Google Redirect Virus Removal

By Chinikaylo
Jan 13, 2011
  1. Hi, I seem to have acquired the Google redirect virus, as many others have.

    I've tried different spyware/adware/malware removal programs, but it still persists. I also tried uninstalling/reinstalling Firefox (that's the browser that's infected, and the one I use), but to no avail. I've tried a couple of other things to remove it, including using Malwarebytes.

    One thing that seems to be working for people is using HijackThis, posting the log, and having pros look at it. Well, I have already downloaded it and made a log, so if anyone could help me get rid of this it would be greatly appreciated. Thanks!


  2. Broni

    Broni, Malware Annihilator

    Welcome aboard

    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
  3. Chinikaylo


    Here's the Logs

    OK, I followed the 8-step removal process, and here are the requested logs, good sirs:

    The MBAM Log:
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5519

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    1/14/2011 10:53:19 AM
    mbam-log-2011-01-14 (10-53-19).txt

    Scan type: Quick scan
    Objects scanned: 153452
    Time elapsed: 9 minute(s), 43 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    ______________________________________________________

    The GMER Log:
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-01-14 11:12:52
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 WDC_WD2500JS-60NCB1 rev.10.02E02
    Running: r6vfkp1c.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\fgldapod.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sectors 488396912 (+254): rootkit-like behavior;

    ---- System - GMER 1.0.15 ----

    SSDT spei.sys ZwEnumerateKey [0xF73D5DA4]
    SSDT spei.sys ZwEnumerateValueKey [0xF73D6132]

    Code F7C9BC9C ZwRequestPort
    Code F7C9BD3C ZwRequestWaitReplyPort
    Code F7C9BBFC ZwTraceEvent
    Code F7C9BC9B NtRequestPort
    Code F7C9BD3B NtRequestWaitReplyPort
    Code F7C9BBFB NtTraceEvent

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 85F1AAEA
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F723CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 85F1AAEA
    Device \Driver\atapi \Device\Ide\IdePort0 [F723CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 85F1AAEA
    Device \Driver\atapi \Device\Ide\IdePort1 [F723CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 85F1AAEA
    Device \Driver\atapi \Device\Ide\IdePort2 [F723CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 85F1AAEA
    Device \Driver\atapi \Device\Ide\IdePort3 [F723CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort4 85F1AAEA
    Device \Driver\atapi \Device\Ide\IdePort4 [F723CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort5 85F1AAEA
    Device \Driver\atapi \Device\Ide\IdePort5 [F723CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atyw64k9 \Device\Scsi\atyw64k91Port6Path0Target0Lun0 85A0C500
    Device \Driver\atyw64k9 \Device\Scsi\atyw64k91 85A0C500
    Device \FileSystem\Ntfs \Ntfs 861D71F8

    AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)

    Device \FileSystem\Fastfat \Fat 85B1B500

    AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

    Device \Device\Ide\IdeDeviceP2T0L0-e -> \??\IDE#DiskWDC_WD2500JS-60NCB1_____________________10.02E02#5&9c402e8&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----
    _________________________________________________________________

    And the DDS Log:

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Compaq_Administrator at 11:48:34.98 on Fri 01/14/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.379 [GMT -5:00]

    AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    FW: Norton Internet Worm Protection *Disabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Sandboxie\SbieSvc.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\ZuneLauncher.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Sandboxie\SbieCtrl.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    svchost.exe
    C:\WINDOWS\arservice.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    svchost.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    c:\WINDOWS\system32\ZuneBusEnum.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    K:\Programs\firefox.exe
    K:\Programs\plugin-container.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Compaq_Administrator\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
    BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\AxAutoMntSrv.exe" -automount
    uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
    uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
    uRun: [SUPERAntiSpyware] k:\programs\SUPERAntiSpyware.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [Zune Launcher] "c:\program files\ZuneLauncher.exe"
    mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - k:\programs\microsoft office cracked\office10\OSA.EXE
    IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
    IE: E&xport to Microsoft Excel - k:\programs\micros~2\office10\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
    Trusted Zone: trymedia.com
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Notify: !SASWinLogon - k:\programs\SASWINLO.DLL
    Notify: avgrsstarter - avgrsstx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - k:\programs\SASSEH.DLL
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\3x3rarsk.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJPI150_05.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - k:\programs\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg9\Firefox
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-24 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-24 29584]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-24 243024]
    R1 SASDIFSV;SASDIFSV;k:\programs\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;k:\programs\SASKUTIL.SYS [2010-5-10 67656]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2009-12-23 370688]
    R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-7-4 119016]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]

