/12/10 12:37:15.0109 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2010/12/10 12:37:15.0296 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2010/12/10 12:37:15.0578 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    2010/12/10 12:37:15.0812 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    2010/12/10 12:37:16.0015 SAVRT (7a1dcba368dacb5ca41e40f97f43aaa8) C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRT.SYS
    2010/12/10 12:37:16.0140 SAVRTPEL (395df1ccad06b8d47f2d78c2d78f4cd5) C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRTPEL.SYS
    2010/12/10 12:37:16.0343 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2010/12/10 12:37:16.0546 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2010/12/10 12:37:16.0718 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2010/12/10 12:37:16.0906 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2010/12/10 12:37:17.0109 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\System32\DRIVERS\sisagp.sys
    2010/12/10 12:37:17.0281 smwdm (5018a9db5eb62e3edb3110f82f556285) C:\WINDOWS\system32\drivers\smwdm.sys
    2010/12/10 12:37:17.0484 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\System32\DRIVERS\sparrow.sys
    2010/12/10 12:37:17.0625 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2010/12/10 12:37:17.0765 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2010/12/10 12:37:17.0921 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
    2010/12/10 12:37:18.0062 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
    2010/12/10 12:37:18.0265 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2010/12/10 12:37:18.0406 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2010/12/10 12:37:18.0562 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\System32\DRIVERS\symc810.sys
    2010/12/10 12:37:18.0734 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\System32\DRIVERS\symc8xx.sys
    2010/12/10 12:37:18.0875 SYMDNS (2287d8411157815dd202a4f133ae482d) C:\WINDOWS\System32\Drivers\SYMDNS.SYS
    2010/12/10 12:37:19.0031 SymEvent (05d9613efe7809e384c10da26958dfa4) C:\Program Files\Symantec\SYMEVENT.SYS
    2010/12/10 12:37:19.0171 SYMFW (11e32c865f1dfe7c0986900ec7aeb4b8) C:\WINDOWS\System32\Drivers\SYMFW.SYS
    2010/12/10 12:37:19.0312 SYMIDS (157e49ab4f9ccce37361b28ac25096a9) C:\WINDOWS\System32\Drivers\SYMIDS.SYS
    2010/12/10 12:37:19.0453 SYMIDSCO (e9fb63f2fcf05c452dde7280790f37f7) C:\WINDOWS\System32\Drivers\SYMIDSCO.SYS
    2010/12/10 12:37:19.0640 SYMNDIS (ef3ad6fc8a1ef592e4e6409a4b4f4c3a) C:\WINDOWS\System32\Drivers\SYMNDIS.SYS
    2010/12/10 12:37:19.0781 SYMREDRV (121448e97995a6828422cd897c5c7456) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
    2010/12/10 12:37:19.0937 SYMTDI (42bc4d0917737debe50df861fe8cdcb9) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
    2010/12/10 12:37:20.0093 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\System32\DRIVERS\sym_hi.sys
    2010/12/10 12:37:20.0250 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\System32\DRIVERS\sym_u3.sys
    2010/12/10 12:37:20.0406 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2010/12/10 12:37:20.0640 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2010/12/10 12:37:20.0859 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2010/12/10 12:37:21.0015 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2010/12/10 12:37:21.0125 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2010/12/10 12:37:21.0281 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\System32\DRIVERS\toside.sys
    2010/12/10 12:37:21.0421 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2010/12/10 12:37:21.0578 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\System32\DRIVERS\ultra.sys
    2010/12/10 12:37:21.0734 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2010/12/10 12:37:21.0937 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
    2010/12/10 12:37:22.0140 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2010/12/10 12:37:22.0312 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2010/12/10 12:37:22.0453 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2010/12/10 12:37:22.0625 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2010/12/10 12:37:22.0765 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2010/12/10 12:37:22.0875 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2010/12/10 12:37:23.0031 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2010/12/10 12:37:23.0125 usb_rndisx (b6cc50279d6cd28e090a5d33244adc9a) C:\WINDOWS\system32\DRIVERS\usb8023x.sys
    2010/12/10 12:37:23.0265 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2010/12/10 12:37:23.0406 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\System32\DRIVERS\viaagp.sys
    2010/12/10 12:37:23.0593 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\System32\DRIVERS\viaide.sys
    2010/12/10 12:37:23.0796 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2010/12/10 12:37:23.0968 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2010/12/10 12:37:24.0171 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
    2010/12/10 12:37:24.0453 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2010/12/10 12:37:24.0687 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
    2010/12/10 12:37:25.0062 WpdUsb (c1b3d9d75c3fb735f5fa3a5806aded57) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
    2010/12/10 12:37:25.0265 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2010/12/10 12:37:25.0406 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2010/12/10 12:37:25.0593 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2010/12/10 12:37:25.0843 ================================================================================
    2010/12/10 12:37:25.0843 Scan finished
    2010/12/10 12:37:25.0843 ================================================================================
    2010/12/10 12:37:25.0875 Detected object count: 1
    2010/12/10 12:37:36.0500 \HardDisk0 - will be cured after reboot
    2010/12/10 12:37:36.0515 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
    2010/12/10 12:38:06.0671 Deinitialize success


    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000001d

    Kernel Drivers (total 139):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EE000 \WINDOWS\system32\hal.dll
    0xF8C36000 \WINDOWS\system32\KDCOM.DLL
    0xF8B46000 \WINDOWS\system32\BOOTVID.dll
    0xF86E7000 ACPI.sys
    0xF8C38000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF86D6000 pci.sys
    0xF8736000 isapnp.sys
    0xF8CFE000 pciide.sys
    0xF89B6000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF8746000 MountMgr.sys
    0xF86B7000 ftdisk.sys
    0xF8C3A000 dmload.sys
    0xF8691000 dmio.sys
    0xF89BE000 PartMgr.sys
    0xF89C6000 pavboot.sys
    0xF8756000 VolSnap.sys
    0xF8679000 atapi.sys
    0xF8766000 disk.sys
    0xF8776000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xF8659000 fltmgr.sys
    0xF8647000 sr.sys
    0xF8630000 KSecDD.sys
    0xF861D000 WudfPf.sys
    0xF8590000 Ntfs.sys
    0xF857B000 inspect.sys
    0xF854E000 \WINDOWS\System32\DRIVERS\NDIS.SYS
    0xF89CE000 \WINDOWS\System32\DRIVERS\TDI.SYS
    0xF8534000 Mup.sys
    0xF8786000 agp440.sys
    0xF89A6000 \SystemRoot\System32\DRIVERS\intelppm.sys
    0xF83A6000 \SystemRoot\System32\DRIVERS\nv4_mini.sys
    0xF8392000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
    0xF8A86000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF836E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF8A8E000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF833A000 \SystemRoot\System32\DRIVERS\HSFHWBS2.sys
    0xF8317000 \SystemRoot\System32\DRIVERS\ks.sys
    0xF8218000 \SystemRoot\System32\DRIVERS\HSF_DP.sys
    0xF8171000 \SystemRoot\System32\DRIVERS\HSF_CNXT.sys
    0xF8A96000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF814D000 \SystemRoot\System32\DRIVERS\e100b325.sys
    0xF8A9E000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xF87A6000 \SystemRoot\System32\DRIVERS\i8042prt.sys
    0xF8AA6000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xF8AAE000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xF87B6000 \SystemRoot\system32\DRIVERS\serial.sys
    0xF8C06000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xF8139000 \SystemRoot\System32\DRIVERS\parport.sys
    0xF87C6000 \SystemRoot\System32\DRIVERS\imapi.sys
    0xF87D6000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xF87E6000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xF8AB6000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0xF80AB000 \SystemRoot\system32\drivers\smwdm.sys
    0xF8087000 \SystemRoot\system32\drivers\portcls.sys
    0xF87F6000 \SystemRoot\system32\drivers\drmk.sys
    0xF8C5C000 \SystemRoot\system32\drivers\aeaudio.sys
    0xF8DD8000 \SystemRoot\System32\DRIVERS\audstub.sys
    0xF8806000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xF8C0E000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xF8070000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xF8816000 \SystemRoot\System32\DRIVERS\raspppoe.sys
    0xF8826000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xF805F000 \SystemRoot\System32\DRIVERS\psched.sys
    0xF8836000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xF8ABE000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xF8AC6000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xF8007000 \SystemRoot\System32\DRIVERS\rdpdr.sys
    0xF8846000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xF8C5E000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xF7FA9000 \SystemRoot\System32\DRIVERS\update.sys
    0xF8ACE000 \SystemRoot\System32\DRIVERS\omci.sys
    0xF8C26000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xF8896000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF88A6000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF8C66000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF84DF000 \SystemRoot\system32\drivers\MODEMCSA.sys
    0xF8AD6000 \SystemRoot\System32\DRIVERS\flpydisk.sys
    0xF8BDE000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xEED55000 \SystemRoot\System32\DRIVERS\cmdguard.sys
    0xEED04000 \??\C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRT.SYS
    0xEECF1000 \??\C:\Program Files\Symantec\SYMEVENT.SYS
    0xF88D6000 \??\C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRTPEL.SYS
    0xF8C6A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF8DBD000 \SystemRoot\System32\Drivers\Null.SYS
    0xF8C6C000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF8AEE000 \SystemRoot\System32\drivers\vga.sys
    0xF8C7E000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF8C80000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF8AF6000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF8AFE000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF8057000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xEEC00000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xEEBA7000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xF8B06000 \SystemRoot\System32\DRIVERS\cmdhlp.sys
    0xEEB67000 \SystemRoot\System32\Drivers\SYMTDI.SYS
    0xF804F000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
    0xF8C86000 \SystemRoot\System32\Drivers\SYMDNS.SYS
    0xF8906000 \SystemRoot\System32\Drivers\SYMNDIS.SYS
    0xEEB3F000 \SystemRoot\System32\Drivers\SYMFW.SYS
    0xEEB19000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF8916000 \SystemRoot\System32\Drivers\SYMIDS.SYS
    0xEEAF0000 \SystemRoot\System32\Drivers\SYMIDSCO.SYS
    0xEEAC8000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xEEAA6000 \SystemRoot\System32\drivers\afd.sys
    0xF8926000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xF8B0E000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0xEEA84000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    0xF8B16000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xF8956000 \SystemRoot\System32\DRIVERS\wanarp.sys
    0xEEA59000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xEE9E9000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xF8966000 \SystemRoot\System32\Drivers\Fips.SYS
    0xEE9C6000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0xF8C98000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    0xF8986000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xEE8E6000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF8CB4000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF8BDA000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF8B36000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF8D50000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xEE39A000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0xEE322000 \SystemRoot\System32\DRIVERS\ndisuio.sys
    0xEE075000 \SystemRoot\System32\DRIVERS\mrxdav.sys
    0xF8C90000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xEDF48000 \SystemRoot\system32\drivers\wdmaud.sys
    0xEE122000 \SystemRoot\system32\drivers\sysaudio.sys
    0xEDB30000 \SystemRoot\System32\DRIVERS\srv.sys
    0xEDC7E000 \SystemRoot\System32\DRIVERS\mdmxsdk.sys
    0xED37D000 \SystemRoot\System32\Drivers\HTTP.sys
    0xED359000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xF8A66000 \SystemRoot\System32\DRIVERS\USBSTOR.SYS
    0xEC307000 \SystemRoot\system32\drivers\kmixer.sys
    0xEC271000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040809.037\NavEx15.Sys
    0xEC3C2000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040809.037\NAVENG.Sys
    0x7C900000 \WINDOWS\SYSTEM32\ntdll.dll

    Processes (total 48):
    0 System Idle Process
    4 System
    612 C:\WINDOWS\SYSTEM32\smss.exe
    688 csrss.exe
    744 C:\WINDOWS\SYSTEM32\winlogon.exe
    788 C:\WINDOWS\SYSTEM32\services.exe
    800 C:\WINDOWS\SYSTEM32\lsass.exe
    964 C:\WINDOWS\SYSTEM32\svchost.exe
    1028 svchost.exe
    1068 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    1092 C:\WINDOWS\SYSTEM32\svchost.exe
    1280 C:\WINDOWS\SYSTEM32\svchost.exe
    1440 svchost.exe
    1464 svchost.exe
    1532 C:\WINDOWS\SYSTEM32\LEXBCES.EXE
    1564 C:\WINDOWS\SYSTEM32\spoolsv.exe
    1576 C:\WINDOWS\SYSTEM32\LEXPPS.EXE
    1628 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1748 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    1768 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    1780 C:\Program Files\Bonjour\mDNSResponder.exe
    1792 C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
    1808 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    184 C:\Program Files\Google\Update\GoogleUpdate.exe
    252 C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
    420 C:\WINDOWS\explorer.exe
    508 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    664 C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    996 C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
    1228 C:\WINDOWS\SYSTEM32\nvsvc32.exe
    1448 C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    1988 C:\WINDOWS\SYSTEM32\svchost.exe
    2004 C:\Program Files\Viewpoint\Common\ViewpointService.exe
    2020 C:\Program Files\NETGEAR\WNA3100\WifiSvc.exe
    2128 C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
    2348 C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
    2424 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    2472 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    2644 C:\Program Files\iTunes\iTunesHelper.exe
    2664 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    2716 C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    2736 C:\WINDOWS\SYSTEM32\ctfmon.exe
    2868 C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    3164 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    3200 C:\Program Files\Digital Line Detect\DLG.exe
    3432 C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    3692 C:\Program Files\iPod\bin\iPodService.exe
    408 C:\Documents and Settings\Samuel M. Saunders\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00 (NTFS)

    PhysicalDrive0 Model Number: ST340014A, Rev: 3.16

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
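A note on what these two logs are checking, with an added example (not part of the original post or of either tool): TDSSKiller reported the detection against \HardDisk0 rather than against a file, and MBRCheck then read sector 0, identified the bootstrap code as standard Windows XP MBR code and printed its SHA1. The script below does the same kind of check offline in Python: read the first 512 bytes of a disk or image, verify the 0x55AA signature, hash the 440-byte bootstrap code area, compare it against a list of known-good hashes, parse the partition table, and flag a large unpartitioned tail after the last partition. The sample sector is constructed here; the Dell utility partition (type 0xDE), the disk sector count and the seeded known-good list are assumptions, and only the C: start LBA (0x02738a00 / 512 = 80325) is taken from the MBRCheck output above. The exact byte range MBRCheck hashes is not documented on this page, so do not compare this script's digest with the SHA1 MBRCheck printed.

```python
"""Offline MBR sanity check: hash the bootstrap code and parse the partition table."""
import hashlib
import struct

SECTOR_SIZE = 512
MBR_CODE_LEN = 440           # bootstrap code; the 4-byte disk signature starts at 440
PART_TABLE_OFFSET = 446
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"


def read_mbr(path):
    """Read sector 0 of a raw device or image (e.g. \\\\.\\PhysicalDrive0 or disk.img); needs admin/root."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def mbr_code_sha1(sector):
    """SHA1 of the bootstrap code only, so partition-table edits do not change the hash."""
    return hashlib.sha1(sector[:MBR_CODE_LEN]).hexdigest().upper()


def parse_partition_table(sector):
    """Return the non-empty entries of the four-slot MBR partition table."""
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE_OFFSET + i * PART_ENTRY_LEN)
        if ptype == 0 and sectors == 0:
            continue
        entries.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(sector, known_good_sha1, disk_sectors=None, min_tail_sectors=2048):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(sector), SECTOR_SIZE)]
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = mbr_code_sha1(sector)
    if digest not in known_good_sha1:
        findings.append("MBR code not in the known-good list (SHA1 %s)" % digest)
    parts = parse_partition_table(sector)
    bootable = sum(p["bootable"] for p in parts)
    if bootable != 1:
        findings.append("expected exactly one bootable partition, found %d" % bootable)
    if disk_sectors is not None and parts:
        # Space after the last partition is where a bootkit can park data outside any file system.
        last_end = max(p["lba_start"] + p["sectors"] for p in parts)
        tail = disk_sectors - last_end
        if tail >= min_tail_sectors:
            findings.append("%d unpartitioned sectors after the last partition" % tail)
    return findings


def build_sample_mbr(code, partitions):
    """Constructed test sector: code bytes, entries as (status, type, lba_start, sectors), signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFFSET + i * PART_ENTRY_LEN,
                         status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample data (not read from the poster's disk). LBA 80325 is the C: offset from the
# MBRCheck output; the 0xDE entry in front of it and the disk size are assumptions.
DISK_SECTORS = 78_165_360
LAYOUT = [(0x00, 0xDE, 63, 80_262), (0x80, 0x07, 80_325, 78_085_035)]
CLEAN_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (MBR_CODE_LEN - 7)
CLEAN_MBR = build_sample_mbr(CLEAN_CODE, LAYOUT)
# In practice this set holds hashes collected from known-clean installs; here it is seeded from the sample.
KNOWN_GOOD = {mbr_code_sha1(CLEAN_MBR)}
# Same partition table, but the first bytes of the bootstrap code replaced (a constructed "infection").
INFECTED_MBR = build_sample_mbr(b"\xEB\x3E\x90" + CLEAN_CODE[3:], LAYOUT)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, check_mbr(sector, KNOWN_GOOD, DISK_SECTORS) or ["ok"])
```

On a live machine you would call `check_mbr(read_mbr(r"\\.\PhysicalDrive0"), known_good, disk_sectors)` from an elevated prompt, ideally from a clean boot medium, since a bootkit that is already running can filter what the disk read returns; that is also why tools in this class are run before trusting any in-OS scan result.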
     
  6. Broni

    Broni (Malware Annihilator)

    Good job :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
    Use AVG Remover to uninstall it: http://www.avg.com/us-en/download-tools
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.pif
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  7. gluttony

    gluttony TS Rookie Topic Starter Posts: 37

    Thanks Broni. I cannot follow the above instructions exactly. I do not have Internet access, so I can't download directly to desktop. Will a copy from USB to desktop work?
     
  8. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Absolutely.
     
  9. gluttony

    gluttony TS Rookie Topic Starter Posts: 37

    Hi Broni. I hope you had a wonderful weekend. FYI:

    1) ComboFix wouldn't run in Normal mode. Claimed it was a corrupt version. It ran in Safe Mode.

    2) Rkill.pif appears to be a broken link.

    Please find ComboFix log below:

    ComboFix 10-12-13.02 - Samuel M. Saunders 12/13/2010 18:29:42.1.1 - x86 MINIMAL
    Running from: c:\documents and settings\Samuel M. Saunders\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Kittie\Desktop\movieland.url
    c:\documents and settings\Samuel M. Saunders\Application Data\Install.dat
    c:\windows\system32\comrepl.exe
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\Packet.dll
    c:\windows\system32\pthreadVC.dll
    c:\windows\system32\wpcap.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_6TO4
    -------\Legacy_NPF
    -------\Service_6to4
    -------\Service_NPF


    ((((((((((((((((((((((((( Files Created from 2010-11-14 to 2010-12-14 )))))))))))))))))))))))))))))))
    .

    2010-12-06 21:29 . 2008-04-14 13:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
    2010-12-06 21:29 . 2008-04-14 13:41 21504 ----a-w- c:\windows\system32\hidserv.dll
    2010-12-06 21:29 . 2008-04-14 08:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
    2010-12-06 21:29 . 2008-04-14 08:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
    2010-12-06 21:13 . 2008-04-14 13:42 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
    2010-12-06 21:13 . 2001-08-18 06:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
    2010-12-06 21:13 . 2008-04-14 13:42 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
    2010-12-06 21:13 . 2001-08-18 06:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
    2010-12-06 21:13 . 2001-08-18 06:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
    2010-12-06 21:13 . 2001-08-18 06:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
    2010-12-06 21:12 . 2001-08-17 20:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
    2010-12-06 21:12 . 2008-04-14 13:42 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
    2010-12-06 21:12 . 2008-04-14 08:06 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
    2010-12-06 21:12 . 2008-04-14 06:05 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
    2010-12-06 21:12 . 2001-08-17 20:12 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
    2010-12-06 21:12 . 2001-08-17 21:28 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
    2010-12-06 21:12 . 2001-08-18 06:36 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
    2010-12-06 21:12 . 2001-08-18 06:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
    2010-12-06 21:12 . 2008-04-14 07:00 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
    2010-12-06 21:12 . 2008-04-14 07:00 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
    2010-12-06 21:10 . 2001-08-17 21:28 765884 -c--a-w- c:\windows\system32\dllcache\usrti.sys
    2010-12-06 21:09 . 2001-08-18 06:36 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
    2010-12-06 21:08 . 2001-08-17 22:02 230912 -c--a-w- c:\windows\system32\dllcache\tosdvd03.sys
    2010-12-06 21:07 . 2001-08-17 21:50 103936 -c--a-w- c:\windows\system32\dllcache\sx.sys
    2010-12-06 21:06 . 2001-08-17 20:51 37040 -c--a-w- c:\windows\system32\dllcache\sonypi.sys
    2010-12-06 21:05 . 2008-04-14 06:05 63547 -c--a-w- c:\windows\system32\dllcache\sla30nd5.sys
    2010-12-06 21:04 . 2001-08-18 06:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
    2010-12-06 21:03 . 2001-08-17 22:56 179264 -c--a-w- c:\windows\system32\dllcache\s3sav3d.dll
    2010-12-06 21:02 . 2001-08-17 21:51 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
    2010-12-06 21:01 . 2001-08-18 06:36 121344 -c--a-w- c:\windows\system32\dllcache\phvfwext.dll
    2010-12-06 21:00 . 2001-08-18 06:36 20480 -c--a-w- c:\windows\system32\dllcache\ovcomc.dll
    2010-12-06 21:00 . 2001-08-17 22:05 351616 -c--a-w- c:\windows\system32\dllcache\ovcodek2.sys
    2010-12-06 21:00 . 2001-08-18 06:36 116736 -c--a-w- c:\windows\system32\dllcache\ovcodec2.dll
    2010-12-06 21:00 . 2001-08-17 22:05 31872 -c--a-w- c:\windows\system32\dllcache\ovce.sys
    2010-12-06 21:00 . 2001-08-17 22:05 28032 -c--a-w- c:\windows\system32\dllcache\ovcd.sys
    2010-12-06 21:00 . 2001-08-17 22:05 48000 -c--a-w- c:\windows\system32\dllcache\ovcam2.sys
    2010-12-06 21:00 . 2001-08-17 22:05 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
    2010-12-06 21:00 . 2001-08-17 21:28 54186 -c--a-w- c:\windows\system32\dllcache\otcsercb.sys
    2010-12-06 21:00 . 2001-08-17 20:12 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
    2010-12-06 21:00 . 2001-08-17 20:12 27209 -c--a-w- c:\windows\system32\dllcache\otc06x5.sys
    2010-12-06 21:00 . 2001-08-17 20:20 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
    2010-12-06 21:00 . 2008-04-14 08:16 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
    2010-12-06 21:00 . 2001-08-17 20:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
    2010-12-06 20:58 . 2001-08-18 06:36 59104 -c--a-w- c:\windows\system32\dllcache\n9i128v2.dll
    2010-12-06 20:57 . 2001-08-17 22:00 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
    2010-12-06 20:57 . 2008-04-14 08:24 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
    2010-12-06 20:57 . 2008-04-14 07:00 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
    2010-12-06 20:57 . 2001-08-17 22:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
    2010-12-06 20:57 . 2001-08-17 21:48 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
    2010-12-06 20:57 . 2001-08-17 21:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
    2010-12-06 20:57 . 2001-08-17 21:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
    2010-12-06 20:57 . 2008-04-14 07:00 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe
    2010-12-06 20:57 . 2008-04-14 07:00 34304 -c--a-w- c:\windows\system32\dllcache\migisol.exe
    2010-12-06 20:57 . 2001-08-17 20:50 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
    2010-12-06 20:57 . 2001-08-17 22:56 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
    2010-12-06 20:57 . 2008-04-14 07:00 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
    2010-12-06 20:57 . 2008-04-14 07:00 92032 -c--a-w- c:\windows\system32\dllcache\mga.dll
    2010-12-06 20:55 . 2001-08-17 20:12 26442 -c--a-w- c:\windows\system32\dllcache\lanepic5.sys
    2010-12-06 20:54 . 2008-04-14 07:00 35328 -c--a-w- c:\windows\system32\dllcache\iprip.dll
    2010-12-06 20:53 . 2001-08-17 22:06 38528 -c--a-w- c:\windows\system32\dllcache\ibmvcap.sys
    2010-12-06 20:52 . 2001-08-17 21:28 150239 -c--a-w- c:\windows\system32\dllcache\hsf_amos.sys
    2010-12-06 20:51 . 2008-04-14 08:15 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
    2010-12-06 20:50 . 2001-08-17 21:52 7040 -c--a-w- c:\windows\system32\dllcache\exabyte2.sys
    2010-12-06 20:49 . 2001-08-17 21:28 241206 -c--a-w- c:\windows\system32\dllcache\el656se5.sys
    2010-12-06 20:48 . 2001-08-17 20:13 103044 -c--a-w- c:\windows\system32\dllcache\digidxb.sys
    2010-12-06 20:47 . 2008-04-14 08:06 10240 -c--a-w- c:\windows\system32\dllcache\compbatt.sys
    2010-12-06 20:46 . 2001-08-17 21:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
    2010-12-06 20:45 . 2001-08-17 22:55 96128 -c--a-w- c:\windows\system32\dllcache\ati.dll
    2010-12-06 20:44 . 2008-04-14 07:00 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
    2010-12-06 19:25 . 2010-12-06 19:25 388096 ----a-r- c:\documents and settings\Samuel M. Saunders\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-12-06 19:25 . 2010-12-06 19:25 -------- d-----w- c:\program files\Trend Micro
    2010-12-05 01:25 . 2008-04-14 07:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
    2010-12-05 01:25 . 2008-04-14 07:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
    2010-12-05 01:25 . 2008-04-14 07:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
    2010-12-05 01:25 . 2008-04-14 07:00 13312 ----a-w- c:\windows\system32\irclass.dll
    2010-12-04 17:04 . 2010-12-04 17:04 -------- d-----w- c:\windows\Dell
    2010-11-30 08:12 . 2010-11-30 08:12 -------- d-----w- c:\windows\java
    2010-11-30 05:12 . 2006-10-13 00:28 348160 ----a-w- c:\windows\system32\msvc5364.rra
    2010-11-29 20:55 . 2010-11-29 20:55 -------- d-----w- c:\documents and settings\Samuel M. Saunders\Application Data\Avira
    2010-11-28 06:35 . 2010-11-28 06:35 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-11-28 06:33 . 2010-11-28 06:34 -------- d-----w- c:\program files\iTunes
    2010-11-27 22:51 . 2010-11-27 22:51 -------- d-sh--w- c:\documents and settings\Guest\IETldCache
    2010-11-27 20:44 . 2010-11-27 20:44 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-13 15:11 . 2009-08-13 15:11 17260 ----a-w- c:\program files\Common Files\malyle.bin
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2004-06-30 95344]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "combofix"="c:\combofix\CF26865.cfxxe" [X]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-03 4800512]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2003-11-10 70816]
    "URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2003-12-11 70800]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-03 185896]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-03 281768]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-09-11 2500552]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-5-13 24576]
    Launch Whitesmoke Translator.lnk - c:\program files\WhiteSmoke Translator\WSTrayDictMode.exe [2004-2-20 671744]
    NETGEAR WNA3100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA3100\WNA3100.exe [2010-8-5 4562944]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt\0sprestrt

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
    "c:\\blp\\Wintrv\\wintrv.exe"=
    "c:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\blp\\API\\bbcomm.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R0 cerc6;cerc6; [x]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 135664]
    R2 WSWNA3100;WSWNA3100;c:\program files\NETGEAR\WNA3100\WifiSvc.exe [2010-01-12 278528]
    R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh5.sys [2009-11-06 642432]
    S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
    S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2010-09-11 239240]
    S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2010-09-11 25240]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-08-03 135336]
    S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

    2010-12-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 22:45]

    2010-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 22:45]

    2010-12-11 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
    - c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2004-05-20 22:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    TCP: {9210EE3C-4238-4ADD-A7BC-EAC1DB945ED7} = 156.154.70.22,156.154.71.22
    TCP: {ABCCC484-D4E5-441D-84AE-52ADC2261EF3} = 156.154.70.22,156.154.71.22
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-CLRHost - c:\blp\API\OFFICE~1\bbxlcmd.exe
    HKCU-Run-MoneyAgent - c:\program files\Microsoft Money\System\mnyexpr.exe
    HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
    HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-13 18:41
    Windows 5.1.2600 Service Pack 3 NTFS

    detected NTDLL code modification:
    ZwClose, ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(732)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    - - - - - - - > 'lsass.exe'(788)
    c:\windows\system32\guard32.dll

    - - - - - - - > 'Explorer.EXE'(660)
    c:\windows\system32\guard32.dll
    c:\program files\SUPERAntiSpyware\SASSEH.DLL
    c:\windows\system32\ieframe.dll
    c:\progra~1\WINDOW~2\wmpband.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\progra~1\COMMON~1\SYMANT~1\ANTISPAM\asOEHook.dll
    .
    Completion time: 2010-12-13 18:54:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-12-14 02:54

    Pre-Run: 5,981,376,512 bytes free
    Post-Run: 6,606,585,856 bytes free

    - - End Of File - - 73C748650A5EF3A37B97353E4BB6D1C2
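    As an added example that is not part of this thread or of ComboFix itself: a small Python parser for the "Reg Loading Points" portion of a ComboFix log in the format posted above (Run values, Startup-folder .lnk lines and R*/S* service lines), so the autostart entries can be searched by name, and entries whose target file ComboFix recorded no date/size for (shown as [X]) can be listed. The embedded log is a constructed excerpt of the lines in the post above; the regexes and helper names are this example's own, not ComboFix's.

    ```python
    import re
    from dataclasses import dataclass
    from typing import List, Optional

    # Constructed excerpt modelled on the ComboFix log posted above (not the full log).
    SAMPLE_LOG = r"""
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2004-06-30 95344]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "combofix"="c:\combofix\CF26865.cfxxe" [X]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-03 281768]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-5-13 24576]
    Launch Whitesmoke Translator.lnk - c:\program files\WhiteSmoke Translator\WSTrayDictMode.exe [2004-2-20 671744]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"= 1 (0x1)

    R0 cerc6;cerc6; [x]
    R2 WSWNA3100;WSWNA3100;c:\program files\NETGEAR\WNA3100\WifiSvc.exe [2010-01-12 278528]

    Contents of the 'Scheduled Tasks' folder
    """

    # Line shapes seen in the log: a registry key header, a Startup folder header,
    # a "name"="path" [meta] value, a "name.lnk - path [meta]" shortcut, and a service line.
    KEY_RE = re.compile(r'^\[(hk[^\]]+)\]$', re.I)
    STARTUP_DIR_RE = re.compile(r'^[a-z]:\\.*\\startup\\$', re.I)
    VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
    LNK_RE = re.compile(r'^(?P<name>.+?\.lnk) - (?P<path>.*?) \[(?P<meta>[^\]]*)\]$', re.I)
    SERVICE_RE = re.compile(
        r'^(?P<start>[RS]\d) (?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.*?) ?\[(?P<meta>[^\]]*)\]$')


    @dataclass
    class AutostartEntry:
        source: str                 # registry key, Startup folder, or "service"
        name: str                   # value name, .lnk name, or service name
        path: str                   # executable the entry points at ("" if none was logged)
        meta: str                   # text inside [...]: "date size", or X/x when no file was recorded
        start: Optional[str] = None  # R0/R2/S1... for services only

        @property
        def target_missing(self) -> bool:
            # ComboFix logged no date/size for the target; in the post above this shows as [X]/[x].
            return self.meta.strip().lower() == "x"


    def parse_loading_points(log_text: str) -> List[AutostartEntry]:
        """Extract autostart entries from the 'Reg Loading Points' section of a ComboFix log."""
        entries: List[AutostartEntry] = []
        in_section = False
        current_source = ""
        for raw in log_text.splitlines():
            line = raw.strip()
            if "Reg Loading Points" in line:
                in_section = True
                continue
            if not in_section:
                continue
            if line.startswith("((((") or line.startswith("Contents of"):
                break  # next section of the log
            if not line:
                continue
            m = KEY_RE.match(line)
            if m:
                current_source = m.group(1)
                continue
            if STARTUP_DIR_RE.match(line):
                current_source = line
                continue
            m = SERVICE_RE.match(line)
            if m:
                entries.append(AutostartEntry("service", m["svc"], m["path"], m["meta"], m["start"]))
                continue
            m = LNK_RE.match(line) or VALUE_RE.match(line)
            if m:
                entries.append(AutostartEntry(current_source, m["name"], m["path"], m["meta"]))
        return entries


    def entries_matching(entries: List[AutostartEntry], needle: str) -> List[AutostartEntry]:
        """Case-insensitive search of entry names and paths (e.g. for a program the user did not install)."""
        n = needle.lower()
        return [e for e in entries if n in e.name.lower() or n in e.path.lower()]


    def missing_targets(entries: List[AutostartEntry]) -> List[AutostartEntry]:
        """Entries that still point at a file ComboFix did not find: leftovers worth cleaning up."""
        return [e for e in entries if e.target_missing]


    if __name__ == "__main__":
        found = parse_loading_points(SAMPLE_LOG)
        for e in entries_matching(found, "whitesmoke"):
            print(f"unwanted autostart: {e.name} -> {e.path}  ({e.source})")
        for e in missing_targets(found):
            print(f"dangling autostart: {e.name} -> {e.path or '<no path>'}  ({e.source})")
    ```
    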
     
  10. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Which one is your current security program?
    I can see Norton, Comodo and Avira installed.

    ==================================================================

    Unless you installed Viewpoint Manager knowledgeably...
    Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
    Uninstall any of the following programs associated with Viewpoint:
    * Viewpoint Manager
    * Viewpoint Media Player
    * Viewpoint Toolbar
    This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

    ====================================================================

    Still no internet?

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\msvc5364.rra
    c:\program files\Common Files\malyle.bin
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  11. gluttony

    gluttony TS Rookie Topic Starter Posts: 37

    Hi Broni. Thanks for responding so quickly. Viewpoint Manager has been removed. Norton, Comodo and Avira are all running. Should I remove any of them? What about that Whitesmoke Translator program?

    WNA3100 remains inoperable with "Failed to run Service" message.
     
  12. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    You can be running only one AV program.
    Before you do anything, let me know, which one you want to KEEP.

    I don't know. Do you use it?
     
  13. gluttony

    gluttony TS Rookie Topic Starter Posts: 37

    I'll keep Comodo, unless you suggest otherwise. Whitesmoke was downloaded by the malware, so I'd like to get rid of it.
     
  14. Broni

    Broni Malware Annihilator Posts: 52,898   +344

  15. gluttony

    gluttony TS Rookie Topic Starter Posts: 37

    When attempting to remove Whitesmoke, Comodo alerts InstallScript Setup Launcher setup.exe could not be recognized and requests unlimited access to your computer. Should I allow?

    Since I don't have access to the Internet right now (replying on a phone), is there any way to work around Norton?

    Avira uninstalled.

    Comodo Firewall and Defense+ installed.

    Am I running ComboFix through the CFScript procedure detailed earlier?
     
  16. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Leave it for now. We'll try to re-establish your internet connection in a moment...

    Yes.
     
  17. gluttony

    gluttony TS Rookie Topic Starter Posts: 37

    Still getting that corrupt version ComboFix message in normal mode. Ok to run in safe mode?
     
  18. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Perfectly fine....
     
  19. gluttony

    gluttony TS Rookie Topic Starter Posts: 37

    Ok, ran ComboFix. I'll post the log tomorrow. Is there anything else we can do? Thanks for all the help tonight.
     
  20. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    I can't comment until I see Combofix log....
     
  21. gluttony

    gluttony TS Rookie Topic Starter Posts: 37

    Good day to you Broni. Please find log below:

    ComboFix 10-12-13.02 - Samuel M. Saunders 12/14/2010 20:32:30.2.1 - x86 MINIMAL
    Running from: c:\documents and settings\Samuel M. Saunders\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Samuel M. Saunders\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    "c:\program files\Common Files\malyle.bin"
    "c:\windows\system32\msvc5364.rra"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Common Files\malyle.bin
    c:\windows\system32\msvc5364.rra

    .
    ((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))
    .

    2010-12-06 21:29 . 2008-04-14 13:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
    2010-12-06 21:29 . 2008-04-14 13:41 21504 ----a-w- c:\windows\system32\hidserv.dll
    2010-12-06 21:29 . 2008-04-14 08:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
    2010-12-06 21:29 . 2008-04-14 08:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
    2010-12-06 21:13 . 2008-04-14 13:42 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
    2010-12-06 21:13 . 2001-08-18 06:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
    2010-12-06 21:13 . 2008-04-14 13:42 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
    2010-12-06 21:13 . 2001-08-18 06:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
    2010-12-06 21:13 . 2001-08-18 06:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
    2010-12-06 21:13 . 2001-08-18 06:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
    2010-12-06 21:12 . 2001-08-17 20:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
    2010-12-06 21:12 . 2008-04-14 13:42 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
    2010-12-06 21:12 . 2008-04-14 08:06 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
    2010-12-06 21:12 . 2008-04-14 06:05 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
    2010-12-06 21:12 . 2001-08-17 20:12 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
    2010-12-06 21:12 . 2001-08-17 21:28 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
    2010-12-06 21:12 . 2001-08-18 06:36 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
    2010-12-06 21:12 . 2001-08-18 06:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
    2010-12-06 21:12 . 2008-04-14 07:00 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
    2010-12-06 21:12 . 2008-04-14 07:00 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
    2010-12-06 21:10 . 2001-08-17 21:28 765884 -c--a-w- c:\windows\system32\dllcache\usrti.sys
    2010-12-06 21:09 . 2001-08-18 06:36 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
    2010-12-06 21:08 . 2001-08-17 22:02 230912 -c--a-w- c:\windows\system32\dllcache\tosdvd03.sys
    2010-12-06 21:07 . 2001-08-17 21:50 103936 -c--a-w- c:\windows\system32\dllcache\sx.sys
    2010-12-06 21:06 . 2001-08-17 20:51 37040 -c--a-w- c:\windows\system32\dllcache\sonypi.sys
    2010-12-06 21:05 . 2008-04-14 06:05 63547 -c--a-w- c:\windows\system32\dllcache\sla30nd5.sys
    2010-12-06 21:04 . 2001-08-18 06:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
    2010-12-06 21:03 . 2001-08-17 22:56 179264 -c--a-w- c:\windows\system32\dllcache\s3sav3d.dll
    2010-12-06 21:02 . 2001-08-17 21:51 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
    2010-12-06 21:01 . 2001-08-18 06:36 121344 -c--a-w- c:\windows\system32\dllcache\phvfwext.dll
    2010-12-06 21:00 . 2001-08-18 06:36 20480 -c--a-w- c:\windows\system32\dllcache\ovcomc.dll
    2010-12-06 21:00 . 2001-08-17 22:05 351616 -c--a-w- c:\windows\system32\dllcache\ovcodek2.sys
    2010-12-06 21:00 . 2001-08-18 06:36 116736 -c--a-w- c:\windows\system32\dllcache\ovcodec2.dll
    2010-12-06 21:00 . 2001-08-17 22:05 31872 -c--a-w- c:\windows\system32\dllcache\ovce.sys
    2010-12-06 21:00 . 2001-08-17 22:05 28032 -c--a-w- c:\windows\system32\dllcache\ovcd.sys
    2010-12-06 21:00 . 2001-08-17 22:05 48000 -c--a-w- c:\windows\system32\dllcache\ovcam2.sys
    2010-12-06 21:00 . 2001-08-17 22:05 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
    2010-12-06 21:00 . 2001-08-17 21:28 54186 -c--a-w- c:\windows\system32\dllcache\otcsercb.sys
    2010-12-06 21:00 . 2001-08-17 20:12 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
    2010-12-06 21:00 . 2001-08-17 20:12 27209 -c--a-w- c:\windows\system32\dllcache\otc06x5.sys
    2010-12-06 21:00 . 2001-08-17 20:20 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
    2010-12-06 21:00 . 2008-04-14 08:16 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
    2010-12-06 21:00 . 2001-08-17 20:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
    2010-12-06 20:58 . 2001-08-18 06:36 59104 -c--a-w- c:\windows\system32\dllcache\n9i128v2.dll
    2010-12-06 20:57 . 2001-08-17 22:00 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
    2010-12-06 20:57 . 2008-04-14 08:24 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
    2010-12-06 20:57 . 2008-04-14 07:00 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
    2010-12-06 20:57 . 2001-08-17 22:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
    2010-12-06 20:57 . 2001-08-17 21:48 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
    2010-12-06 20:57 . 2001-08-17 21:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
    2010-12-06 20:57 . 2001-08-17 21:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
    2010-12-06 20:57 . 2008-04-14 07:00 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe
    2010-12-06 20:57 . 2008-04-14 07:00 34304 -c--a-w- c:\windows\system32\dllcache\migisol.exe
    2010-12-06 20:57 . 2001-08-17 20:50 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
    2010-12-06 20:57 . 2001-08-17 22:56 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
    2010-12-06 20:57 . 2008-04-14 07:00 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
    2010-12-06 20:57 . 2008-04-14 07:00 92032 -c--a-w- c:\windows\system32\dllcache\mga.dll
    2010-12-06 20:55 . 2001-08-17 20:12 26442 -c--a-w- c:\windows\system32\dllcache\lanepic5.sys
    2010-12-06 20:54 . 2008-04-14 07:00 35328 -c--a-w- c:\windows\system32\dllcache\iprip.dll
    2010-12-06 20:53 . 2001-08-17 22:06 38528 -c--a-w- c:\windows\system32\dllcache\ibmvcap.sys
    2010-12-06 20:52 . 2001-08-17 21:28 150239 -c--a-w- c:\windows\system32\dllcache\hsf_amos.sys
    2010-12-06 20:51 . 2008-04-14 08:15 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
    2010-12-06 20:50 . 2001-08-17 21:52 7040 -c--a-w- c:\windows\system32\dllcache\exabyte2.sys
    2010-12-06 20:49 . 2001-08-17 21:28 241206 -c--a-w- c:\windows\system32\dllcache\el656se5.sys
    2010-12-06 20:48 . 2001-08-17 20:13 103044 -c--a-w- c:\windows\system32\dllcache\digidxb.sys
    2010-12-06 20:47 . 2008-04-14 08:06 10240 -c--a-w- c:\windows\system32\dllcache\compbatt.sys
    2010-12-06 20:46 . 2001-08-17 21:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
    2010-12-06 20:45 . 2001-08-17 22:55 96128 -c--a-w- c:\windows\system32\dllcache\ati.dll
    2010-12-06 20:44 . 2008-04-14 07:00 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
    2010-12-06 19:25 . 2010-12-06 19:25 388096 ----a-r- c:\documents and settings\Samuel M. Saunders\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-12-06 19:25 . 2010-12-06 19:25 -------- d-----w- c:\program files\Trend Micro
    2010-12-05 01:25 . 2008-04-14 07:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
    2010-12-05 01:25 . 2008-04-14 07:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
    2010-12-05 01:25 . 2008-04-14 07:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
    2010-12-05 01:25 . 2008-04-14 07:00 13312 ----a-w- c:\windows\system32\irclass.dll
    2010-12-04 17:04 . 2010-12-04 17:04 -------- d-----w- c:\windows\Dell
    2010-11-30 08:12 . 2010-11-30 08:12 -------- d-----w- c:\windows\java
    2010-11-28 06:35 . 2010-11-28 06:35 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-11-28 06:33 . 2010-11-28 06:34 -------- d-----w- c:\program files\iTunes
    2010-11-27 22:51 . 2010-11-27 22:51 -------- d-sh--w- c:\documents and settings\Guest\IETldCache
    2010-11-27 20:44 . 2010-11-27 20:44 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2004-06-30 95344]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-03 4800512]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2003-11-10 70816]
    "URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2003-12-11 70800]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-03 185896]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-09-11 2500552]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-5-13 24576]
    Launch Whitesmoke Translator.lnk - c:\program files\WhiteSmoke Translator\WSTrayDictMode.exe [2004-2-20 671744]
    NETGEAR WNA3100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA3100\WNA3100.exe [2010-8-5 4562944]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableCAD"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt\0sprestrt

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
    "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
    "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
    "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

    R0 cerc6;cerc6; [x]
    R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2010-09-11 239240]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2010-09-11 25240]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 135664]
    R2 WSWNA3100;WSWNA3100;c:\program files\NETGEAR\WNA3100\WifiSvc.exe [2010-01-12 278528]
    R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh5.sys [2009-11-06 642432]

    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

    2010-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 22:45]

    2010-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 22:45]

    2010-12-11 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
    - c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2004-05-20 22:22]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    TCP: {9210EE3C-4238-4ADD-A7BC-EAC1DB945ED7} = 156.154.70.22,156.154.71.22
    TCP: {ABCCC484-D4E5-441D-84AE-52ADC2261EF3} = 156.154.70.22,156.154.71.22
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-14 20:42
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(256)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    Completion time: 2010-12-14 20:47:02
    ComboFix-quarantined-files.txt 2010-12-15 04:46
    ComboFix2.txt 2010-12-14 02:54

    Pre-Run: 7,266,643,968 bytes free
    Post-Run: 7,258,415,104 bytes free

    - - End Of File - - 4435CFB4D809A5407B0DD70C169FE6B8
     
  22. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Good :)

    Let's see what we can do about your internet connection.

    1. Click Start>Run (Start>"Start search" in Vista).

    2. Type in (or copy and paste):

    cmd /c ping google.com>%temp%\$.$&notepad %temp%\$.$

    and press Enter.

    3. Notepad will open.

    4. Copy all text in Notepad ([Ctrl-A], then [Ctrl-C]), and then post it (paste = [Ctrl-V]) in your next reply.

    ====================================================================

    Go Start>Run ("Start search" in Vista), type in:
    cmd
    Click OK (hit Enter in Vista).

    At Command Prompt, paste this:
    ipconfig /all>c:\ipconfig_all.txt&notepad c:\ipconfig_all.txt&exit
    Hit Enter.

    Copy and paste what you see in Notepad into a Reply here.
     
  23. gluttony

    gluttony TS Rookie Topic Starter Posts: 37

    Hi Broni. Is that light I see at the end of the tunnel?

    FYI: PC is connecting to the internet via WiFi Netgear N300 Wireless USB Adapter. The driver (WNA3100.exe) will not run, producing a message box "Failed to run Service".

    All text in Notepad as follows:

    Ping request could not find host google.com. Please check the name and try again.
     
  24. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Please post a log from the second command I mentioned in my previous reply.

    Did you try to reinstall wireless driver?

    Will your computer connect, if hardwired, using ethernet cable?
     
  25. gluttony

    gluttony TS Rookie Topic Starter Posts: 37

    PC wouldn't allow Wna3100 install when infected. Ok to try now? Modem is in another room, so quite difficult to connect via Ethernet.

    Whoops. Second command log:

    Windows IP Configuration
    Host Name............: Gluttony
    Primary Dns Suffix:
    Node Type............: Hybrid
    IP Routing Enabled: No
    WINS Proxy Enabled: No

    Ethernet adapter Local Area Connection 2:

    Media State...........: Media disconnected
    Description ...........: Intel(R) PRO/100 VE Network Connection
    Physical Address..: 00-0C-F1-D1-99-6F
     
Topic Status:
Not open for further replies.
