TechSpot

Generic Host Process for win32 issues + wert3.exe Trojan

By Booties
Dec 13, 2010
  1. Hello, I am running Windows XP SP3 and have recently been receiving a "generic host process for win32 services has encountered a problem and needs to close" error. When it occurs, it turns off my "Sounds and Audio Device Properties" and I am no longer able to select anything, because it is all grayed out. I have attempted to run a simple System Restore, but after my PC restarts it says "System Restore cannot be completed." I have run Malwarebytes, CCleaner, and an AVG virus scan, and nothing has come up. It also changes the Explorer shell from the XP graphics to what looks like the classic Windows shell. When I restart my computer it fixes the problem, but only temporarily (it always comes back, but at random times). If more information is needed, please let me know, and the next time I see the error I will get a screenshot of both the error and what my settings are doing.

    AVG also periodically comes up saying I have a Trojan infection on my PC, and it is always wert3.exe.

    Thanks in advance.
     
  2. Bobbye

    Welcome to TechSpot! I'm working on an almost identical thread. We're still working on it. But I need you to follow this to start:

    Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. Booties

    Here are all my logs from the scans:

    Malwarebytes' Anti-Malware:

    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5309

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    12/13/2010 10:34:47 PM
    mbam-log-2010-12-13 (22-34-47).txt

    Scan type: Quick scan
    Objects scanned: 167649
    Time elapsed: 3 minute(s), 34 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    --------------

    GMER:

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-12-14 03:38:30
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\nvgts1 Hitachi_ rev.V54O
    Running: 56v8dnfp.exe; Driver: C:\DOCUME~1\Chris\LOCALS~1\Temp\pwliipow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB0BCC534]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB0BC6782]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0xB0BE56DC]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB0BCCCC0]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xB0BCCDF6]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB0BC7398]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xB0BE6FE4]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xB0BE693C]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0xB0BE793C]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB0BE7B44]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB0BC6FAA]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB595F6C0]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB0BE88D2]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xB0BE8208]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xB0BCC0F4]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xB0BE92A4]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB0BC775C]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xB0BE8E12]
    SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xB0BE60C4]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xB595F770]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xB595F810]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xB595F8B0]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB840E380, 0x34E2EF, 0xE8000020]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[1340] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007F000A
    .text C:\WINDOWS\System32\svchost.exe[1340] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0080000A
    .text C:\WINDOWS\System32\svchost.exe[1340] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007E000C
    .text C:\WINDOWS\System32\svchost.exe[1340] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0151000A
    .text C:\WINDOWS\System32\svchost.exe[1340] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00E9000A
    .text C:\WINDOWS\Explorer.EXE[1876] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0163000A
    .text C:\WINDOWS\Explorer.EXE[1876] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0164000A
    .text C:\WINDOWS\Explorer.EXE[1876] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0162000C
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 17, 00]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 17, 00]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 17, 00]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 17, 00]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90ED1A
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 17, 00]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 17, 00]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 17, 00]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90ED8B
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 17, 00]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EEB9
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 17, 00]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 17, 00]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 17, 00]
    .text C:\Program Files\SRWare Iron\iron.exe[3340] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B0BD1672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B0BD14C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B0BD1CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B0BCFC2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B0BCFC2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B0BD1672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B0BD14C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B0BD1CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B0BD1672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B0BCFC2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B0BD1CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B0BD14C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B0BD1CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B0BD14C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B0BD1672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B0BCFC2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B0BD1672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B0BD14C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B0BD1CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [B0BD1CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [B0BD14C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [B0BCFC2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [B0BD1672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B0BD1672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B0BCFC2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B0BD1CBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B0BD14C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\SRWare Iron\iron.exe[3340] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00300010

    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

    Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)

    Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)

    Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
    Device \Driver\nvgts -> DriverStartIo \Device\Scsi\nvgts2Port3Path1Target1Lun0 89C5B292
    Device \Driver\nvgts -> DriverStartIo \Device\Scsi\nvgts1 89C5B292
    Device \Driver\nvgts -> DriverStartIo \Device\Scsi\nvgts2 89C5B292
    Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
    Device \Device\Scsi\nvgts1Port2Path1Target1Lun0 -> \??\SCSI#Disk&Ven_Hitachi&Prod_HDT725032VLA&Rev_V54O#4&358dcf36&0&110#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----

    --------------

    DDS:


    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Chris at 3:44:40.96 on Tue 12/14/2010
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1073 [GMT -6:00]

    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    FW: ZoneAlarm Firewall *Enabled*

    ============== Running Processes ===============

    C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    svchost.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\AVG\AVG10\avgemcx.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
    C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
    C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
    C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\SRWare Iron\iron.exe
    C:\Program Files\SRWare Iron\iron.exe
    C:\Program Files\SRWare Iron\iron.exe
    C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\WINDOWS\System32\mshta.exe
    C:\WINDOWS\System32\mshta.exe
    C:\WINDOWS\System32\mshta.exe
    C:\WINDOWS\System32\mshta.exe
    C:\WINDOWS\System32\mshta.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\SRWare Iron\iron.exe
    C:\Documents and Settings\Chris\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [EPSON NX300 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatieja.exe /fu "c:\windows\temp\E_SDC.tmp" /EF "HKCU"
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [Ai Nap] "c:\program files\asus\ai suite\ainap\AiNap.exe"
    mRun: [CPU Power Monitor] "c:\program files\asus\ai suite\aigear3\CpuPowerMonitor.exe"
    mRun: [Cpu Level Up help] c:\program files\asus\ai suite\CpuLevelUpHelp.exe
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [Launch LgDeviceAgent] "c:\program files\logitech\gamepanel software\LgDevAgt.exe"
    mRun: [Launch LCDMon] "c:\program files\logitech\gamepanel software\lcd manager\LCDMon.exe"
    mRun: [Launch LGDCore] "c:\program files\logitech\gamepanel software\g-series software\LGDCore.exe" /SHOWHIDE
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
    StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    LSP: %SYSTEMROOT%\system32\nvappfilter.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-9-29 64288]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-9-29 532224]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-9-23 1375992]
    R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-9-23 15264]
    R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 19720]
    R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2010-10-3 14856]
    S0 hxbx;hxbx;c:\windows\system32\drivers\usgqyvr.sys --> c:\windows\system32\drivers\usgqyvr.sys [?]

    =============== Created Last 30 ================

    2010-12-12 23:08:06 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\dOcCl06301
    2010-12-03 10:26:27 -------- d-----w- c:\docume~1\chris\locals~1\applic~1\Identities
    2010-12-03 10:26:25 -------- d-----w- c:\docume~1\chris\applic~1\Viqa
    2010-12-03 10:26:25 -------- d-----w- c:\docume~1\chris\applic~1\Invu
    2010-11-28 02:25:05 388096 ----a-r- c:\docume~1\chris\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2010-11-28 02:25:05 -------- d-----w- c:\program files\Trend Micro
    2010-11-24 04:57:25 -------- d-----w- c:\docume~1\chris\locals~1\applic~1\FalloutNV
    2010-11-23 16:41:02 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-11-23 12:41:22 -------- dc-h--w- c:\docume~1\alluse~1.win\applic~1\{E961CE1B-C3EA-4882-9F67-F859B555D097}
    2010-11-17 20:14:07 -------- d-----w- c:\documents and settings\chris\.grasp_settings
    2010-11-15 17:37:31 -------- d-----w- C:\Swsetup

    ==================== Find3M ====================

    2010-11-04 19:01:14 240592 ----a-w- c:\windows\system32\nvdrsdb1.bin
    2010-11-04 19:01:14 240592 ----a-w- c:\windows\system32\nvdrsdb0.bin
    2010-11-04 19:01:14 1 ----a-w- c:\windows\system32\nvdrssel.bin
    2010-10-16 18:55:00 888424 ----a-w- c:\windows\system32\nvdispco32.dll
    2010-10-16 18:55:00 813672 ----a-w- c:\windows\system32\nvgenco32.dll
    2010-10-16 18:55:00 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2010-10-16 18:55:00 2293194 ----a-w- c:\windows\system32\nvdata.bin
    2010-10-16 18:55:00 13012992 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-09-29 18:37:45 315392 ----a-w- c:\windows\HideWin.exe
    2010-09-28 00:21:29 4082 ----a-w- C:\cc_20100927_192125.reg
    2010-09-28 00:21:14 19684 ----a-w- C:\cc_20100927_192106.reg
    2010-09-28 00:20:49 489676 ----a-w- C:\cc_20100927_192016.reg
    2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-15 09:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Hitachi_ rev.V54O -> Harddisk0\DR0 -> \Device\Scsi\nvgts1

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89C5B446]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89c61504]; MOV EAX, [0x89c61580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89D18AB8]
    3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000065[0x89CCA288]
    5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89D45A38]
    \Driver\nvgts[0x89D97F38] -> IRP_MJ_CREATE -> 0x89C5B446
    error: Read The system cannot find the file specified.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Scsi\nvgts1Port2Path1Target1Lun0 -> \??\SCSI#Disk&Ven_Hitachi&Prod_HDT725032VLA&Rev_V54O#4&358dcf36&0&110#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 3:45:14.43 ===============

    --------------

    Attach:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/29/2010 1:10:20 AM
    System Uptime: 12/13/2010 10:24:34 PM (5 hours ago)

    Motherboard: ASUSTeK Computer INC. | | P5N-D
    Processor: Intel Pentium III Xeon processor | Socket 775 | 2666/333mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 298 GiB total, 199.886 GiB free.
    D: is CDROM (CDFS)
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PowerPC Processor
    Device ID: PCI\VEN_1957&DEV_0086&SUBSYS_02011A56&REV_30\4&DC268A3&0&3880
    Manufacturer:
    Name: PowerPC Processor
    PNP Device ID: PCI\VEN_1957&DEV_0086&SUBSYS_02011A56&REV_30\4&DC268A3&0&3880
    Service:

    ==== System Restore Points ===================

    RP1: 9/29/2010 1:14:05 AM - System Checkpoint
    RP2: 9/29/2010 11:22:15 AM - Installed NVIDIA ForceWare Network Access Manager
    RP3: 9/29/2010 2:03:36 PM - Installed AI Suite
    RP4: 9/29/2010 2:06:38 PM - Installed Adobe Reader 8
    RP5: 9/29/2010 2:27:31 PM - Installed AVG Free 9.0
    RP6: 9/29/2010 2:47:17 PM - Software Distribution Service 3.0
    RP7: 9/29/2010 3:36:46 PM - Software Distribution Service 3.0
    RP8: 9/29/2010 7:04:20 PM - Installed Java(TM) 6 Update 20
    RP9: 9/29/2010 7:04:27 PM - Installed OpenOffice.org 3.2
    RP10: 9/29/2010 7:06:55 PM - Installed Ventrilo Client
    RP11: 9/30/2010 12:29:34 AM - Software Distribution Service 3.0
    RP12: 9/30/2010 11:57:02 AM - Avg Update
    RP13: 9/30/2010 11:58:02 AM - Avg Update
    RP14: 9/30/2010 9:29:17 PM - Software Distribution Service 3.0
    RP15: 10/1/2010 9:29:34 PM - System Checkpoint
    RP16: 10/2/2010 5:00:11 AM - Software Distribution Service 3.0
    RP17: 10/3/2010 7:19:02 AM - System Checkpoint
    RP18: 10/4/2010 7:55:26 AM - System Checkpoint
    RP19: 10/5/2010 8:20:39 AM - System Checkpoint
    RP20: 10/5/2010 10:40:52 AM - Avg Update
    RP21: 10/6/2010 11:21:35 AM - System Checkpoint
    RP22: 10/7/2010 12:10:01 PM - System Checkpoint
    RP23: 10/7/2010 3:17:28 PM - Installed Windows Media Format Runtime
    RP24: 10/7/2010 3:18:14 PM - Installed DirectX
    RP25: 10/7/2010 3:38:55 PM - Installed Java(TM) 6 Update 21
    RP26: 10/8/2010 5:00:12 AM - Software Distribution Service 3.0
    RP27: 10/9/2010 11:13:54 AM - System Checkpoint
    RP28: 10/10/2010 11:39:53 AM - System Checkpoint
    RP29: 10/11/2010 12:10:28 PM - System Checkpoint
    RP30: 10/12/2010 12:15:14 PM - System Checkpoint
    RP31: 10/13/2010 7:00:10 AM - Software Distribution Service 3.0
    RP32: 10/14/2010 8:00:02 AM - System Checkpoint
    RP33: 10/15/2010 5:00:11 AM - Software Distribution Service 3.0
    RP34: 10/15/2010 3:31:45 AM - System Checkpoint
    RP35: 10/16/2010 4:18:04 AM - System Checkpoint
    RP36: 10/17/2010 5:29:35 AM - System Checkpoint
    RP37: 10/18/2010 8:46:08 AM - System Checkpoint
    RP38: 10/19/2010 8:49:28 AM - System Checkpoint
    RP39: 10/20/2010 9:34:34 AM - System Checkpoint
    RP40: 10/21/2010 11:58:34 AM - System Checkpoint
    RP41: 10/22/2010 12:21:57 PM - System Checkpoint
    RP42: 10/23/2010 12:33:57 PM - System Checkpoint
    RP43: 10/24/2010 3:11:28 PM - System Checkpoint
    RP44: 10/26/2010 4:56:33 AM - System Checkpoint
    RP45: 10/27/2010 5:36:01 AM - System Checkpoint
    RP46: 10/27/2010 8:23:14 AM - Avg Update
    RP47: 10/28/2010 10:00:48 AM - System Checkpoint
    RP48: 10/29/2010 10:35:00 AM - System Checkpoint
    RP49: 10/30/2010 11:15:30 AM - System Checkpoint
    RP50: 10/31/2010 11:36:05 AM - System Checkpoint
    RP51: 11/1/2010 12:33:59 PM - System Checkpoint
    RP52: 11/2/2010 1:23:30 PM - System Checkpoint
    RP53: 11/3/2010 3:07:43 PM - System Checkpoint
    RP54: 11/3/2010 7:35:24 PM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    RP55: 11/3/2010 7:35:27 PM - Installed AVG 2011
    RP56: 11/3/2010 7:35:49 PM - Removed AVG Free 9.0
    RP57: 11/3/2010 7:38:54 PM - Installed AVG 2011
    RP58: 11/4/2010 2:01:49 PM - Installed Java(TM) 6 Update 22
    RP59: 11/5/2010 2:16:08 PM - System Checkpoint
    RP60: 11/6/2010 3:04:11 PM - System Checkpoint
    RP61: 11/7/2010 2:52:11 PM - System Checkpoint
    RP62: 11/8/2010 3:26:46 PM - System Checkpoint
    RP63: 11/9/2010 3:40:09 PM - System Checkpoint
    RP64: 11/10/2010 4:40:08 PM - System Checkpoint
    RP65: 11/11/2010 3:00:12 AM - Software Distribution Service 3.0
    RP66: 11/11/2010 11:38:34 PM - Removed Ask Toolbar.
    RP67: 11/13/2010 7:22:40 AM - System Checkpoint
    RP68: 11/13/2010 11:09:26 AM - 12 Nov 2010 Pre-Defrag AM
    RP69: 11/14/2010 11:43:24 AM - System Checkpoint
    RP70: 11/15/2010 12:19:20 PM - System Checkpoint
    RP71: 11/16/2010 12:30:26 PM - System Checkpoint
    RP72: 11/17/2010 1:30:26 PM - System Checkpoint
    RP73: 11/17/2010 1:43:02 PM - Installed Java(TM) SE Development Kit 6 Update 22
    RP74: 11/18/2010 2:26:25 PM - System Checkpoint
    RP75: 11/19/2010 2:28:56 PM - System Checkpoint
    RP76: 11/20/2010 3:28:56 PM - System Checkpoint
    RP77: 11/21/2010 6:20:30 PM - System Checkpoint
    RP78: 11/22/2010 10:31:32 PM - Restore Operation
    RP79: 11/23/2010 10:34:12 PM - Installed Steam
    RP80: 11/23/2010 10:56:11 PM - Installed DirectX
    RP81: 11/23/2010 10:56:54 PM - Installed DirectX
    RP82: 11/27/2010 11:18:25 AM - System Checkpoint
    RP83: 11/28/2010 1:46:48 PM - System Checkpoint
    RP84: 12/2/2010 7:11:05 AM - System Checkpoint
    RP85: 12/3/2010 9:22:18 AM - System Checkpoint
    RP86: 12/4/2010 3:00:10 AM - Installed AVG 2011
    RP87: 12/4/2010 3:00:25 AM - Installed AVG 2011
    RP88: 12/5/2010 1:45:26 PM - System Checkpoint
    RP89: 12/7/2010 5:28:06 AM - System Checkpoint
    RP90: 12/9/2010 5:24:52 AM - System Checkpoint
    RP91: 12/13/2010 10:53:20 PM - System Checkpoint

    ==== Installed Programs ======================

    Ad-Aware
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8
    AI Suite
    AVG 2011
    CCleaner
    DivX Setup
    EPSON NX300 Series Printer Uninstall
    EPSON Scan
    Fallout: New Vegas
    HiJackThis
    Java Auto Updater
    Java DB 10.5.3.0
    Java(TM) 6 Update 22
    Java(TM) SE Development Kit 6 Update 22
    jGRASP
    Logitech GamePanel Software 3.06.109
    Malwarebytes' Anti-Malware
    ManyCam 2.6.1 (remove only)
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    NVIDIA Drivers
    NVIDIA ForceWare Network Access Manager
    NVIDIA nView Desktop Manager
    NVIDIA PhysX
    OpenOffice.org 3.2
    Pando Media Booster
    Realtek High Definition Audio Driver
    Security Update for Windows XP (KB923789)
    Skype Toolbars
    Skype™ 5.0
    SRWare Iron 6.0.475.1
    Steam
    VC 9.0 Runtime
    VC80CRTRedist - 8.0.50727.4053
    Ventrilo Client
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    WebFldrs XP
    Windows Media Format Runtime
    WinRAR archiver
    World of Warcraft
    ZoneAlarm

    ==== Event Viewer Messages From Past Week ========

    12/9/2010 8:53:32 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 240 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    12/9/2010 6:53:32 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    12/9/2010 5:53:31 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    12/9/2010 5:23:31 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    12/9/2010 5:08:15 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    12/9/2010 11:02:38 AM, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {BC866CF2-5486-41F7-B46B-9AA49CF3EBB1} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.
    12/9/2010 11:02:33 AM, error: Dhcp [1002] - The IP address lease 192.168.1.101 for the Network Card with network address 00248C522936 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    12/9/2010 1:11:16 AM, error: Service Control Manager [7022] - The Automatic Updates service hung on starting.
    12/8/2010 4:21:22 PM, error: NetBT [4311] - Initialization failed because the driver device could not be created.
    12/13/2010 10:36:41 PM, error: nvgts [9] - The device, \Device\Scsi\nvgts2, did not respond within the timeout period.
    12/13/2010 10:12:01 PM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    12/13/2010 10:12:00 PM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    12/13/2010 10:12:00 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    12/13/2010 10:12:00 PM, error: Service Control Manager [7034] - The ForceWare IP service service terminated unexpectedly. It has done this 1 time(s).
    12/13/2010 10:12:00 PM, error: Service Control Manager [7034] - The ForceWare Intelligent Application Manager (IAM) service terminated unexpectedly. It has done this 1 time(s).
    12/12/2010 11:08:11 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    12/11/2010 8:58:51 PM, error: Service Control Manager [7000] - The Print Spooler service failed to start due to the following error: The system cannot find the file specified.
    12/10/2010 12:27:08 AM, error: DCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {BC866CF2-5486-41F7-B46B-9AA49CF3EBB1} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
    12/10/2010 11:24:46 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    12/10/2010 10:59:07 AM, information: Windows File Protection [64004] - The protected system file spoolsv.exe could not be restored to its original, valid version. The file version of the bad file is unknown The specific error code is 0x00000426 [The service has not been started. ].
    12/10/2010 10:03:57 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

    ==== End Of File ===========================
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    For a better understanding of Generic Host Process for Win32 Services and causes of errors, please review the Microsoft site HERE.

    The most obvious of the malware is the rootkit, so I'd like you to begin with this:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double-click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    Please leave the log in your next reply.

    I will have to identify the contents of almost all the files showing as created in the last 30 days, so please don't add more data from those sources.
    ==============================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ======================================
    I'm also going to have you run an early HijackThis so I can see what section an entry is in; it's either an Adult dialer or Adware.Purityscan:
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will be saved, and then the log will open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Leave all logs in next reply please.
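To make the TDSSKiller and ESET logs requested above quicker to read back, here is an added Python triage script (example code written for this thread, not TDSSKiller's, ESET's or TechSpot's own). It parses the TDSSKiller log format and ESET's per-file result lines as they appear in the logs posted later in the thread, flags a detection that was left at TDSSKiller's default Skip action, and separates ESET hits that sit inside TDSSKiller's own quarantine folder from live ones; the TDSSKiller sample lines are copied from that log, and the second ESET line is a constructed placeholder.

```python
import re

# Line shapes as seen in the TDSSKiller 2.4.x log posted in this thread.
TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "            # timestamp prefix
DRIVER_RE = re.compile(TS + r"(.+?) \(([0-9a-f]{32})\) (.+)$")    # name (md5) path
DETECT_RE = re.compile(TS + r"(\S+) - detected (\S+) \((\d+)\)$")
COUNT_RE = re.compile(TS + r"Detected object count: (\d+)$")
COPIED_RE = re.compile(TS + r"(.+) - copied to quarantine$")
ACTION_RE = re.compile(TS + r"(\S+)\((.+)\) - User select action: (\w+)$")
# ESET Online Scanner result line: <path> <verdict> <32-hex hash> <flag>
ESET_RE = re.compile(r"^(.*?)\s+([0-9a-f]{32})\s+(\S+)$")
TDSS_QUARANTINE = "c:\\tdsskiller_quarantine\\"   # TDSSKiller's default quarantine root

# Sample input: lines copied from the TDSSKiller log posted in this thread.
SAMPLE_TDSS_LOG = r"""
2010/12/16 00:34:59.0656 Scan started
2010/12/16 00:35:00.0937 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/16 00:35:05.0046 Lavasoft Kernexplorer (0bd6d3f477df86420de942a741dabe37) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2010/12/16 00:35:09.0109 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/16 00:35:10.0609 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/16 00:35:10.0609 Scan finished
2010/12/16 00:35:10.0625 Detected object count: 1
2010/12/16 00:39:52.0812 \HardDisk0 - copied to quarantine
2010/12/16 00:39:52.0843 \HardDisk0\TDLFS\cfg.ini - copied to quarantine
2010/12/16 00:39:52.0906 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Quarantine
"""
SAMPLE_ESET_LINES = [
    # first line copied from the ESET log in this thread; second is constructed (placeholder verdict)
    r"C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0003.dta a variant of Win32/Olmarik.ADZ trojan (unable to clean) 00000000000000000000000000000000 I",
    r"C:\Documents and Settings\Chris\wert3.exe a variant of Win32/PLACEHOLDER trojan (unable to clean) 00000000000000000000000000000000 I",
]


def parse_tdsskiller(text):
    """Collect drivers, detections, the tool's own count and the actions taken."""
    rep = {"drivers": {}, "detections": [], "reported_count": None,
           "quarantined": [], "actions": {}}
    for line in text.splitlines():
        if m := DETECT_RE.match(line):
            rep["detections"].append({"object": m[1], "name": m[2]})
        elif m := COUNT_RE.match(line):
            rep["reported_count"] = int(m[1])
        elif m := COPIED_RE.match(line):
            rep["quarantined"].append(m[1])
        elif m := ACTION_RE.match(line):
            rep["actions"][m[2]] = m[3]          # keyed by object, e.g. \HardDisk0
        elif m := DRIVER_RE.match(line):
            rep["drivers"][m[1]] = (m[2], m[3])  # name -> (md5, path)
    return rep


def tdss_findings(rep):
    """Points a helper checks first when reading a TDSSKiller log back."""
    notes = []
    if rep["reported_count"] != len(rep["detections"]):
        notes.append(f"count mismatch: tool reports {rep['reported_count']}, "
                     f"log shows {len(rep['detections'])} detection line(s)")
    for d in rep["detections"]:
        obj, name = d["object"], d["name"]
        # \HardDiskN objects are disk-level (MBR plus hidden TDLFS store), not a driver file
        where = "disk/MBR level, hidden TDLFS store" if obj.lower().startswith("\\harddisk") else "driver file"
        action = rep["actions"].get(obj, "Skip")   # Skip is TDSSKiller's default for suspicious objects
        copied = sum(1 for q in rep["quarantined"] if q.lower().startswith(obj.lower()))
        if action == "Skip":
            notes.append(f"{name} on {obj} ({where}) was left with action Skip: rerun and quarantine")
        else:
            notes.append(f"{name} on {obj} ({where}): action {action}, {copied} item(s) copied to quarantine")
    for name, (_, path) in rep["drivers"].items():
        if not path.lower().startswith("c:\\windows\\"):
            notes.append(f"driver {name} loads from outside the Windows directory: {path}")
    return notes


def parse_eset_line(line):
    """Split an ESET result line into path, verdict, hash and flag; None if not one."""
    m = ESET_RE.match(line.strip())
    if not m:
        return None
    body, digest, flag = m.groups()
    toks = body.split()
    path_end = [i for i, t in enumerate(toks) if "\\" in t]   # path may contain spaces
    if not path_end:
        return None
    path = " ".join(toks[:path_end[-1] + 1])
    return {"path": path, "verdict": " ".join(toks[path_end[-1] + 1:]),
            "digest": digest, "flag": flag,
            "in_tdss_quarantine": path.lower().startswith(TDSS_QUARANTINE)}


def eset_triage(lines):
    """Separate hits that are only TDSSKiller's quarantined copies from live ones."""
    hits = [h for h in map(parse_eset_line, lines) if h]
    live = [h for h in hits if not h["in_tdss_quarantine"]]
    parked = [h for h in hits if h["in_tdss_quarantine"]]
    return live, parked


if __name__ == "__main__":
    for note in tdss_findings(parse_tdsskiller(SAMPLE_TDSS_LOG)):
        print("TDSSKiller:", note)
    live, parked = eset_triage(SAMPLE_ESET_LINES)
    print(f"ESET: {len(live)} live hit(s), {len(parked)} already in TDSSKiller quarantine")
```

A hit reported under C:\TDSSKiller_Quarantine is a copy TDSSKiller already pulled off the disk, so it needs no further cleaning; anything outside that folder is what the helper still has to look at.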
     
  5. Booties

    Booties TS Rookie Topic Starter

    TDSS Killer


    2010/12/16 00:34:47.0703 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40
    2010/12/16 00:34:47.0703 ================================================================================
    2010/12/16 00:34:47.0703 SystemInfo:
    2010/12/16 00:34:47.0703
    2010/12/16 00:34:47.0703 OS Version: 5.1.2600 ServicePack: 3.0
    2010/12/16 00:34:47.0703 Product type: Workstation
    2010/12/16 00:34:47.0703 ComputerName: BOOTIESPC
    2010/12/16 00:34:47.0703 UserName: Chris
    2010/12/16 00:34:47.0703 Windows directory: C:\WINDOWS
    2010/12/16 00:34:47.0703 System windows directory: C:\WINDOWS
    2010/12/16 00:34:47.0703 Processor architecture: Intel x86
    2010/12/16 00:34:47.0703 Number of processors: 4
    2010/12/16 00:34:47.0703 Page size: 0x1000
    2010/12/16 00:34:47.0703 Boot type: Normal boot
    2010/12/16 00:34:47.0703 ================================================================================
    2010/12/16 00:34:48.0140 Initialize success
    2010/12/16 00:34:59.0656 ================================================================================
    2010/12/16 00:34:59.0656 Scan started
    2010/12/16 00:34:59.0656 Mode: Manual;
    2010/12/16 00:34:59.0656 ================================================================================
    2010/12/16 00:35:00.0937 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2010/12/16 00:35:00.0984 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2010/12/16 00:35:01.0109 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2010/12/16 00:35:01.0203 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2010/12/16 00:35:01.0421 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2010/12/16 00:35:01.0578 AsIO (663f2fb92608073824ee3106886120f3) C:\WINDOWS\system32\drivers\AsIO.sys
    2010/12/16 00:35:01.0703 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2010/12/16 00:35:01.0750 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2010/12/16 00:35:01.0812 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2010/12/16 00:35:01.0859 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2010/12/16 00:35:01.0953 AVGIDSDriver (0c61f066f4d94bd67063dc6691935143) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
    2010/12/16 00:35:01.0968 AVGIDSEH (84853f800cd69252c3c764fe50d0346f) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
    2010/12/16 00:35:02.0046 AVGIDSFilter (28d6adcd03e10f3838488b9b5d407dd4) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
    2010/12/16 00:35:02.0093 AVGIDSShim (0eb16f4dbbb946360af30d2b13a52d1d) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
    2010/12/16 00:35:02.0125 Avgldx86 (1119e5bec6e749e0d292f0f84d48edba) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
    2010/12/16 00:35:02.0156 Avgmfx86 (54f1a9b4c9b540c2d8ac4baa171696b1) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
    2010/12/16 00:35:02.0203 Avgrkx86 (8da3b77993c5f354cc2977b7ea06d03a) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
    2010/12/16 00:35:02.0234 Avgtdix (354e0fec3bfdfa9c369e0f67ac362f9f) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
    2010/12/16 00:35:02.0328 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2010/12/16 00:35:02.0390 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2010/12/16 00:35:02.0453 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2010/12/16 00:35:02.0515 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2010/12/16 00:35:02.0593 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2010/12/16 00:35:02.0890 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2010/12/16 00:35:02.0953 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2010/12/16 00:35:03.0031 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2010/12/16 00:35:03.0093 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2010/12/16 00:35:03.0156 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2010/12/16 00:35:03.0218 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2010/12/16 00:35:03.0296 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2010/12/16 00:35:03.0359 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
    2010/12/16 00:35:03.0437 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2010/12/16 00:35:03.0468 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2010/12/16 00:35:03.0531 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    2010/12/16 00:35:03.0578 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2010/12/16 00:35:03.0640 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2010/12/16 00:35:03.0718 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2010/12/16 00:35:03.0765 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2010/12/16 00:35:03.0859 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2010/12/16 00:35:03.0953 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2010/12/16 00:35:04.0078 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
    2010/12/16 00:35:04.0140 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2010/12/16 00:35:04.0359 IntcAzAudAddService (eb5608fd4f2961517ac9f5cac88b023b) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2010/12/16 00:35:04.0468 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2010/12/16 00:35:04.0515 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    2010/12/16 00:35:04.0546 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2010/12/16 00:35:04.0578 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2010/12/16 00:35:04.0625 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2010/12/16 00:35:04.0687 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2010/12/16 00:35:04.0734 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2010/12/16 00:35:04.0796 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2010/12/16 00:35:04.0843 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2010/12/16 00:35:04.0875 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2010/12/16 00:35:04.0937 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2010/12/16 00:35:04.0984 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2010/12/16 00:35:05.0046 Lavasoft Kernexplorer (0bd6d3f477df86420de942a741dabe37) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
    2010/12/16 00:35:05.0109 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
    2010/12/16 00:35:05.0187 LGBusEnum (170e7093a77ad586f3a012a3db651d94) C:\WINDOWS\system32\drivers\LGBusEnum.sys
    2010/12/16 00:35:05.0234 LGVirHid (d2dd04d1c8df65eecd1f2c7fb947d43e) C:\WINDOWS\system32\drivers\LGVirHid.sys
    2010/12/16 00:35:05.0281 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2010/12/16 00:35:05.0312 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2010/12/16 00:35:05.0406 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2010/12/16 00:35:05.0453 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2010/12/16 00:35:05.0484 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2010/12/16 00:35:05.0546 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2010/12/16 00:35:05.0640 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2010/12/16 00:35:05.0671 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2010/12/16 00:35:05.0750 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2010/12/16 00:35:05.0781 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2010/12/16 00:35:05.0828 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2010/12/16 00:35:05.0875 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2010/12/16 00:35:05.0921 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
    2010/12/16 00:35:06.0015 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2010/12/16 00:35:06.0062 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2010/12/16 00:35:06.0093 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2010/12/16 00:35:06.0140 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2010/12/16 00:35:06.0156 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2010/12/16 00:35:06.0171 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2010/12/16 00:35:06.0203 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2010/12/16 00:35:06.0234 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2010/12/16 00:35:06.0296 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2010/12/16 00:35:06.0343 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2010/12/16 00:35:06.0390 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2010/12/16 00:35:06.0500 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2010/12/16 00:35:06.0750 nv (29e060897a3179660c49367f52fcaac0) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2010/12/16 00:35:06.0906 NVENETFD (ccd0c2a9a9c4c59441072564b011b546) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
    2010/12/16 00:35:06.0953 nvgts (fa740e97a0fe36e368c2299d9f3c01c1) C:\WINDOWS\system32\DRIVERS\nvgts.sys
    2010/12/16 00:35:06.0984 nvnetbus (a4931d96f111b5a8f3129507ae7bdf12) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
    2010/12/16 00:35:07.0031 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2010/12/16 00:35:07.0062 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2010/12/16 00:35:07.0109 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2010/12/16 00:35:07.0140 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2010/12/16 00:35:07.0171 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2010/12/16 00:35:07.0234 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2010/12/16 00:35:07.0281 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2010/12/16 00:35:07.0328 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2010/12/16 00:35:07.0390 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2010/12/16 00:35:07.0734 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2010/12/16 00:35:07.0781 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2010/12/16 00:35:07.0812 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2010/12/16 00:35:07.0875 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2010/12/16 00:35:08.0046 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2010/12/16 00:35:08.0078 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2010/12/16 00:35:08.0093 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2010/12/16 00:35:08.0125 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2010/12/16 00:35:08.0203 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2010/12/16 00:35:08.0250 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2010/12/16 00:35:08.0343 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2010/12/16 00:35:08.0390 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2010/12/16 00:35:08.0468 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2010/12/16 00:35:08.0500 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2010/12/16 00:35:08.0531 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2010/12/16 00:35:08.0578 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2010/12/16 00:35:08.0703 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2010/12/16 00:35:08.0750 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2010/12/16 00:35:08.0812 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
    2010/12/16 00:35:08.0890 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2010/12/16 00:35:08.0953 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2010/12/16 00:35:09.0078 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2010/12/16 00:35:09.0109 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2010/12/16 00:35:09.0171 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2010/12/16 00:35:09.0203 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2010/12/16 00:35:09.0250 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2010/12/16 00:35:09.0343 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2010/12/16 00:35:09.0437 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2010/12/16 00:35:09.0546 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
    2010/12/16 00:35:09.0562 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2010/12/16 00:35:09.0609 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2010/12/16 00:35:09.0640 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2010/12/16 00:35:09.0671 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
    2010/12/16 00:35:09.0718 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2010/12/16 00:35:09.0796 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2010/12/16 00:35:09.0859 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2010/12/16 00:35:09.0968 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2010/12/16 00:35:10.0046 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2010/12/16 00:35:10.0140 vsdatant (050c38ebb22512122e54b47dc278bccd) C:\WINDOWS\system32\vsdatant.sys
    2010/12/16 00:35:10.0234 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2010/12/16 00:35:10.0328 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2010/12/16 00:35:10.0437 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    2010/12/16 00:35:10.0609 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2010/12/16 00:35:10.0609 ================================================================================
    2010/12/16 00:35:10.0609 Scan finished
    2010/12/16 00:35:10.0609 ================================================================================
    2010/12/16 00:35:10.0625 Detected object count: 1
    2010/12/16 00:39:52.0812 \HardDisk0 - copied to quarantine
    2010/12/16 00:39:52.0843 \HardDisk0\TDLFS\cfg.ini - copied to quarantine
    2010/12/16 00:39:52.0843 \HardDisk0\TDLFS\mbr - copied to quarantine
    2010/12/16 00:39:52.0843 \HardDisk0\TDLFS\bckfg.tmp - copied to quarantine
    2010/12/16 00:39:52.0859 \HardDisk0\TDLFS\cmd.dll - copied to quarantine
    2010/12/16 00:39:52.0859 \HardDisk0\TDLFS\ldr16 - copied to quarantine
    2010/12/16 00:39:52.0875 \HardDisk0\TDLFS\ldr32 - copied to quarantine
    2010/12/16 00:39:52.0875 \HardDisk0\TDLFS\ldr64 - copied to quarantine
    2010/12/16 00:39:52.0875 \HardDisk0\TDLFS\drv64 - copied to quarantine
    2010/12/16 00:39:52.0890 \HardDisk0\TDLFS\cmd64.dll - copied to quarantine
    2010/12/16 00:39:52.0906 \HardDisk0\TDLFS\drv32 - copied to quarantine
    2010/12/16 00:39:52.0906 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Quarantine

    ======================================

    Eset NOD32


    ESETSmartInstaller@High as downloader log:
    all ok
    # version=7
    # OnlineScannerApp.exe=1.0.0.1
    # OnlineScanner.ocx=1.0.0.6415
    # api_version=3.0.2
    # EOSSerial=3b1159c3142acc4089982201af84cc03
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-12-16 07:21:22
    # local_time=2010-12-16 01:21:22 (-0600, Central Standard Time)
    # country="United States"
    # lang=1033
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=512 16777215 100 0 653124 653124 0 0
    # compatibility_mode=1032 16777173 100 96 0 49213483 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # compatibility_mode=9217 16777214 75 81 6606451 65795503 0 0
    # scanned=63752
    # found=12
    # cleaned=0
    # scan_time=1853
    C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0003.dta a variant of Win32/Olmarik.ADZ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0005.dta Win32/Olmarik.AFK trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0006.dta Win64/Olmarik.D trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0007.dta Win64/Olmarik.D trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0008.dta Win64/Olmarik.A trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0009.dta Win32/Olmarik.AIB trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0003.dta a variant of Win32/Olmarik.ADZ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0005.dta Win32/Olmarik.AFK trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0006.dta Win64/Olmarik.D trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0007.dta Win64/Olmarik.D trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0008.dta Win64/Olmarik.A trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0009.dta Win32/Olmarik.AIB trojan (unable to clean) 00000000000000000000000000000000 I

    ======================================

    HijackThis


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:48:59 PM, on 12/16/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\AVG\AVG10\avgemcx.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
    C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
    C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
    C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\SRWare Iron\iron.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\Program Files\SRWare Iron\iron.exe
    C:\Program Files\SRWare Iron\iron.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
    O4 - HKLM\..\Run: [CPU Power Monitor] "C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe"
    O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
    O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
    O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
    O4 - HKCU\..\Run: [EPSON NX300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEJA.EXE /FU "C:\WINDOWS\TEMP\E_SDC.tmp" /EF "HKCU"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 6739 bytes
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, you will need to handle this:
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated


I've had 3 members with this combination today. I checked the Lavasoft site because when I had the paid AdAware, there was a Real Time protection named AdWatch which would pop up with an Alert if a Registry change was being attempted. But it was not considered an AV. Now I'm seeing it with that label and you should have only one AV.

    The rootkit has been handled so we'll remove the entries:

Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      :Files  
      C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0003.dta 
      C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0005.dta 
      C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0006.dta 
      C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0007.dta 
      C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0008.dta 
      C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0009.dta 
      C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0003.dta 
      C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0005.dta 
      C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0006.dta 
      C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0007.dta 
      C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0008.dta 
      C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0009.dta 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =================================================
    I'd like for you to check and see if this process is on the Startup menu and checked to start on boot:
    Name: SystemBoot
    Filename: Mshta.exe ...filename.hta

    • Click on Start> Run> type in msconfig> enter>
    • Choose the Startup tab:
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    This is just a 'look'- don't do anything.
    ================================================
    I'd like you to run Combofix- unfortunately, AVG isn't allowing it to be disabled, so you will have to uninstall it before the scan:
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
• As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
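The checks the helper asks for above by hand (look for a startup entry that launches an .hta through Mshta.exe, and note which entries the tools could not resolve) can be applied to the log lines posted in this thread. The script below is an added example and is not part of the thread, of OTMoveIt, HijackThis or ComboFix; it parses HijackThis O4/O23 lines and ComboFix service and task lines and flags the patterns that matter here: an autostart that runs an .hta via mshta.exe, a service whose binary is reported missing, a boot-start driver whose file ComboFix could not read (it prints "[?]" in place of a date and size) and that has a random-looking name, and a block of At*.job tasks created with at.exe. The sample lines marked as copied come from the logs above; the SystemBoot/mshta.exe line is constructed for the example and its .hta path is hypothetical. The random-name test is only a heuristic (the legitimate Lavasoft driver Lbd is three letters and no vowels, so the length floor keeps it out).

```python
"""Triage autostart, service and task lines from HijackThis / ComboFix logs.

Added example for this thread, not code from TechSpot, HijackThis, ComboFix
or OTMoveIt. Findings are returned as dicts so they can be asserted on.
"""
from __future__ import annotations

import re

# Constructed sample. Lines 1, 3-9 are copied from the logs in this thread;
# line 2 (SystemBoot -> mshta.exe) is constructed, its .hta path is hypothetical.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SystemBoot] C:\WINDOWS\system32\mshta.exe "C:\DOCUME~1\Chris\LOCALS~1\Temp\update.hta"
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/29/2010 1:56 PM 64288]
S0 hxbx;hxbx;c:\windows\system32\drivers\usgqyvr.sys --> c:\windows\system32\drivers\usgqyvr.sys [?]
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At3.job
"""

# HijackThis O4 autostart: "O4 - <hive\..\Run>: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# HijackThis O23 service: "O23 - Service: <name> - <owner> - <path> [(file missing)]"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# ComboFix service line: "<R|S><start type> <name>;<display>;<path> [date size]"  or  "... [?]"
SVC_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
AT_JOB_RE = re.compile(r"\\Tasks\\At\d+\.job$", re.I)
# mshta.exe anywhere in the command line, with an .hta argument after it
HTA_RE = re.compile(r"\bmshta(\.exe)?\b.*\.hta\b", re.I)


def looks_random(name: str) -> bool:
    """Heuristic: at least four letters, letters only, fewer than 20% vowels."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 4 or letters != name.lower():
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.2


def triage(log_text: str) -> list[dict]:
    """Return one finding per suspicious line, plus one for a block of At*.job tasks."""
    findings: list[dict] = []
    at_jobs = 0
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if AT_JOB_RE.search(line):
            at_jobs += 1
            continue
        m = O4_RE.match(line)
        if m and HTA_RE.search(m["cmd"]):
            findings.append(dict(severity="high", name=m["name"],
                                 reason="autostart runs an .hta via mshta.exe", line=line))
            continue
        m = O23_RE.match(line)
        if m and m["path"].endswith("(file missing)"):
            findings.append(dict(severity="medium", name=m["name"],
                                 reason="service binary missing", line=line))
            continue
        m = SVC_RE.match(line)
        if m:
            reasons = []
            if m["rest"].endswith("[?]"):          # ComboFix could not read the file
                reasons.append("driver file not on disk")
            if m["start"] == "0" and looks_random(m["name"]):
                reasons.append("boot-start driver with random-looking name")
            if reasons:
                findings.append(dict(severity="high", name=m["name"],
                                     reason="; ".join(reasons), line=line))
    if at_jobs >= 3:
        findings.append(dict(severity="medium", name="At*.job",
                             reason=f"{at_jobs} At*.job tasks (mass-created via at.exe)", line=""))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['name']}: {f['reason']}")
```

Run against the sample it reports the constructed SystemBoot entry, the missing spoolsv.exe, the hxbx/usgqyvr.sys driver and the three At*.job tasks, and stays silent on the ZoneAlarm, NVSvc and Lbd lines. Feed it the whole HijackThis and ComboFix logs from the thread and the same four classes of indicator come out, which is a quicker first pass than reading the msconfig Startup tab by hand; it does not replace the rootkit scan, since a TDL4 MBR infection leaves no autostart entry at all.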
     
  7. Booties

    Booties TS Rookie Topic Starter

    OTM


    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    File move failed. C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0003.dta scheduled to be moved on reboot.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    File move failed. C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0005.dta scheduled to be moved on reboot.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    File move failed. C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0006.dta scheduled to be moved on reboot.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    File move failed. C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0007.dta scheduled to be moved on reboot.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    File move failed. C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0008.dta scheduled to be moved on reboot.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    File move failed. C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0009.dta scheduled to be moved on reboot.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    File move failed. C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0003.dta scheduled to be moved on reboot.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    File move failed. C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0005.dta scheduled to be moved on reboot.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    File move failed. C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0006.dta scheduled to be moved on reboot.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    File move failed. C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0007.dta scheduled to be moved on reboot.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    File move failed. C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0008.dta scheduled to be moved on reboot.
    Unable to create HKLM\Software\OldTimer Tools\OTM key.
    File move failed. C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0009.dta scheduled to be moved on reboot.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: All Users.WINDOWS

    User: Chris

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User.WINDOWS
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: IBUYPOWER

    User: LocalService

    User: LocalService.NT AUTHORITY

    User: NetworkService

    User: NetworkService.NT AUTHORITY

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 0.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 12222010_020736

    =================================================

    ComboFix

    ComboFix 10-12-22.01 - Chris 12/22/2010 18:11:13.1.4 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1088 [GMT -6:00]
    Running from: c:\documents and settings\Chris\My Documents\Downloads\ComboFix.exe
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\Chris\LOCALS~1\Temp\winlogon.dat
    c:\documents and settings\Chris\Local Settings\Temp\winlogon.dat
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job

    Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - c:\system volume information\_restore{197AAB9C-9D26-40D1-B110-C86BC8825AEB}\RP95\A0109721.exe

    Infected copy of c:\windows\explorer.exe was found and disinfected
    Restored copy from - c:\system volume information\_restore{197AAB9C-9D26-40D1-B110-C86BC8825AEB}\RP95\A0109720.exe

    Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - c:\system volume information\_restore{197AAB9C-9D26-40D1-B110-C86BC8825AEB}\RP95\A0109721.exe
    Infected copy of c:\windows\explorer.exe was found and disinfected
    Restored copy from - c:\system volume information\_restore{197AAB9C-9D26-40D1-B110-C86BC8825AEB}\RP95\A0109720.exe
    .
    ((((((((((((((((((((((((( Files Created from 2010-11-23 to 2010-12-23 )))))))))))))))))))))))))))))))
    .

    2010-12-22 08:07 . 2010-12-22 08:07 -------- d-----w- C:\_OTM
    2010-12-19 23:04 . 2010-12-19 23:04 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Yahoo
    2010-12-19 23:00 . 2010-12-19 23:02 -------- d-----w- c:\documents and settings\Chris\Application Data\Yahoo!
    2010-12-19 23:00 . 2010-12-19 23:00 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo! Companion
    2010-12-19 22:59 . 2010-12-19 23:00 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!
    2010-12-18 08:07 . 2010-12-18 08:07 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Mozilla
    2010-12-16 06:39 . 2010-12-16 06:39 -------- d-----w- C:\TDSSKiller_Quarantine
    2010-12-12 23:08 . 2010-12-12 23:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\dOcCl06301
    2010-12-03 10:26 . 2010-12-03 10:26 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Identities
    2010-12-03 10:26 . 2010-12-04 09:25 -------- d-----w- c:\documents and settings\Chris\Application Data\Invu
    2010-12-03 10:26 . 2010-12-03 10:51 -------- d-----w- c:\documents and settings\Chris\Application Data\Viqa
    2010-11-28 02:25 . 2010-11-28 02:25 388096 ----a-r- c:\documents and settings\Chris\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-11-28 02:25 . 2010-11-28 02:25 -------- d-----w- c:\program files\Trend Micro
    2010-11-27 05:17 . 2010-11-27 05:17 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Adobe
    2010-11-25 07:29 . 2010-11-25 07:30 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
    2010-11-25 05:39 . 2010-11-25 05:39 -------- d-s---w- c:\documents and settings\LocalService.NT AUTHORITY\UserData
    2010-11-24 04:57 . 2010-11-24 04:57 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\FalloutNV
    2010-11-23 22:15 . 2010-11-23 22:15 -------- d-s---w- c:\documents and settings\NetworkService.NT AUTHORITY\UserData
    2010-11-23 16:41 . 2010-09-23 07:46 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-11-23 12:41 . 2010-11-23 12:41 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS\Application Data\{E961CE1B-C3EA-4882-9F67-F859B555D097}

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-29 23:42 . 2010-09-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-29 23:42 . 2010-09-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-23 12:45 . 2010-09-29 19:56 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-10-16 18:55 . 2010-11-04 18:43 888424 ----a-w- c:\windows\system32\nvdispco32.dll
    2010-10-16 18:55 . 2010-11-04 18:43 813672 ----a-w- c:\windows\system32\nvgenco32.dll
    2010-10-16 18:55 . 2010-10-13 09:03 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2010-10-16 18:55 . 2010-10-13 09:03 13012992 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-09-29 18:37 . 2010-09-29 18:37 315392 ----a-w- c:\windows\HideWin.exe
    2010-09-28 00:21 . 2010-09-28 00:21 4082 ----a-w- C:\cc_20100927_192125.reg
    2010-09-28 00:21 . 2010-09-28 00:21 19684 ----a-w- C:\cc_20100927_192106.reg
    2010-09-28 00:20 . 2010-09-28 00:20 489676 ----a-w- C:\cc_20100927_192016.reg
    2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    ------- Sigcheck -------

    [7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
    [7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe

    c:\windows\System32\spoolsv.exe ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2007-10-25 16855552]
    "Ai Nap"="c:\program files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-09-06 1426432]
    "CPU Power Monitor"="c:\program files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe" [2007-10-16 626176]
    "Cpu Level Up help"="c:\program files\ASUS\Ai Suite\CpuLevelUpHelp.exe" [2007-09-11 880640]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
    "Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2010-08-03 358472]
    "Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2010-08-03 1809992]
    "Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2010-08-03 3649096]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-08 13680640]
    "nwiz"="nwiz.exe" [2009-03-08 1657376]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-08 86016]

    c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
    Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^Chris^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
    path=c:\documents and settings\Chris\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
    backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2010-06-01 16:17 5252408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    2010-11-24 04:35 1242448 ----a-w- c:\program files\Steam\Steam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\fallout new vegas\\FalloutNVLauncher.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "58706:TCP"= 58706:TCP:pando Media Booster
    "58706:UDP"= 58706:UDP:pando Media Booster

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/29/2010 1:56 PM 64288]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/23/2010 1:46 AM 1375992]
    R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [11/23/2009 4:37 PM 19720]
    R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [10/3/2010 3:23 PM 14856]
    S0 hxbx;hxbx;c:\windows\system32\drivers\usgqyvr.sys --> c:\windows\system32\drivers\usgqyvr.sys [?]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [9/23/2010 1:46 AM 15264]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 16:49]
    .
    .
    ------- Supplementary Scan -------
    .
    LSP: %SYSTEMROOT%\system32\nvappfilter.dll
    FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\9o7f2904.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-22 18:22
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Hitachi_ rev.V54O -> Harddisk0\DR0 -> \Device\Scsi\nvgts1

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89CBC446]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89cc2504]; MOV EAX, [0x89cc2580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89D18AB8]
    3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000065[0x89D16F18]
    5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89D17A38]
    \Driver\nvgts[0x89CF2590] -> IRP_MJ_CREATE -> 0x89CBC446
    error: Read The system cannot find the file specified.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Scsi\nvgts1Port2Path1Target1Lun0 -> \??\SCSI#Disk&Ven_Hitachi&Prod_HDT725032VLA&Rev_V54O#4&358dcf36&0&110#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(796)
    c:\windows\system32\nvappfilter.dll

    - - - - - - - > 'explorer.exe'(3600)
    c:\windows\system32\nvappfilter.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    .
    **************************************************************************
    .
    Completion time: 2010-12-22 18:27:25 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-12-23 00:27

    Pre-Run: 214,870,810,624 bytes free
    Post-Run: 225,010,294,784 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - 566E35BFFC9BCCD2854A0F859B16CEBE

    ================================================

    Also, when I restart my computer, as soon as the Windows screen comes up, sometimes it loops and restarts over and over about 10 times, then logs in normally. This only started happening in the past couple of days.
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You still have a rootkit infection:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double-click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with descriptions.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result. Leave log please.
    • A reboot is required after disinfection.
    ================================================
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format > Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    There are removals from Combofix I'll set up but you need to run the rootkit program again.
     
  9. Booties

    Booties TS Rookie Topic Starter

    TDSS Killer Log


    2010/12/23 19:25:12.0275 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
    2010/12/23 19:25:12.0275 ================================================================================
    2010/12/23 19:25:12.0275 SystemInfo:
    2010/12/23 19:25:12.0275
    2010/12/23 19:25:12.0275 OS Version: 5.1.2600 ServicePack: 3.0
    2010/12/23 19:25:12.0275 Product type: Workstation
    2010/12/23 19:25:12.0275 ComputerName: BOOTIESPC
    2010/12/23 19:25:12.0275 UserName: Chris
    2010/12/23 19:25:12.0275 Windows directory: C:\WINDOWS
    2010/12/23 19:25:12.0275 System windows directory: C:\WINDOWS
    2010/12/23 19:25:12.0275 Processor architecture: Intel x86
    2010/12/23 19:25:12.0275 Number of processors: 4
    2010/12/23 19:25:12.0275 Page size: 0x1000
    2010/12/23 19:25:12.0275 Boot type: Normal boot
    2010/12/23 19:25:12.0275 ================================================================================
    2010/12/23 19:25:12.0650 Initialize success
    2010/12/23 19:25:22.0056 ================================================================================
    2010/12/23 19:25:22.0056 Scan started
    2010/12/23 19:25:22.0056 Mode: Manual;
    2010/12/23 19:25:22.0056 ================================================================================
    2010/12/23 19:25:28.0775 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2010/12/23 19:25:28.0775 ================================================================================
    2010/12/23 19:25:28.0775 Scan finished
    2010/12/23 19:25:28.0775 ================================================================================
    2010/12/23 19:25:28.0791 Detected object count: 1
    2010/12/23 19:25:49.0963 \HardDisk0 - copied to quarantine
    2010/12/23 19:25:49.0994 \HardDisk0\TDLFS\cfg.ini - copied to quarantine
    2010/12/23 19:25:49.0994 \HardDisk0\TDLFS\mbr - copied to quarantine
    2010/12/23 19:25:49.0994 \HardDisk0\TDLFS\bckfg.tmp - copied to quarantine
    2010/12/23 19:25:49.0994 \HardDisk0\TDLFS\cmd.dll - copied to quarantine
    2010/12/23 19:25:50.0010 \HardDisk0\TDLFS\ldr16 - copied to quarantine
    2010/12/23 19:25:50.0010 \HardDisk0\TDLFS\ldr32 - copied to quarantine
    2010/12/23 19:25:50.0010 \HardDisk0\TDLFS\ldr64 - copied to quarantine
    2010/12/23 19:25:50.0025 \HardDisk0\TDLFS\drv64 - copied to quarantine
    2010/12/23 19:25:50.0025 \HardDisk0\TDLFS\cmd64.dll - copied to quarantine
    2010/12/23 19:25:50.0025 \HardDisk0\TDLFS\drv32 - copied to quarantine
    2010/12/23 19:25:50.0025 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Quarantine

    ================================================

    HijackThis

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:34:38 PM, on 12/23/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
    C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
    C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
    C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\SRWare Iron\iron.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\SRWare Iron\iron.exe
    C:\Program Files\SRWare Iron\iron.exe
    C:\Program Files\SRWare Iron\iron.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
    O4 - HKLM\..\Run: [CPU Power Monitor] "C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe"
    O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
    O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
    O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 6617 bytes
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Have you got an antivirus program back running? I don't see it.

    Download bootkitremover.rar and save it to your desktop.
    • Extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip.
    • Double-click on the remover.exe file to run the program.
    • Paste the output in your next reply.
     
  11. Booties

    Booties TS Rookie Topic Starter

    I did not reinstall it before I ran TDSSkiller or HijackThis. I have one up and running now.

    bootkitremover log

    .\debug.cpp(238) : Debug log started at 25.12.2010 - 03:41:19
    .\boot_cleaner.cpp(527) : Bootkit Remover
    .\boot_cleaner.cpp(528) : (c) 2009 eSage Lab
    .\boot_cleaner.cpp(529) : www.esagelab.com
    .\boot_cleaner.cpp(533) : Program version: 1.2.0.0
    .\boot_cleaner.cpp(540) : OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    .\debug.cpp(248) : **********************************************
    .\debug.cpp(249) : *** [ LOADED MODULES INFORMATION ] ***********
    .\debug.cpp(250) : **********************************************
    .\debug.cpp(256) : 0xba218000 0x00010000 "\SystemRoot\system32\DRIVERS\cdrom.sys"
    .\debug.cpp(256) : 0xba228000 0x0000f000 "\SystemRoot\system32\DRIVERS\redbook.sys"
    .\debug.cpp(256) : 0xb81cd000 0x00023000 "\SystemRoot\system32\DRIVERS\ks.sys"
    .\debug.cpp(256) : 0xb81a5000 0x00028000 "\SystemRoot\system32\DRIVERS\HDAudBus.sys"
    .\debug.cpp(256) : 0xba238000 0x0000a000 "\SystemRoot\system32\DRIVERS\nvnetbus.sys"
    .\debug.cpp(256) : 0xb80bf000 0x000e6000 "\SystemRoot\system32\DRIVERS\NVNRM.SYS"
    .\debug.cpp(256) : 0xba5ec000 0x00002000 "\SystemRoot\system32\DRIVERS\ASACPI.sys"
    .\debug.cpp(256) : 0xba711000 0x00001000 "\SystemRoot\system32\DRIVERS\audstub.sys"
    .\debug.cpp(256) : 0xba248000 0x0000d000 "\SystemRoot\system32\DRIVERS\rasl2tp.sys"
    .\debug.cpp(256) : 0xb9902000 0x00003000 "\SystemRoot\system32\DRIVERS\ndistapi.sys"
    .\debug.cpp(256) : 0xb80a8000 0x00017000 "\SystemRoot\system32\DRIVERS\ndiswan.sys"
    .\debug.cpp(256) : 0xba258000 0x0000b000 "\SystemRoot\system32\DRIVERS\raspppoe.sys"
    .\debug.cpp(256) : 0xba268000 0x0000c000 "\SystemRoot\system32\DRIVERS\raspptp.sys"
    .\debug.cpp(256) : 0xba440000 0x00005000 "\SystemRoot\system32\DRIVERS\TDI.SYS"
    .\debug.cpp(256) : 0xb8097000 0x00011000 "\SystemRoot\system32\DRIVERS\psched.sys"
    .\debug.cpp(256) : 0xba278000 0x00009000 "\SystemRoot\system32\DRIVERS\msgpc.sys"
    .\debug.cpp(256) : 0xba448000 0x00005000 "\SystemRoot\system32\DRIVERS\ptilink.sys"
    .\debug.cpp(256) : 0xba450000 0x00005000 "\SystemRoot\system32\DRIVERS\raspti.sys"
    .\debug.cpp(256) : 0xb9857000 0x0000a000 "\SystemRoot\system32\DRIVERS\termdd.sys"
    .\debug.cpp(256) : 0xba458000 0x00006000 "\SystemRoot\system32\DRIVERS\kbdclass.sys"
    .\debug.cpp(256) : 0xba460000 0x00006000 "\SystemRoot\system32\DRIVERS\mouclass.sys"
    .\debug.cpp(256) : 0xba5ee000 0x00002000 "\SystemRoot\system32\DRIVERS\swenum.sys"
    .\debug.cpp(256) : 0xb8039000 0x0005e000 "\SystemRoot\system32\DRIVERS\update.sys"
    .\debug.cpp(256) : 0xb98f6000 0x00004000 "\SystemRoot\system32\DRIVERS\mssmbios.sys"
    .\debug.cpp(256) : 0xb98f2000 0x00004000 "\SystemRoot\system32\drivers\LGBusEnum.sys"
    .\debug.cpp(256) : 0xb9847000 0x0000e000 "\SystemRoot\system32\DRIVERS\NVENETFD.sys"
    .\debug.cpp(256) : 0xb9837000 0x0000a000 "\SystemRoot\System32\Drivers\NDProxy.SYS"
    .\debug.cpp(256) : 0xb2f1d000 0x0000f000 "\SystemRoot\system32\DRIVERS\usbhub.sys"
    .\debug.cpp(256) : 0xba648000 0x00002000 "\SystemRoot\system32\DRIVERS\USBD.SYS"
    .\debug.cpp(256) : 0xb0bdb000 0x00493000 "\SystemRoot\system32\drivers\RtkHDAud.sys"
    .\debug.cpp(256) : 0xb0bb7000 0x00024000 "\SystemRoot\system32\drivers\portcls.sys"
    .\debug.cpp(256) : 0xb2f0d000 0x0000f000 "\SystemRoot\system32\drivers\drmk.sys"
    .\debug.cpp(256) : 0xba64c000 0x00002000 "\SystemRoot\System32\Drivers\Fs_Rec.SYS"
    .\debug.cpp(256) : 0xb2225000 0x00001000 "\SystemRoot\System32\Drivers\Null.SYS"
    .\debug.cpp(256) : 0xba64e000 0x00002000 "\SystemRoot\System32\Drivers\Beep.SYS"
    .\debug.cpp(256) : 0xb3cc7000 0x00007000 "\SystemRoot\system32\DRIVERS\HIDPARSE.SYS"
    .\debug.cpp(256) : 0xb3cbf000 0x00006000 "\SystemRoot\System32\drivers\vga.sys"
    .\debug.cpp(256) : 0xba650000 0x00002000 "\SystemRoot\System32\Drivers\mnmdd.SYS"
    .\debug.cpp(256) : 0xba652000 0x00002000 "\SystemRoot\System32\DRIVERS\RDPCDD.sys"
    .\debug.cpp(256) : 0xb3cb7000 0x00005000 "\SystemRoot\System32\Drivers\Msfs.SYS"
    .\debug.cpp(256) : 0xb3caf000 0x00008000 "\SystemRoot\System32\Drivers\Npfs.SYS"
    .\debug.cpp(256) : 0xb2d6b000 0x00003000 "\SystemRoot\system32\DRIVERS\rasacd.sys"
    .\debug.cpp(256) : 0xb0b17000 0x00013000 "\SystemRoot\system32\DRIVERS\ipsec.sys"
    .\debug.cpp(256) : 0xb0abe000 0x00059000 "\SystemRoot\system32\DRIVERS\tcpip.sys"
    .\debug.cpp(256) : 0xb0a96000 0x00028000 "\SystemRoot\system32\DRIVERS\netbt.sys"
    .\debug.cpp(256) : 0xb0a70000 0x00026000 "\SystemRoot\system32\DRIVERS\ipnat.sys"
    .\debug.cpp(256) : 0xb2eed000 0x00009000 "\SystemRoot\system32\DRIVERS\wanarp.sys"
    .\debug.cpp(256) : 0xb09ef000 0x00081000 "\SystemRoot\System32\vsdatant.sys"
    .\debug.cpp(256) : 0xb2edd000 0x0000f000 "\SystemRoot\system32\DRIVERS\arp1394.sys"
    .\debug.cpp(256) : 0xb23af000 0x00003000 "\SystemRoot\System32\drivers\ws2ifsl.sys"
    .\debug.cpp(256) : 0xb09cd000 0x00022000 "\SystemRoot\System32\drivers\afd.sys"
    .\debug.cpp(256) : 0xb2ecd000 0x00009000 "\SystemRoot\system32\DRIVERS\netbios.sys"
    .\debug.cpp(256) : 0xb09a2000 0x0002b000 "\SystemRoot\system32\DRIVERS\rdbss.sys"
    .\debug.cpp(256) : 0xb090a000 0x00070000 "\SystemRoot\system32\DRIVERS\mrxsmb.sys"
    .\debug.cpp(256) : 0xb2ebd000 0x0000b000 "\SystemRoot\System32\Drivers\Fips.SYS"
    .\debug.cpp(256) : 0xba626000 0x00002000 "\SystemRoot\system32\drivers\AsIO.sys"
    .\debug.cpp(256) : 0xab98f000 0x00008000 "\SystemRoot\system32\DRIVERS\usbccgp.sys"
    .\debug.cpp(256) : 0xac3c9000 0x00003000 "\SystemRoot\system32\DRIVERS\hidusb.sys"
    .\debug.cpp(256) : 0xabbd7000 0x00009000 "\SystemRoot\system32\DRIVERS\HIDCLASS.SYS"
    .\debug.cpp(256) : 0xabbc7000 0x0000f000 "\SystemRoot\system32\drivers\usbaudio.sys"
    .\debug.cpp(256) : 0xabd32000 0x00003000 "\SystemRoot\system32\DRIVERS\mouhid.sys"
    .\debug.cpp(256) : 0xabd2a000 0x00004000 "\SystemRoot\system32\DRIVERS\kbdhid.sys"
    .\debug.cpp(256) : 0xab977000 0x00007000 "\SystemRoot\system32\DRIVERS\USBSTOR.SYS"
    .\debug.cpp(256) : 0xab62b000 0x00010000 "\SystemRoot\System32\Drivers\Cdfs.SYS"
    .\debug.cpp(256) : 0xabd1e000 0x00004000 "\SystemRoot\System32\Drivers\dump_diskdump.sys"
    .\debug.cpp(256) : 0xaad46000 0x0001d000 "\SystemRoot\System32\Drivers\dump_nvgts.sys"
    .\debug.cpp(256) : 0xbf800000 0x001c5000 "\SystemRoot\System32\win32k.sys"
    .\debug.cpp(256) : 0xab899000 0x00003000 "\SystemRoot\System32\drivers\Dxapi.sys"
    .\debug.cpp(256) : 0xab96f000 0x00005000 "\SystemRoot\System32\watchdog.sys"
    .\debug.cpp(256) : 0xbf000000 0x00012000 "\SystemRoot\System32\drivers\dxg.sys"
    .\debug.cpp(256) : 0xb220b000 0x00001000 "\SystemRoot\System32\drivers\dxgthk.sys"
    .\debug.cpp(256) : 0xbf012000 0x005e7000 "\SystemRoot\System32\nv4_disp.dll"
    .\debug.cpp(256) : 0xb8031000 0x00004000 "\SystemRoot\system32\DRIVERS\ndisuio.sys"
    .\debug.cpp(256) : 0xaaa69000 0x00015000 "\SystemRoot\system32\drivers\wdmaud.sys"
    .\debug.cpp(256) : 0xab67b000 0x0000f000 "\SystemRoot\system32\drivers\sysaudio.sys"
    .\debug.cpp(256) : 0xba5ca000 0x00002000 "\SystemRoot\system32\drivers\LGVirHid.sys"
    .\debug.cpp(256) : 0xaa7de000 0x0002d000 "\SystemRoot\system32\DRIVERS\mrxdav.sys"
    .\debug.cpp(256) : 0xba61c000 0x00002000 "\SystemRoot\System32\Drivers\ParVdm.SYS"
    .\debug.cpp(256) : 0xaa696000 0x00058000 "\SystemRoot\system32\DRIVERS\srv.sys"
    .\debug.cpp(256) : 0xaa1a5000 0x00041000 "\SystemRoot\System32\Drivers\HTTP.sys"
    .\debug.cpp(256) : 0xaa48e000 0x00003000 "\??\C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys"
    .\debug.cpp(256) : 0x8a133000 0x0002b000 "\SystemRoot\system32\drivers\kmixer.sys"
    .\debug.cpp(256) : 0xba498000 0x00005000 "\SystemRoot\system32\DRIVERS\avgrkx86.sys"
    .\debug.cpp(256) : 0x8abe6000 0x00048000 "\SystemRoot\system32\DRIVERS\avgtdix.sys"
    .\debug.cpp(256) : 0x8a4ed000 0x0000a000 "\SystemRoot\system32\DRIVERS\AVGIDSShim.Sys"
    .\debug.cpp(256) : 0x8a982000 0x00026000 "\SystemRoot\system32\DRIVERS\avipbb.sys"
    .\debug.cpp(256) : 0xabb99000 0x00002000 "\??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys"
    .\debug.cpp(256) : 0x8a60f000 0x00015000 "\SystemRoot\system32\DRIVERS\avgntflt.sys"
    .\debug.cpp(256) : 0x7c900000 0x000b2000 "\WINDOWS\system32\ntdll.dll"
    .\debug.cpp(263) : **********************************************
    .\debug.cpp(307) : *** [ DEVICE OBJECTS INFORMATION ] ***********
    .\debug.cpp(308) : **********************************************
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\D:"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0d8c&Pid_000e&MI_00#6&2aa226d2&0&0000#{65e8773e-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000069"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDIS"
    .\debug.cpp(400) : Destination "\Device\Ndis"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi3:"
    .\debug.cpp(400) : Destination "\Device\Scsi\nvgts2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB#4&15dae351&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY1"
    .\debug.cpp(400) : Destination "\Device\Video0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ffbb6e3f-ccfe-4d84-90d9-421418b03a8e}"
    .\debug.cpp(400) : Destination "\Device\00000032"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY2"
    .\debug.cpp(400) : Destination "\Device\Video1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{1a3e09be-1e45-494b-9174-d7385b45bbf5}#NVNET_DEV0269#4&10b48ce1&0&00#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000062"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPPOEMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000002b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_23#_1#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
    .\debug.cpp(400) : Destination "\Device\00000039"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_0266&SUBSYS_81BC1043&REV_A1#3&2411e6fe&0&70#{2accfe60-c130-11d2-b082-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0026"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0C0C#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\0000003c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&42e5594&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk5\DP(1)0-0+b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ip"
    .\debug.cpp(400) : Destination "\Device\Ip"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0d8c&Pid_000e&MI_00#6&2aa226d2&0&0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000069"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY3"
    .\debug.cpp(400) : Destination "\Device\Video2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\E:"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\avgio"
    .\debug.cpp(400) : Destination "\Device\avgio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPSECDev"
    .\debug.cpp(400) : Destination "\Device\IPSEC"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ATKACPI"
    .\debug.cpp(400) : Destination "\Device\ATKACPI"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\DISPLAY4"
    .\debug.cpp(400) : Destination "\Device\Video3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_NDISWANIP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000002a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_23#_3#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
    .\debug.cpp(400) : Destination "\Device\0000003b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDPROXY"
    .\debug.cpp(400) : Destination "\Device\NDProxy"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CDR4_XP"
    .\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_0267&SUBSYS_81BC1043&REV_A1#3&2411e6fe&0&78#{2accfe60-c130-11d2-b082-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0027"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{b9e90594-cb51-11df-9db7-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\Harddisk4\DP(1)0-0+a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{b9e90595-cb51-11df-9db7-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\Harddisk5\DP(1)0-0+b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\$VDMLPT1"
    .\debug.cpp(400) : Destination "\Device\ParallelVdm0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_046d&Pid_c227#6&8236904&0&4#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3c0d501a-140b-11d1-b40f-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000032"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{9E5F0E31-CB46-427E-ACC6-B78ADA02BDA4}"
    .\debug.cpp(400) : Destination "\Device\{9E5F0E31-CB46-427E-ACC6-B78ADA02BDA4}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#VID_046D&PID_C232#2&27de21cd&0&0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000007e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WMIDataDevice"
    .\debug.cpp(400) : Destination "\Device\WMIDataDevice"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\F:"
    .\debug.cpp(400) : Destination "\Device\Harddisk2\DP(1)0-0+8"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#Disk&Ven_Generic&Prod_STORAGE_DEVICE&Rev_9722#000000009722&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000076"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\COM1"
    .\debug.cpp(400) : Destination "\Device\Serial0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{3DA07AC7-8D7C-4ADC-86B0-EE495EF8B612}"
    .\debug.cpp(400) : Destination "\Device\{3DA07AC7-8D7C-4ADC-86B0-EE495EF8B612}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_1106&DEV_3044&SUBSYS_81FE1043&REV_C0#4&dc268a3&0&4080#{6bdd1fc1-810f-11d0-bec7-08002be2092f}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0032"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\avgntflt"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\avgntflt"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCSI#CdRom&Ven_HL-DT-ST&Prod_DVD-RAM_GH22NS30&Rev_1.00#4&3840d2d&0&110#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Scsi\nvgts2Port3Path1Target1Lun0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AvgAntiRootkit"
    .\debug.cpp(400) : Destination "\Device\AvgAntiRootkit"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{dff220f3-f70f-11d0-b917-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000032"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ZLTCP"
    .\debug.cpp(400) : Destination "\Device\Tcp"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_23#_0#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
    .\debug.cpp(400) : Destination "\Device\00000038"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PIPE"
    .\debug.cpp(400) : Destination "\Device\NamedPipe"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&79c0dac&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk2\DP(1)0-0+8"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Lbd"
    .\debug.cpp(400) : Destination "\Device\Lbd"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c5066e-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{2eb07ea0-7e70-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000032"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_046d&Pid_c051#5&3a9420b6&0&4#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\UNC"
    .\debug.cpp(400) : Destination "\Device\Mup"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\G:"
    .\debug.cpp(400) : Destination "\Device\Harddisk3\DP(1)0-0+9"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PSched"
    .\debug.cpp(400) : Destination "\Device\PSched"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPNAT"
    .\debug.cpp(400) : Destination "\Device\IPNAT"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0883&SUBSYS_1043829E&REV_1000#4&1d86fb08&0&0001#{86841137-ed8e-4d97-9975-f2ed56b4430e}"
    .\debug.cpp(400) : Destination "\Device\00000064"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_0613&SUBSYS_C8803842&REV_A2#6&20f9c1f5&0&00000018#{5b45201d-f2f2-4f3b-85bb-30ff1f953599}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0038"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{b9e90592-cb51-11df-9db7-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\Harddisk2\DP(1)0-0+8"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&307d270e&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgrMsg"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgrMsg"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AvgTdi"
    .\debug.cpp(400) : Destination "\Device\AvgTdi"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000032"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD0"
    .\debug.cpp(400) : Destination "\Device\USBFDO-0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0003#{5bada891-842b-4296-a496-68ae931aa16c}"
    .\debug.cpp(400) : Destination "\Device\00000035"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Tcp"
    .\debug.cpp(400) : Destination "\Device\Tcp"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCSI#CdRom&Ven_HL-DT-ST&Prod_DVD-RAM_GH22NS30&Rev_1.00#4&3840d2d&0&110#{1186654d-47b8-48b9-beb9-7df113ae3c67}"
    .\debug.cpp(400) : Destination "\Device\Scsi\nvgts2Port3Path1Target1Lun0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LCD"
    .\debug.cpp(400) : Destination "\Device\VideoPdo0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&307d270e&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HCD1"
    .\debug.cpp(400) : Destination "\Device\USBFDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PTIMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000002f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{b9e90591-cb51-11df-9db7-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DP(1)0-0+7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive0"
    .\debug.cpp(400) : Destination "\Device\Harddisk0\DR0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PRN"
    .\debug.cpp(400) : Destination "\DosDevices\LPT1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0001#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000002e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{53172480-4791-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000032"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{b9e90593-cb51-11df-9db7-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\Harddisk3\DP(1)0-0+9"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive1"
    .\debug.cpp(400) : Destination "\Device\Harddisk1\DR2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\H:"
    .\debug.cpp(400) : Destination "\Device\Harddisk4\DP(1)0-0+a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_046d&Pid_c227&Col02#7&332f080a&0&0001#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\00000071"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{853D1D42-88DB-4D57-B594-2953A6F0525B}"
    .\debug.cpp(400) : Destination "\Device\{853D1D42-88DB-4D57-B594-2953A6F0525B}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\sysaudio"
    .\debug.cpp(400) : Destination "\Device\sysaudio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCSI#CdRom&Ven_HL-DT-ST&Prod_DVD-RAM_GH22NS30&Rev_1.00#4&3840d2d&0&110#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Scsi\nvgts2Port3Path1Target1Lun0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\fsWrap"
    .\debug.cpp(400) : Destination "\Device\FsWrap"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{97ebaacb-95bd-11d0-a3ea-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000032"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PSCHEDMP#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000002d"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\CdRom0"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive2"
    .\debug.cpp(400) : Destination "\Device\Harddisk2\DR3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive3"
    .\debug.cpp(400) : Destination "\Device\Harddisk3\DR4"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Global"
    .\debug.cpp(400) : Destination "\GLOBAL??"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_0269&SUBSYS_82211043&REV_A3#3&2411e6fe&0&A0#{c4f6eed3-1c5e-4f43-a768-83ecba42fcc1}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0030"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0d8c&Pid_000e#5&3a9420b6&0&2#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#FixedButton#2&daba3ff&0#{4afa3d53-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000041"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive4"
    .\debug.cpp(400) : Destination "\Device\Harddisk4\DR5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\I:"
    .\debug.cpp(400) : Destination "\Device\Harddisk5\DP(1)0-0+b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#VID_046D&PID_C231#2&1087fe56&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\0000007f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0883&SUBSYS_1043829E&REV_1000#4&1d86fb08&0&0001#{dda54a40-1e4c-11d1-a050-405705c10000}"
    .\debug.cpp(400) : Destination "\Device\00000064"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#Disk&Ven_Generic&Prod_STORAGE_DEVICE&Rev_9722#000000009722&2#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000078"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{86e0d1e0-8089-11d0-9ce4-08003e301f73}"
    .\debug.cpp(400) : Destination "\Device\0000005a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PxHelperDevice0"
    .\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PhysicalDrive5"
    .\debug.cpp(400) : Destination "\Device\Harddisk5\DR6"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_046d&Pid_c226&MI_00#8&303af380&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\00000072"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50671-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#ThermalZone#THRM#{4afa3d51-74a7-11d0-be5e-00a0c9062857}"
    .\debug.cpp(400) : Destination "\Device\00000040"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Kernexplorer"
    .\debug.cpp(400) : Destination "\Device\Kernexplorer"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_046d&Pid_c226&MI_01&Col01#8&1d0ad742&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\00000073"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{3e227e76-690d-11d2-8161-0000f8775bf1}"
    .\debug.cpp(400) : Destination "\Device\00000032"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad809c00-7b88-11d0-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000032"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{9ea331fa-b91b-45f8-9285-bd2bc77afcde}"
    .\debug.cpp(400) : Destination "\Device\00000032"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#Disk&Ven_Generic&Prod_STORAGE_DEVICE&Rev_9722#000000009722&1#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000077"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ARP1394"
    .\debug.cpp(400) : Destination "\Device\ARP1394"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#VID_046D&PID_C231#2&1087fe56&0&0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000007f"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_046d&Pid_c226#6&8236904&0&1#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-5"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0501#1#{4d36e978-e325-11ce-bfc1-08002be10318}"
    .\debug.cpp(400) : Destination "\Device\0000005a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{745e3264-cbf8-11df-9bf7-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\CdRom0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&2d0f6ef6&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk4\DP(1)0-0+a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_026E&SUBSYS_81BC1043&REV_A3#3&2411e6fe&0&59#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0024"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MountPointManager"
    .\debug.cpp(400) : Destination "\Device\MountPointManager"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&1a55be51&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk3\DP(1)0-0+9"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{d6c50674-72c1-11d2-9755-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&2d0f6ef6&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk4\DP(1)0-0+a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_L2TPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000029"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#GenuineIntel_-_x86_Family_6_Model_23#_2#{97fadb10-4e33-40ae-359c-8bef029dbdd0}"
    .\debug.cpp(400) : Destination "\Device\0000003a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MbDlDp32"
    .\debug.cpp(400) : Destination "\Device\PxHelperDevice0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\WanArp"
    .\debug.cpp(400) : Destination "\Device\WANARP"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#ftdisk#0000#{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_046d&Pid_c227&Col01#7&332f080a&0&0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000070"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&79c0dac&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk2\DP(1)0-0+8"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LPTENUM#MicrosoftRawPort#5&1d62032d&0&LPT1#{811fc6a5-f728-11d0-a537-0000f8753ed1}"
    .\debug.cpp(400) : Destination "\Device\Parallel0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Volume{b9e90596-cb51-11df-9db7-806d6172696f}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AVGIDSShim"
    .\debug.cpp(400) : Destination "\Device\AVGIDSShim"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\00000032"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{5A5E13D9-5FF2-4DF8-A34E-A820EBB20000}"
    .\debug.cpp(400) : Destination "\Device\{5A5E13D9-5FF2-4DF8-A34E-A820EBB20000}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISWANIP"
    .\debug.cpp(400) : Destination "\Device\NdisWanIp"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{91BE01E4-6ABA-4224-8A68-07F702133F92}"
    .\debug.cpp(400) : Destination "\Device\{91BE01E4-6ABA-4224-8A68-07F702133F92}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{bf963d80-c559-11d0-8a2b-00a0c9255ac1}"
    .\debug.cpp(400) : Destination "\Device\00000032"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SW#{a7c7a5b0-5af3-11d1-9ced-00a024bf0407}#{9B365890-165F-11D0-A195-0020AFD156E4}#{fbf6f530-07b9-11d2-a71e-0000f8004788}"
    .\debug.cpp(400) : Destination "\Device\KSENUM#00000002"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_046d&Pid_c051#6&3a6887d5&0&0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\0000006c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi0:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#VID_046D&PID_C232#2&27de21cd&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\0000007e"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_046d&Pid_c051#6&3a6887d5&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\0000006c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&1a55be51&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk3\DP(1)0-0+9"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\1394BUS0"
    .\debug.cpp(400) : Destination "\Device\1394BUS0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\ACPI#PNP0400#1#{97f76ef0-f883-11d0-af1f-0000f800845c}"
    .\debug.cpp(400) : Destination "\Device\0000005b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PCI#VEN_10DE&DEV_026D&SUBSYS_81BC1043&REV_A3#3&2411e6fe&0&58#{3abf6f2d-71c4-462a-8a92-1e6861e6af27}"
    .\debug.cpp(400) : Destination "\Device\NTPNP_PCI0023"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{4747b320-62ce-11cf-a5d6-28db04c10000}"
    .\debug.cpp(400) : Destination "\Device\00000032"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#MS_PPTPMINIPORT#0000#{ad498944-762f-11d0-8dcb-00c04fc3358c}"
    .\debug.cpp(400) : Destination "\Device\0000002c"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{7C864F18-1810-4619-888F-8421772BA702}"
    .\debug.cpp(400) : Destination "\Device\{7C864F18-1810-4619-888F-8421772BA702}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK1"
    .\debug.cpp(400) : Destination "\Device\ParTechInc0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#SYSTEM#0000#{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}"
    .\debug.cpp(400) : Destination "\Device\00000032"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0883&SUBSYS_1043829E&REV_1000#4&1d86fb08&0&0001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000064"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NDISTAPI"
    .\debug.cpp(400) : Destination "\Device\NdisTapi"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NdisWan"
    .\debug.cpp(400) : Destination "\Device\NdisWan"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#Disk&Ven_Generic&Prod_STORAGE_DEVICE&Rev_9722#000000009722&3#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\00000079"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi1:"
    .\debug.cpp(400) : Destination "\Device\Ide\IdePort1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\IPMULTICAST"
    .\debug.cpp(400) : Destination "\Device\IPMULTICAST"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#ROOT_HUB20#4&6b9ade&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\LPT1"
    .\debug.cpp(400) : Destination "\Device\Parallel0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK2"
    .\debug.cpp(400) : Destination "\Device\ParTechInc1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Shadow"
    .\debug.cpp(400) : Destination "\Device\LanmanRedirector"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\SCSI#Disk&Ven_Hitachi&Prod_HDT725032VLA&Rev_V54O#4&358dcf36&0&110#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Scsi\nvgts1Port2Path1Target1Lun0"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_046d&Pid_c223#5&3a9420b6&0&3#{f18a0e88-c30c-11d0-8815-00a0c906bed8}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-3"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\PTILINK3"
    .\debug.cpp(400) : Destination "\Device\ParTechInc2"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FltMgr"
    .\debug.cpp(400) : Destination "\FileSystem\Filters\FltMgr"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USBSTOR#Disk&Ven_Generic&Prod_STORAGE_DEVICE&Rev_9722#000000009722&4#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\0000007a"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{1DD3A857-DB25-4028-9A04-C22863333512}"
    .\debug.cpp(400) : Destination "\Device\{1DD3A857-DB25-4028-9A04-C22863333512}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\{E187CCFC-C738-4253-94F5-F0662677D4EE}"
    .\debug.cpp(400) : Destination "\Device\{E187CCFC-C738-4253-94F5-F0662677D4EE}"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\FtControl"
    .\debug.cpp(400) : Destination "\Device\FtControl"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\C:"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\MAILSLOT"
    .\debug.cpp(400) : Destination "\Device\MailSlot"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_0d8c&Pid_000e&MI_03#7&379c954c&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\0000006d"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0883&SUBSYS_1043829E&REV_1000#4&1d86fb08&0&0001#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000064"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#RemovableMedia#7&42e5594&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\Harddisk5\DP(1)0-0+b"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_05e3&Pid_0716#000000009722#{a5dcbf10-6530-11d2-901f-00c04fb951ed}"
    .\debug.cpp(400) : Destination "\Device\USBPDO-7"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\AUX"
    .\debug.cpp(400) : Destination "\DosDevices\COM1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\GLOBALROOT"
    .\debug.cpp(400) : Destination ""
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_046d&Pid_c227&Col01#7&332f080a&0&0000#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\00000070"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\NUL"
    .\debug.cpp(400) : Destination "\Device\Null"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Ndisuio"
    .\debug.cpp(400) : Destination "\Device\Ndisuio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_MOU#0000#{378de44c-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000031"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Scsi2:"
    .\debug.cpp(400) : Destination "\Device\Scsi\nvgts1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\STORAGE#Volume#1&30a96598&0&Signature9D489D48Offset7E00Length4A852F8200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    .\debug.cpp(400) : Destination "\Device\HarddiskVolume1"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_046d&Pid_c226&MI_01&Col02#8&1d0ad742&0&0001#{4d1e55b2-f16f-11cf-88cb-001111000030}"
    .\debug.cpp(400) : Destination "\Device\00000074"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Root#RDP_KBD#0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000030"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\Asusgio"
    .\debug.cpp(400) : Destination "\Device\Asusgio"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\avipbb"
    .\debug.cpp(400) : Destination "\Device\avipbb"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\USB#Vid_0d8c&Pid_000e&MI_00#6&2aa226d2&0&0000#{65e8773d-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000069"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HDAUDIO#FUNC_01&VEN_10EC&DEV_0883&SUBSYS_1043829E&REV_1000#4&1d86fb08&0&0001#{65e8773e-8f56-11d0-a3b9-00a0c9223196}"
    .\debug.cpp(400) : Destination "\Device\00000064"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\vsdatant"
    .\debug.cpp(400) : Destination "\Device\vsdatant"
    .\debug.cpp(409) : --
    .\debug.cpp(369) : SymbolicLink "\GLOBAL??\HID#Vid_046d&Pid_c226&MI_00#8&303af380&0&0000#{884b96c3-56ef-11d1-bc8c-00a0c91405dd}"
    .\debug.cpp(400) : Destination "\Device\00000072"
    .\debug.cpp(409) : --
    .\debug.cpp(453) : **********************************************
    .\boot_cleaner.cpp(565) : System volume is \\.\C:
    .\boot_cleaner.cpp(600) : \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    .\diskio.cpp(204) : ATA_Read(): DeviceIoControl() ERROR 1
    .\boot_cleaner.cpp(276) : Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd
    .\boot_cleaner.cpp(1060) :
    .\boot_cleaner.cpp(1061) : Size Device Name MBR Status
    .\boot_cleaner.cpp(1062) : --------------------------------------------
    .\boot_cleaner.cpp(1106) : 298 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)
    .\boot_cleaner.cpp(1112) :
    .\boot_cleaner.cpp(1151) : Done;
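The boot-cleaner lines above give the two numbers a helper actually reasons about: where the system volume starts on PhysicalDrive0 (offset 0x7e00) and an MD5 of the boot sector. The Python below is an added example, not code from the thread or from ComboFix or Gmer, showing what such a check does with a raw 512-byte sector: verify the 0x55AA signature, decode the partition table so the volume offset (LBA 63 x 512 = 0x7E00) can be derived instead of trusted, hash the 440-byte boot-code region separately from the disk signature and partition table, and compare that hash against a recorded baseline. The MBR it parses is constructed inside the script; its disk signature, start LBA and length were chosen to match the Signature9D489D48 / Offset7E00 / Length4A852F8200 values printed in the device listing above so the arithmetic can be checked by eye. The baseline hash and the expected offset are assumptions supplied by the caller.

```python
import hashlib
import struct

SECTOR = 512

# Constructed 512-byte MBR for this example (not the thread's disk). The disk
# signature, start LBA and length are chosen to match the Signature9D489D48 /
# Offset7E00 / Length4A852F8200 values printed in the device listing above.
_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 433   # bytes 0-439
_DISK_SIG = struct.pack("<I", 0x9D489D48)                     # bytes 440-443
_PART1 = struct.pack("<B3sB3sII",                             # one 16-byte entry
                     0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF",
                     63, 0x4A852F8200 // SECTOR)
SAMPLE_MBR = (_BOOT_CODE + _DISK_SIG + b"\x00\x00" + _PART1
              + b"\x00" * 48 + b"\x55\xAA")


def parse_mbr(sector: bytes) -> dict:
    """Decode one 512-byte MBR: signature, disk id, hashes, partition table."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        boot, ptype, start_lba, length = struct.unpack_from(
            "<B3xB3xII", sector, 446 + 16 * i)   # the 3x skip the CHS fields
        if ptype == 0:
            continue
        partitions.append({
            "index": i,
            "bootable": boot == 0x80,
            "type": ptype,
            "start_lba": start_lba,
            "byte_offset": start_lba * SECTOR,   # what the log prints as the volume offset
            "length_bytes": length * SECTOR,
        })
    return {
        "signature_ok": sector[510:512] == b"\x55\xAA",
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "sector_md5": hashlib.md5(sector).hexdigest(),
        # Hash the code region on its own: a bootkit rewrites this part and
        # normally leaves the partition table alone, so a whole-sector hash
        # cannot tell "boot code replaced" from "partition table edited".
        "boot_code_md5": hashlib.md5(sector[:440]).hexdigest(),
        "partitions": partitions,
    }


def assess(sector: bytes, baseline_boot_code_md5: str, expected_first_offset: int) -> list:
    """Findings worth a second look; an empty list means nothing stood out.

    baseline_boot_code_md5: hash taken from a known-clean read (assumed to exist).
    expected_first_offset: where the OS says the system volume starts (0x7E00 above).
    """
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("0x55AA signature missing: not a valid MBR")
    if info["boot_code_md5"] != baseline_boot_code_md5:
        findings.append("boot code differs from the recorded baseline")
    if not info["partitions"]:
        findings.append("partition table is empty")
    elif info["partitions"][0]["byte_offset"] != expected_first_offset:
        findings.append("first partition no longer starts at the expected offset")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    return findings


if __name__ == "__main__":
    clean = parse_mbr(SAMPLE_MBR)
    print("disk signature %08X, first partition at 0x%X, boot code md5 %s" % (
        clean["disk_signature"], clean["partitions"][0]["byte_offset"],
        clean["boot_code_md5"]))
    tampered = bytearray(SAMPLE_MBR)
    tampered[0] ^= 0xFF                       # overwrite one byte of boot code
    print(assess(bytes(tampered), clean["boot_code_md5"], 0x7E00))
```

To run this against a real disk on Windows the caller would open `\\.\PhysicalDrive0` with administrator rights and read the first 512 bytes. The caveat that makes tools like Gmer read the sector both from user mode and from the kernel is that a rootkit hooking the disk stack can hand a clean copy back to an ordinary read; a user-mode hash match on its own is therefore weaker evidence than a kernel-level read that agrees with it.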
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please get the current updates for each of the following:
    Uninstall any earlier versions of each as they are vulnerabilities.
    ===========================================
    Please do a new scan with Combofix and leave the log in your next reply.
     
  13. Booties

    Booties TS Rookie Topic Starter

    ComboFix 10-12-26.01 - Chris 12/26/2010 13:38:40.2.4 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1380 [GMT -6:00]
    Running from: c:\documents and settings\Chris\My Documents\Downloads\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .

    ((((((((((((((((((((((((( Files Created from 2010-11-26 to 2010-12-26 )))))))))))))))))))))))))))))))
    .

    2010-12-26 18:18 . 2010-12-26 18:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-12-25 06:25 . 2010-12-25 06:25 -------- d-----w- c:\windows\system32\NtmsData
    2010-12-25 03:23 . 2010-12-13 14:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-12-25 03:23 . 2010-12-13 14:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-12-25 03:23 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-12-25 03:23 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-12-25 03:23 . 2010-12-25 03:23 -------- d-----w- c:\program files\Avira
    2010-12-25 03:23 . 2010-12-25 03:23 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
    2010-12-22 08:07 . 2010-12-22 08:07 -------- d-----w- C:\_OTM
    2010-12-19 23:04 . 2010-12-19 23:04 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Yahoo
    2010-12-19 23:00 . 2010-12-19 23:02 -------- d-----w- c:\documents and settings\Chris\Application Data\Yahoo!
    2010-12-19 23:00 . 2010-12-19 23:00 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo! Companion
    2010-12-19 22:59 . 2010-12-19 23:00 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!
    2010-12-18 08:07 . 2010-12-18 08:07 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Mozilla
    2010-12-16 06:39 . 2010-12-24 01:25 -------- d-----w- C:\TDSSKiller_Quarantine
    2010-12-12 23:08 . 2010-12-12 23:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\dOcCl06301
    2010-12-03 10:26 . 2010-12-03 10:26 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Identities
    2010-12-03 10:26 . 2010-12-04 09:25 -------- d-----w- c:\documents and settings\Chris\Application Data\Invu
    2010-12-03 10:26 . 2010-12-03 10:51 -------- d-----w- c:\documents and settings\Chris\Application Data\Viqa
    2010-11-28 02:25 . 2010-11-28 02:25 388096 ----a-r- c:\documents and settings\Chris\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-11-28 02:25 . 2010-11-28 02:25 -------- d-----w- c:\program files\Trend Micro
    2010-11-27 05:17 . 2010-11-27 05:17 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Adobe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-26 18:18 . 2010-10-07 20:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-29 23:42 . 2010-09-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-29 23:42 . 2010-09-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-23 12:45 . 2010-09-29 19:56 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-10-16 18:55 . 2010-11-04 18:43 888424 ----a-w- c:\windows\system32\nvdispco32.dll
    2010-10-16 18:55 . 2010-11-04 18:43 813672 ----a-w- c:\windows\system32\nvgenco32.dll
    2010-10-16 18:55 . 2010-10-13 09:03 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2010-10-16 18:55 . 2010-10-13 09:03 13012992 ----a-w- c:\windows\system32\nvcompiler.dll
    2010-09-29 18:37 . 2010-09-29 18:37 315392 ----a-w- c:\windows\HideWin.exe
    2010-09-28 00:21 . 2010-09-28 00:21 4082 ----a-w- C:\cc_20100927_192125.reg
    2010-09-28 00:21 . 2010-09-28 00:21 19684 ----a-w- C:\cc_20100927_192106.reg
    2010-09-28 00:20 . 2010-09-28 00:20 489676 ----a-w- C:\cc_20100927_192016.reg
    2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    ------- Sigcheck -------

    [7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
    [7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe

    c:\windows\System32\spoolsv.exe ... is missing !!
    .
    ((((((((((((((((((((((((((((( SnapShot@2010-12-23_00.22.44 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-12-26 19:00 . 2010-12-26 19:00 16384 c:\windows\Temp\Perflib_Perfdata_1c4.dat
    + 2010-12-25 03:23 . 2010-06-17 20:27 28520 c:\windows\system32\drivers\ssmdrv.sys
    + 2010-12-26 18:18 . 2010-12-26 18:18 157472 c:\windows\system32\javaws.exe
    + 2010-12-26 18:18 . 2010-12-26 18:18 145184 c:\windows\system32\javaw.exe
    - 2010-11-04 19:02 . 2010-09-15 09:50 145184 c:\windows\system32\javaw.exe
    + 2010-12-26 18:18 . 2010-12-26 18:18 145184 c:\windows\system32\java.exe
    - 2010-11-04 19:02 . 2010-09-15 09:50 145184 c:\windows\system32\java.exe
    + 2010-12-26 18:18 . 2010-12-26 18:18 180224 c:\windows\Installer\3bec973.msi
    + 2010-12-26 18:18 . 2010-12-26 18:18 675840 c:\windows\Installer\3bec96e.msi
    + 2010-12-26 18:22 . 2010-12-26 18:22 2519552 c:\windows\Installer\3bec97b.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2007-10-25 16855552]
    "Ai Nap"="c:\program files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-09-06 1426432]
    "CPU Power Monitor"="c:\program files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe" [2007-10-16 626176]
    "Cpu Level Up help"="c:\program files\ASUS\Ai Suite\CpuLevelUpHelp.exe" [2007-09-11 880640]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
    "Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2010-08-03 358472]
    "Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2010-08-03 1809992]
    "Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2010-08-03 3649096]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-08 13680640]
    "nwiz"="nwiz.exe" [2009-03-08 1657376]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-08 86016]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-16 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-16 932288]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^Chris^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
    path=c:\documents and settings\Chris\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
    backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2010-06-01 16:17 5252408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    2010-11-24 04:35 1242448 ----a-w- c:\program files\Steam\Steam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\fallout new vegas\\FalloutNVLauncher.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "58706:TCP"= 58706:TCP:pando Media Booster
    "58706:UDP"= 58706:UDP:pando Media Booster

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/29/2010 1:56 PM 64288]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/24/2010 9:23 PM 135336]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/23/2010 1:46 AM 1375992]
    R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [11/23/2009 4:37 PM 19720]
    R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [10/3/2010 3:23 PM 14856]
    S0 hxbx;hxbx;c:\windows\system32\drivers\usgqyvr.sys --> c:\windows\system32\drivers\usgqyvr.sys [?]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [9/23/2010 1:46 AM 15264]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-12-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 16:49]
    .
    .
    ------- Supplementary Scan -------
    .
    LSP: %SYSTEMROOT%\system32\nvappfilter.dll
    FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\9o7f2904.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-26 13:48
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Hitachi_ rev.V54O -> Harddisk0\DR0 -> \Device\Scsi\nvgts1

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89D41446]<<
    c:\docume~1\Chris\LOCALS~1\Temp\catchme.sys
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89d47504]; MOV EAX, [0x89d47580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89CC4990]
    3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000063[0x89CC5F18]
    5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89CC6A38]
    \Driver\nvgts[0x89D96DE8] -> IRP_MJ_CREATE -> 0x89D41446
    error: Read The system cannot find the file specified.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Scsi\nvgts1Port2Path1Target1Lun0 -> \??\SCSI#Disk&Ven_Hitachi&Prod_HDT725032VLA&Rev_V54O#4&358dcf36&0&110#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(796)
    c:\windows\system32\nvappfilter.dll

    - - - - - - - > 'explorer.exe'(2152)
    c:\windows\system32\nvappfilter.dll
    .
    Completion time: 2010-12-26 13:49:59
    ComboFix-quarantined-files.txt 2010-12-26 19:49
    ComboFix2.txt 2010-12-23 00:27

    Pre-Run: 222,385,594,368 bytes free
    Post-Run: 223,460,061,184 bytes free

    - - End Of File - - B20F4C0B1E010F93081977F729AAC281
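In the services list of the ComboFix log above, one entry reads differently from the rest: a boot-start driver service (S0) whose image file ComboFix could not find, printed as "path --> path [?]" instead of a timestamp and size. The Python below is an added example, not ComboFix's code or anything posted in the thread, that parses those service lines and reports the entries a helper would look at first. Its only input is the seven lines copied from the log. It treats "[?]" as "no file to stamp at scan time", which is an assumption about ComboFix's output, and its random-name heuristic is an annotation only; the flag itself requires the missing image, so a present boot-start driver such as Lbd.sys is not reported.

```python
import re

# Service and driver lines copied from the ComboFix log above (the example's
# only input). ComboFix writes them as
#   <R|S><start type> <name>;<display name>;<image path> [<timestamp> <size>]
# and, when it cannot find the image, "<path> --> <path> [?]".
COMBOFIX_SERVICES = r"""
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/29/2010 1:56 PM 64288]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/24/2010 9:23 PM 135336]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/23/2010 1:46 AM 1375992]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [11/23/2009 4:37 PM 19720]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [10/3/2010 3:23 PM 14856]
S0 hxbx;hxbx;c:\windows\system32\drivers\usgqyvr.sys --> c:\windows\system32\drivers\usgqyvr.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [9/23/2010 1:46 AM 15264]
"""

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?: --> (?P<target>.+?))? \[(?P<info>[^\]]*)\]$"
)
VOWELS = set("aeiou")


def parse_services(text: str) -> list:
    """Turn ComboFix service lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["start"] = int(e["start"])             # 0 = boot, 1 = system, 2 = auto, 3 = demand
        e["image_present"] = e["info"] != "?"    # "[?]": no file to stamp (assumed meaning)
        e["size"] = int(e["info"].rsplit(" ", 1)[-1]) if e["image_present"] else None
        entries.append(e)
    return entries


def looks_random(name: str) -> bool:
    """Crude heuristic for generated names (hxbx, usgqyvr): 4+ letters and
    under 20% vowels. Short real names such as Lbd are excluded by the length
    rule; treat the result as an annotation, never as a verdict on its own."""
    letters = [c for c in name.lower() if c.isalpha()]
    return len(letters) >= 4 and sum(c in VOWELS for c in letters) / len(letters) < 0.2


def triage(entries: list) -> list:
    """Entries a helper would look at first, each with its reasons.

    The flag itself requires a missing image; start type and name shape are
    added as context, so a present boot-start driver is not reported."""
    flagged = []
    for e in entries:
        if e["image_present"]:
            continue
        reasons = ["image not found on disk at scan time"]
        if e["start"] <= 1:
            reasons.append("boot/system-start driver: loads before most security software")
        filename = e["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_random(e["name"]) or looks_random(filename):
            reasons.append("random-looking service or file name")
        flagged.append({"name": e["name"], "path": e["path"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(parse_services(COMBOFIX_SERVICES)):
        print(hit["name"], hit["path"])
        for r in hit["reasons"]:
            print("   -", r)
```

A registered boot-start driver whose file is absent can be either the leftover service key of something already removed or a file the scanner cannot see; on its own the line does not say which, which is why the next step in a thread like this is another scan rather than a verdict. The Sigcheck section of the same log is the other line to note: spoolsv.exe is reported missing from System32 while a copy remains in dllcache.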
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Unfortunately, we haven't gotten a clean log yet. I'd like you to run this program:

    Download Dr.Web CureIt! and save it to your desktop.

    • [1] Double click to Run the utility and press the "Start" button in the opened window.
      [2] Confirm the launch by pressing the "OK" button and wait for the scanning results of the main memory and startup files. (this is express scan)
      [3] Click on the Green Arrow to the right to Select the Complete scan
      [4] When being scanned, infected files are cured, incurable files are moved to the quarantine directory. Answer Yes if asked to move or cure a file.
      [5] When the scanning is finished, save the report to your desktop: it is named DrWeb.csv.
    Close the program.
    Reboot the computer: this is important to complete the moves or deletions.
    Copy the DrWeb.csv report to Notepad, then paste it in your next reply.
     
  15. Booties

    Booties TS Rookie Topic Starter

    It ran twice, as the quick scan and the complete scan, so here are both logs for that.


    Process in memory: C:\WINDOWS\System32\svchost.exe:1152;;BackDoor.Tdss.565;Eradicated.;
    12543.js;C:\WINDOWS\system32;JS.DownLoader.175;Deleted.;
    ms.dll;C:\WINDOWS\system32;Trojan.Starter.1602;Deleted.;

    A0001387.dll;C:\System Volume Information\_restore{197AAB9C-9D26-40D1-B110-C86BC8825AEB}\RP2;Trojan.Starter.1602;Deleted.;
    tsk0000.dta;C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\mbr0000;BackDoor.Tdss.4005;Incurable.Moved.;
    tsk0003.dta;C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000;Trojan.Redirect.origin;Incurable.Moved.;
    tsk0005.dta;C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000;BackDoor.Tdss.4543;Deleted.;
    tsk0006.dta;C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000;BackDoor.Tdss.4543;Deleted.;
    tsk0007.dta;C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000;BackDoor.Tdss.4321;Deleted.;
    tsk0008.dta;C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000;BackDoor.Tdss.4005;Deleted.;
    tsk0000.dta;C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\mbr0000;BackDoor.Tdss.4005;Incurable.Moved.;
    tsk0003.dta;C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000;Trojan.Redirect.origin;Incurable.Moved.;
    tsk0005.dta;C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000;BackDoor.Tdss.4543;Deleted.;
    tsk0006.dta;C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000;BackDoor.Tdss.4543;Deleted.;
    tsk0007.dta;C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000;BackDoor.Tdss.4321;Deleted.;
    tsk0008.dta;C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000;BackDoor.Tdss.4005;Deleted.;
    tsk0000.dta;C:\TDSSKiller_Quarantine\23.12.2010_19.25.12\boot0000\mbr0000;BackDoor.Tdss.4005;Incurable.Moved.;
    tsk0003.dta;C:\TDSSKiller_Quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000;Trojan.Redirect.origin;Incurable.Moved.;
    tsk0005.dta;C:\TDSSKiller_Quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000;BackDoor.Tdss.4543;Deleted.;
    tsk0006.dta;C:\TDSSKiller_Quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000;BackDoor.Tdss.4543;Deleted.;
    tsk0007.dta;C:\TDSSKiller_Quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000;BackDoor.Tdss.4321;Deleted.;
    tsk0008.dta;C:\TDSSKiller_Quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000;BackDoor.Tdss.4005;Deleted.;
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, looks like it got rooted out! Please repeat both of these. If any of the quarantined TDSS files show up, I can move them:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ============================================
    And repeat:

    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
     
  17. Booties

    Booties TS Rookie Topic Starter

    ESET


    C:\Documents and Settings\Chris\DoctorWeb\Quarantine\tsk0003.dta a variant of Win32/Olmarik.ADZ trojan
    C:\Documents and Settings\Chris\DoctorWeb\Quarantine\tsk00030.dta a variant of Win32/Olmarik.ADZ trojan
    C:\Documents and Settings\Chris\DoctorWeb\Quarantine\tsk00031.dta a variant of Win32/Olmarik.ADZ trojan
    C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir Win32/Patched.GO trojan
    C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir Win32/Patched.GN trojan
    C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0004.dta probably a variant of Win32/Agent.FJFPNNI trojan
    C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0009.dta Win32/Olmarik.AIB trojan
    C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0004.dta probably a variant of Win32/Agent.FJFPNNI trojan
    C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0009.dta Win32/Olmarik.AIB trojan
    C:\TDSSKiller_Quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000\tsk0004.dta probably a variant of Win32/Agent.FJFPNNI trojan
    C:\TDSSKiller_Quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000\tsk0009.dta Win32/Olmarik.AIB trojan

    ============================================

    COMBOFIX

    ComboFix 11-01-04.01 - Chris 01/04/2011 13:26:43.5.4 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1389 [GMT -6:00]
    Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .

    ((((((((((((((((((((((((( Files Created from 2010-12-04 to 2011-01-04 )))))))))))))))))))))))))))))))
    .

    2011-01-02 19:50 . 2011-01-02 19:50 -------- d-----w- c:\documents and settings\Chris\Application Data\Avira
    2011-01-02 19:49 . 2011-01-02 19:49 -------- d-----w- c:\program files\ESET
    2010-12-29 06:36 . 2010-12-29 06:36 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Temp
    2010-12-29 06:27 . 2010-12-29 06:27 -------- d-----w- c:\documents and settings\Chris\DoctorWeb
    2010-12-28 23:15 . 2010-12-28 23:15 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Temp
    2010-12-27 02:13 . 2010-12-27 05:28 -------- d-----w- c:\documents and settings\Chris\Application Data\.minecraft
    2010-12-26 22:30 . 2010-12-30 16:24 -------- d-----w- C:\Minecraft
    2010-12-26 18:18 . 2010-12-26 18:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-12-25 06:25 . 2010-12-31 06:55 -------- d-----w- c:\windows\system32\NtmsData
    2010-12-25 03:23 . 2010-12-13 14:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-12-25 03:23 . 2010-12-13 14:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-12-25 03:23 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-12-25 03:23 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-12-25 03:23 . 2010-12-25 03:23 -------- d-----w- c:\program files\Avira
    2010-12-25 03:23 . 2010-12-25 03:23 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
    2010-12-22 08:07 . 2010-12-22 08:07 -------- d-----w- C:\_OTM
    2010-12-19 23:04 . 2010-12-19 23:04 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Yahoo
    2010-12-19 23:00 . 2010-12-19 23:02 -------- d-----w- c:\documents and settings\Chris\Application Data\Yahoo!
    2010-12-19 23:00 . 2010-12-19 23:00 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo! Companion
    2010-12-19 22:59 . 2010-12-19 23:00 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!
    2010-12-18 08:07 . 2010-12-18 08:07 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Mozilla
    2010-12-16 06:39 . 2010-12-24 01:25 -------- d-----w- C:\TDSSKiller_Quarantine
    2010-12-12 23:08 . 2010-12-12 23:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\dOcCl06301

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-26 18:18 . 2010-10-07 20:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-29 23:42 . 2010-09-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-29 23:42 . 2010-09-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-28 02:25 . 2010-11-28 02:25 388096 ----a-r- c:\documents and settings\Chris\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-11-23 12:45 . 2010-09-29 19:56 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-10-16 18:55 . 2010-11-04 18:43 888424 ----a-w- c:\windows\system32\nvdispco32.dll
    2010-10-16 18:55 . 2010-11-04 18:43 813672 ----a-w- c:\windows\system32\nvgenco32.dll
    2010-10-16 18:55 . 2010-10-13 09:03 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2010-10-16 18:55 . 2010-10-13 09:03 13012992 ----a-w- c:\windows\system32\nvcompiler.dll
    2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    ------- Sigcheck -------

    [7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
    [7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe

    c:\windows\System32\spoolsv.exe ... is missing !!
    .
    ((((((((((((((((((((((((((((( SnapShot@2010-12-23_00.22.44 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-01-04 16:21 . 2011-01-04 16:21 16384 c:\windows\Temp\Perflib_Perfdata_208.dat
    + 2010-12-25 03:23 . 2010-06-17 20:27 28520 c:\windows\system32\drivers\ssmdrv.sys
    + 2010-12-26 18:18 . 2010-12-26 18:18 157472 c:\windows\system32\javaws.exe
    + 2010-12-26 18:18 . 2010-12-26 18:18 145184 c:\windows\system32\javaw.exe
    - 2010-11-04 19:02 . 2010-09-15 09:50 145184 c:\windows\system32\javaw.exe
    - 2010-11-04 19:02 . 2010-09-15 09:50 145184 c:\windows\system32\java.exe
    + 2010-12-26 18:18 . 2010-12-26 18:18 145184 c:\windows\system32\java.exe
    + 2010-12-26 18:18 . 2010-12-26 18:18 180224 c:\windows\Installer\3bec973.msi
    + 2010-12-26 18:18 . 2010-12-26 18:18 675840 c:\windows\Installer\3bec96e.msi
    + 2010-12-30 20:38 . 2010-12-30 20:38 689152 c:\windows\Installer\1bd424.msi
    + 2010-12-30 20:38 . 2010-12-30 20:38 371272 c:\windows\Installer\{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}\SkypeIcon.exe
    - 2010-12-13 02:48 . 2010-12-13 02:48 371272 c:\windows\Installer\{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}\SkypeIcon.exe
    + 2010-12-26 18:22 . 2010-12-26 18:22 2519552 c:\windows\Installer\3bec97b.msi
    + 2010-12-30 20:38 . 2010-12-30 20:38 1580544 c:\windows\Installer\1bd41b.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2007-10-25 16855552]
    "Ai Nap"="c:\program files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-09-06 1426432]
    "CPU Power Monitor"="c:\program files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe" [2007-10-16 626176]
    "Cpu Level Up help"="c:\program files\ASUS\Ai Suite\CpuLevelUpHelp.exe" [2007-09-11 880640]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
    "Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2010-08-03 358472]
    "Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2010-08-03 1809992]
    "Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2010-08-03 3649096]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-08 13680640]
    "nwiz"="nwiz.exe" [2009-03-08 1657376]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-08 86016]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-16 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-16 932288]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^Chris^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
    path=c:\documents and settings\Chris\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
    backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2010-06-01 16:17 5252408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    2010-11-24 04:35 1242448 ----a-w- c:\program files\Steam\Steam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\fallout new vegas\\FalloutNVLauncher.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "58706:TCP"= 58706:TCP:pando Media Booster
    "58706:UDP"= 58706:UDP:pando Media Booster

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/29/2010 1:56 PM 64288]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/24/2010 9:23 PM 135336]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/23/2010 1:46 AM 1375992]
    R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [9/23/2010 1:46 AM 15264]
    R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [11/23/2009 4:37 PM 19720]
    R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [10/3/2010 3:23 PM 14856]
    S0 hxbx;hxbx;c:\windows\system32\drivers\usgqyvr.sys --> c:\windows\system32\drivers\usgqyvr.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 16:49]
    .
    .
    ------- Supplementary Scan -------
    .
    LSP: %SYSTEMROOT%\system32\nvappfilter.dll
    FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\9o7f2904.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-04 13:41
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Hitachi_ rev.V54O -> Harddisk0\DR0 -> \Device\Scsi\nvgts1

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89D3A446]<<
    c:\docume~1\Chris\LOCALS~1\Temp\catchme.sys
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89d40504]; MOV EAX, [0x89d40580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89D2CAB8]
    3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000063[0x89D6B558]
    5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89D00A38]
    \Driver\nvgts[0x89D54AD8] -> IRP_MJ_CREATE -> 0x89D3A446
    error: Read The system cannot find the file specified.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Scsi\nvgts1Port2Path1Target1Lun0 -> \??\SCSI#Disk&Ven_Hitachi&Prod_HDT725032VLA&Rev_V54O#4&358dcf36&0&110#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(800)
    c:\windows\system32\nvappfilter.dll

    - - - - - - - > 'explorer.exe'(3456)
    c:\windows\system32\nvappfilter.dll
    .
    Completion time: 2011-01-04 13:43:49
    ComboFix-quarantined-files.txt 2011-01-04 19:43
    ComboFix2.txt 2010-12-26 19:49
    ComboFix3.txt 2010-12-23 00:27

    Pre-Run: 223,068,901,376 bytes free
    Post-Run: 223,824,371,712 bytes free

    - - End Of File - - D845C5CFA45AB661F9980B1BF36C7E1C
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    There appears to still be a rootkit on the system that hasn't been found and removed. And evidence of an incurable backdoor Trojan. It is possible that you may need to reformat/reinstall the OS because the system has been compromised. I'll try two move programs for removals. If that doesn't reach it, I will recommend the reinstall:
    ==========================================
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      
      :Files  
      C:\Documents and Settings\Chris\DoctorWeb\Quarantine\tsk0003.dta 
      C:\Documents and Settings\Chris\DoctorWeb\Quarantine\tsk00030.dta 
      C:\Documents and Settings\Chris\DoctorWeb\Quarantine\tsk00031.dta 
      C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0004.dta 
      C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0009.dta 
      C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0004.dta 
      C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0009.dta 
      C:\TDSSKiller_Quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000\tsk0004.dta 
      C:\TDSSKiller_Quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000\tsk0009.dta 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ==============================================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. [Be sure to scroll down to include ALL lines.]
    Code:
    File::
    c:\windows\system32\drivers\usgqyvr.sys
    Folder::
    c:\documents and settings\Chris\DoctorWeb
    C:\TDSSKiller_Quarantine
    c:\documents and settings\All Users.WINDOWS\Application Data\dOcCl06301
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=-
    
    Driver::
    hxbx  
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
     
  19. Booties

    Booties TS Rookie Topic Starter

    OTMLog


    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    C:\Documents and Settings\Chris\DoctorWeb\Quarantine\tsk0003.dta moved successfully.
    C:\Documents and Settings\Chris\DoctorWeb\Quarantine\tsk00030.dta moved successfully.
    C:\Documents and Settings\Chris\DoctorWeb\Quarantine\tsk00031.dta moved successfully.
    C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0004.dta moved successfully.
    C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0009.dta moved successfully.
    C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0004.dta moved successfully.
    C:\TDSSKiller_Quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0009.dta moved successfully.
    C:\TDSSKiller_Quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000\tsk0004.dta moved successfully.
    C:\TDSSKiller_Quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000\tsk0009.dta moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: All Users.WINDOWS

    User: Chris
    ->Temp folder emptied: 1904874 bytes
    ->Temporary Internet Files folder emptied: 3199086 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 13196301 bytes
    ->Flash cache emptied: 4272 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User.WINDOWS
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: IBUYPOWER
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Opera cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService.NT AUTHORITY
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 406303450 bytes
    ->Java cache emptied: 14301 bytes
    ->Flash cache emptied: 111402 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: NetworkService.NT AUTHORITY
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 178431513 bytes
    ->Java cache emptied: 15309 bytes
    ->Flash cache emptied: 85854 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 935 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 59345242 bytes

    Total Files Cleaned = 632.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 01052011_131404

    Files moved on Reboot...
    C:\Documents and Settings\Chris\Local Settings\Temp\~DF68AB.tmp moved successfully.
    File C:\WINDOWS\temp\ZLT06211.TMP not found!

    Registry entries deleted on Reboot...

    ==============================================================

    ComboFix Log

    ComboFix 11-01-05.06 - Chris 01/06/2011 11:04:43.6.4 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1357 [GMT -6:00]
    Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Chris\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    FILE ::
    "c:\windows\system32\drivers\usgqyvr.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users.WINDOWS\Application Data\dOcCl06301
    c:\documents and settings\All Users.WINDOWS\Application Data\dOcCl06301\dOcCl06301
    c:\documents and settings\Chris\DoctorWeb
    c:\documents and settings\Chris\DoctorWeb\CureIt.log
    C:\TDSSKiller_Quarantine
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0000\mbr0000\object.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0000\mbr0000\tsk0000.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0000\object.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\object.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0000.dta
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0000.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0001.dta
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0001.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0002.dta
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0002.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0003.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0004.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0005.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0006.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0007.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0008.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0000\tdlfs0000\tsk0009.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0001\mbr0000\object.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0001\mbr0000\tsk0000.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0001\object.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\object.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0000.dta
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0000.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0001.dta
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0001.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0002.dta
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0002.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0003.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0004.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0005.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0006.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0007.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0008.ini
    c:\tdsskiller_quarantine\16.12.2010_00.34.47\boot0001\tdlfs0000\tsk0009.ini
    c:\tdsskiller_quarantine\23.12.2010_19.25.12\boot0000\mbr0000\object.ini
    c:\tdsskiller_quarantine\23.12.2010_19.25.12\boot0000\mbr0000\tsk0000.ini
    c:\tdsskiller_quarantine\23.12.2010_19.25.12\boot0000\object.ini
    c:\tdsskiller_quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000\object.ini
    c:\tdsskiller_quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000\tsk0000.dta
    c:\tdsskiller_quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000\tsk0000.ini
    c:\tdsskiller_quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000\tsk0001.dta
    c:\tdsskiller_quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000\tsk0001.ini
    c:\tdsskiller_quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000\tsk0002.dta
    c:\tdsskiller_quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000\tsk0002.ini
    c:\tdsskiller_quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000\tsk0003.ini
    c:\tdsskiller_quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000\tsk0004.ini
    c:\tdsskiller_quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000\tsk0005.ini
    c:\tdsskiller_quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000\tsk0006.ini
    c:\tdsskiller_quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000\tsk0007.ini
    c:\tdsskiller_quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000\tsk0008.ini
    c:\tdsskiller_quarantine\23.12.2010_19.25.12\boot0000\tdlfs0000\tsk0009.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_hxbx


    ((((((((((((((((((((((((( Files Created from 2010-12-06 to 2011-01-06 )))))))))))))))))))))))))))))))
    .

    2011-01-02 19:50 . 2011-01-02 19:50 -------- d-----w- c:\documents and settings\Chris\Application Data\Avira
    2011-01-02 19:49 . 2011-01-02 19:49 -------- d-----w- c:\program files\ESET
    2010-12-29 06:36 . 2010-12-29 06:36 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Temp
    2010-12-28 23:15 . 2010-12-28 23:15 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Temp
    2010-12-27 02:13 . 2010-12-27 05:28 -------- d-----w- c:\documents and settings\Chris\Application Data\.minecraft
    2010-12-26 22:30 . 2011-01-05 18:34 -------- d-----w- C:\Minecraft
    2010-12-26 18:18 . 2010-12-26 18:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-12-25 06:25 . 2011-01-06 00:47 -------- d-----w- c:\windows\system32\NtmsData
    2010-12-25 03:23 . 2010-12-13 14:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-12-25 03:23 . 2010-12-13 14:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-12-25 03:23 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-12-25 03:23 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-12-25 03:23 . 2010-12-25 03:23 -------- d-----w- c:\program files\Avira
    2010-12-25 03:23 . 2010-12-25 03:23 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Avira
    2010-12-22 08:07 . 2010-12-22 08:07 -------- d-----w- C:\_OTM
    2010-12-19 23:04 . 2010-12-19 23:04 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Yahoo
    2010-12-19 23:00 . 2010-12-19 23:02 -------- d-----w- c:\documents and settings\Chris\Application Data\Yahoo!
    2010-12-19 23:00 . 2010-12-19 23:00 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo! Companion
    2010-12-19 22:59 . 2010-12-19 23:00 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Yahoo!
    2010-12-18 08:07 . 2010-12-18 08:07 -------- d-----w- c:\documents and settings\Chris\Local Settings\Application Data\Mozilla

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-26 18:18 . 2010-10-07 20:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-29 23:42 . 2010-09-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-29 23:42 . 2010-09-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-28 02:25 . 2010-11-28 02:25 388096 ----a-r- c:\documents and settings\Chris\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-11-23 12:45 . 2010-09-29 19:56 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-10-16 18:55 . 2010-11-04 18:43 888424 ----a-w- c:\windows\system32\nvdispco32.dll
    2010-10-16 18:55 . 2010-11-04 18:43 813672 ----a-w- c:\windows\system32\nvgenco32.dll
    2010-10-16 18:55 . 2010-10-13 09:03 61440 ----a-w- c:\windows\system32\OpenCL.dll
    2010-10-16 18:55 . 2010-10-13 09:03 13012992 ----a-w- c:\windows\system32\nvcompiler.dll
    2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .

    ------- Sigcheck -------

    [7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
    [7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe

    c:\windows\System32\spoolsv.exe ... is missing !!
    .
    ((((((((((((((((((((((((((((( SnapShot@2010-12-23_00.22.44 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-01-06 17:11 . 2011-01-06 17:11 16384 c:\windows\Temp\Perflib_Perfdata_71c.dat
    + 2010-12-25 03:23 . 2010-06-17 20:27 28520 c:\windows\system32\drivers\ssmdrv.sys
    + 2010-12-26 18:18 . 2010-12-26 18:18 157472 c:\windows\system32\javaws.exe
    + 2010-12-26 18:18 . 2010-12-26 18:18 145184 c:\windows\system32\javaw.exe
    - 2010-11-04 19:02 . 2010-09-15 09:50 145184 c:\windows\system32\javaw.exe
    - 2010-11-04 19:02 . 2010-09-15 09:50 145184 c:\windows\system32\java.exe
    + 2010-12-26 18:18 . 2010-12-26 18:18 145184 c:\windows\system32\java.exe
    + 2010-12-26 18:18 . 2010-12-26 18:18 180224 c:\windows\Installer\3bec973.msi
    + 2010-12-26 18:18 . 2010-12-26 18:18 675840 c:\windows\Installer\3bec96e.msi
    + 2010-12-30 20:38 . 2010-12-30 20:38 689152 c:\windows\Installer\1bd424.msi
    + 2010-12-30 20:38 . 2010-12-30 20:38 371272 c:\windows\Installer\{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}\SkypeIcon.exe
    - 2010-12-13 02:48 . 2010-12-13 02:48 371272 c:\windows\Installer\{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}\SkypeIcon.exe
    + 2010-12-26 18:22 . 2010-12-26 18:22 2519552 c:\windows\Installer\3bec97b.msi
    + 2010-12-30 20:38 . 2010-12-30 20:38 1580544 c:\windows\Installer\1bd41b.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2007-10-25 16855552]
    "Ai Nap"="c:\program files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-09-06 1426432]
    "CPU Power Monitor"="c:\program files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe" [2007-10-16 626176]
    "Cpu Level Up help"="c:\program files\ASUS\Ai Suite\CpuLevelUpHelp.exe" [2007-09-11 880640]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
    "Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2010-08-03 358472]
    "Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2010-08-03 1809992]
    "Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2010-08-03 3649096]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-08 13680640]
    "nwiz"="nwiz.exe" [2009-03-08 1657376]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-08 86016]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-13 281768]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-16 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-16 932288]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^Chris^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
    path=c:\documents and settings\Chris\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
    backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    2010-06-01 16:17 5252408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    2010-11-24 04:35 1242448 ----a-w- c:\program files\Steam\Steam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Steam\\steamapps\\common\\fallout new vegas\\FalloutNVLauncher.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "58706:TCP"= 58706:TCP:pando Media Booster
    "58706:UDP"= 58706:UDP:pando Media Booster

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/29/2010 1:56 PM 64288]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/24/2010 9:23 PM 135336]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/23/2010 1:46 AM 1375992]
    R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [11/23/2009 4:37 PM 19720]
    R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [10/3/2010 3:23 PM 14856]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [9/23/2010 1:46 AM 15264]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-09-23 16:49]
    .
    .
    ------- Supplementary Scan -------
    .
    LSP: %SYSTEMROOT%\system32\nvappfilter.dll
    FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\9o7f2904.default\
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-06 11:12
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(796)
    c:\windows\system32\nvappfilter.dll

    - - - - - - - > 'explorer.exe'(3044)
    c:\windows\system32\nvappfilter.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-06 11:15:59 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-01-06 17:15
    ComboFix2.txt 2011-01-04 19:43
    ComboFix3.txt 2010-12-26 19:49
    ComboFix4.txt 2010-12-23 00:27

    Pre-Run: 223,524,212,736 bytes free
    Post-Run: 223,485,419,520 bytes free

    - - End Of File - - 9AE879F1205687B65C49F3C74223FEB2
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Sorry for delay- internet was down.

    A recommendation> it appears that there are multiple users on this system. Considering that OTM Total files cleaned=632mb, do maintenance more often. (There is a Command in OTM to [emptytemp])

    It looks like we have finally uprooted the rootkits! How is the system running now?

    You need to update Java and remove the old versions: check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.

    And we need to look for a file:

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      
      :filefind
      spoolsv.*
      
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
    ===============================================
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  21. Booties

    Booties TS Rookie Topic Starter

    It's running just fine. It still sometimes does the original issue where it shuts off the sound and doesn't let me adjust it.

    SystemLook

    SystemLook 04.09.10 by jpshortstuff
    Log created at 19:42 on 07/01/2011 by Chris
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "spoolsv.*"
    C:\WINDOWS\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe --a---- 58880 bytes [13:19 17/08/2010] [13:19 17/08/2010] 258DD5D4283FD9F9A7166BE9AE45CE73
    C:\WINDOWS\system32\dllcache\spoolsv.exe --a--c- 58880 bytes [12:00 14/04/2008] [13:17 17/08/2010] 60784F891563FB1B767F70117FC2428F

    -= EOF =-

    ===============================================

    HijackThis


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 7:46:50 PM, on 1/7/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
    C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe
    C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
    C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files\SRWare Iron\iron.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\SRWare Iron\iron.exe
    C:\Program Files\SRWare Iron\iron.exe
    C:\Program Files\SRWare Iron\iron.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
    O4 - HKLM\..\Run: [CPU Power Monitor] "C:\Program Files\ASUS\Ai Suite\AiGear3\CpuPowerMonitor.exe"
    O4 - HKLM\..\Run: [Cpu Level Up help] C:\Program Files\ASUS\Ai Suite\CpuLevelUpHelp.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
    O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
    O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 7209 bytes
     
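The Sigcheck section of the ComboFix log and the SystemLook result above both point at the same finding: two known-good copies of spoolsv.exe (hotfix cache and dllcache) exist, but the live copy under System32 is gone. The triage helper below is an added example, not part of the thread or of ComboFix/SystemLook: it parses SystemLook `:filefind` result lines and reports whether the live System32 copy is missing or its MD5 differs from the dllcache reference. The `SAMPLE_LOG` text is constructed from the values posted above; the `TAMPERED_LOG`/`RESTORED_LOG` variants and their MD5 values are constructed for illustration.

```python
"""Parse SystemLook ':filefind' output and compare a live System32 file with its dllcache copy.

Added example (not ComboFix's or SystemLook's own code). Record format assumed from
the log lines posted in the thread:
  <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
"""
import re
from dataclasses import dataclass
from typing import List

# One SystemLook filefind result line; paths in these logs carry no trailing spaces,
# so the first run of whitespace separates the path from the 7-char attribute field.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


@dataclass
class FileHit:
    path: str
    attrs: str
    size: int
    created: str
    modified: str
    md5: str


def parse_filefind(log: str) -> List[FileHit]:
    """Return every filefind result line in the log as a FileHit; headers and EOF marker are skipped."""
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(FileHit(m["path"], m["attrs"], int(m["size"]),
                                m["created"], m["modified"], m["md5"].upper()))
    return hits


def _in_dir(hit: FileHit, directory: str) -> bool:
    # Case-insensitive match on the parent directory only (XP paths are case-insensitive).
    return hit.path.lower().rsplit("\\", 1)[0] == directory.lower()


def assess_system_file(hits: List[FileHit], name: str,
                       live_dir: str = r"C:\WINDOWS\system32",
                       cache_dir: str = r"C:\WINDOWS\system32\dllcache") -> str:
    """Verdict for one protected system file: ok / missing-live-copy / hash-mismatch / no-reference-copy."""
    wanted = "\\" + name.lower()
    live = [h for h in hits if _in_dir(h, live_dir) and h.path.lower().endswith(wanted)]
    cache = [h for h in hits if _in_dir(h, cache_dir) and h.path.lower().endswith(wanted)]
    if not cache:
        return "no-reference-copy"      # nothing to compare against; dllcache itself is damaged
    if not live:
        return "missing-live-copy"      # the case in this thread: the service points at a file that is gone
    return "ok" if live[0].md5 == cache[0].md5 else "hash-mismatch"


# Constructed from the SystemLook output posted in the thread.
SAMPLE_LOG = r"""
SystemLook 04.09.10 by jpshortstuff
========== filefind ==========

Searching for "spoolsv.*"
C:\WINDOWS\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe --a---- 58880 bytes [13:19 17/08/2010] [13:19 17/08/2010] 258DD5D4283FD9F9A7166BE9AE45CE73
C:\WINDOWS\system32\dllcache\spoolsv.exe --a--c- 58880 bytes [12:00 14/04/2008] [13:17 17/08/2010] 60784F891563FB1B767F70117FC2428F

-= EOF =-
"""

# Constructed variants (MD5 values below are placeholders, not from the thread):
# a live copy whose hash differs from dllcache, and one restored from dllcache.
TAMPERED_LOG = SAMPLE_LOG + (
    r"C:\WINDOWS\system32\spoolsv.exe --a---- 58880 bytes [12:00 14/04/2008] [13:17 17/08/2010] "
    "0123456789ABCDEF0123456789ABCDEF\n"
)
RESTORED_LOG = SAMPLE_LOG + (
    r"C:\WINDOWS\system32\spoolsv.exe --a---- 58880 bytes [12:00 14/04/2008] [13:17 17/08/2010] "
    "60784f891563fb1b767f70117fc2428f\n"
)

if __name__ == "__main__":
    for label, log in (("thread", SAMPLE_LOG), ("tampered", TAMPERED_LOG), ("restored", RESTORED_LOG)):
        print(f"{label:9s} spoolsv.exe -> {assess_system_file(parse_filefind(log), 'spoolsv.exe')}")
```

The same check can be pointed at any other protected binary named in a `:filefind` search; a `hash-mismatch` verdict after an FCopy:: restore means the copy did not take and the dllcache source itself should be re-verified.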
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, that's a system problem. But the malware has been cleaned. I need to replace one file:

    Please run this :Custom CFScript

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap> and copy/paste the text in the code below into it:
    Code:
    File::
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=-
    Extra::
    File::
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    Firefox::
    Firefox-; - Profile-  c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\9o7f2904.default\
    
    FCopy::
    C:\WINDOWS\system32\dllcache\spoolsv.exe | c:\windows\System32\spoolsv.exe
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . No log needed unless there is a problem. But please check the following:

    Reboot the computer:
    Click on Start> Run> type in services.msc> double click on Print Spooler> make sure Startup type is set to Automatic and the process is Started.
    Exit Services.

    If there is any problem or if there is a problem with printing, please come back to me.
    ====================================
    HJT is fine.
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin

    Let me know if you have any questions.
    ====================
     
Topic Status:
Not open for further replies.