    =============== Created Last 30 ================

    2011-01-13 16:59:27 -------- d-----w- c:\program files\Trend Micro
    2011-01-09 02:04:37 -------- d-----w- c:\docume~1\compaq~1\applic~1\SUPERAntiSpyware.com
    2011-01-09 02:04:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2011-01-05 17:06:35 -------- d-----w- c:\docume~1\compaq~1\applic~1\AskToolbar
    2011-01-03 18:35:53 -------- d-----w- c:\docume~1\compaq~1\applic~1\Malwarebytes
    2011-01-03 18:35:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-03 18:35:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-01-03 18:35:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

    ==================== Find3M ====================

    2010-01-07 18:42:02 912192 ----a-w- c:\program files\ZuneDBApi.dll
    2010-01-07 18:42:02 554816 ----a-w- c:\program files\UIXcontrols.dll
    2010-01-07 18:42:02 1521472 ----a-w- c:\program files\UIX.dll
    2010-01-07 18:42:02 1304384 ----a-w- c:\program files\ZuneShell.dll
    2010-01-07 18:42:00 644928 ----a-w- c:\program files\UIX.renderapi.dll
    2010-01-07 18:24:16 232448 ----a-w- c:\program files\l3codecp.acm
    2007-08-27 19:56:58 1089440 ----a-w- c:\program files\msidcrl40.dll

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD2500JS-60NCB1 rev.10.02E02 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-e

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85F1AD01]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x50; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x8442f85b; SUB DWORD [EBP-0x4], 0x8442f12e; PUSH EDI; CALL 0xffffffffffffe0f7; }
    1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86080AB8]
    3 CLASSPNP[0xF7610FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000078[0x85F84F18]
    5 ACPI[0xF737C620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8612A940]
    [0x8606F268] -> IRP_MJ_CREATE -> 0x85F1AD01
    kernel: MBR read successfully
    _asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5c; }
    detected disk devices:
    \Device\Ide\IdeDeviceP2T0L0-e -> \??\IDE#DiskWDC_WD2500JS-60NCB1_____________________10.02E02#5&9c402e8&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x85F1AAEA
    IoDeviceObjectType -> ParseProcedure -> 0xf7c7c160
    \Device\Harddisk0\DR0 -> ParseProcedure -> 0xf7c7c160
    user & kernel MBR OK
    sectors 488397166 (+255): user != kernel
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 11:50:22.28 ===============
    __________________________________________________________

    And the Attach Log:

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 4/16/2010 1:54:41 PM
    System Uptime: 1/14/2011 11:22:16 AM (0 hours ago)

    Motherboard: ASUSTek Computer INC. | | NAGAMI2
    Processor: AMD Athlon(tm) 64 Processor 3800+ | Socket 939 | 2405/199mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 225 GiB total, 148.304 GiB free.
    D: is FIXED (FAT32) - 8 GiB total, 0.509 GiB free.
    E: is CDROM ()
    F: is Removable
    G: is Removable
    H: is Removable
    I: is Removable
    J: is CDROM ()
    K: is FIXED (NTFS) - 932 GiB total, 461.836 GiB free.
    L: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\B71EB011D800
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\B71EB011D800
    Service: NIC1394

    ==== System Restore Points ===================

    RP187: 10/16/2010 6:23:59 PM - System Checkpoint
    RP188: 10/17/2010 8:47:35 PM - System Checkpoint
    RP189: 10/19/2010 1:23:59 AM - System Checkpoint
    RP190: 10/20/2010 9:41:21 AM - System Checkpoint
    RP191: 10/21/2010 2:16:51 PM - System Checkpoint
    RP192: 10/22/2010 2:41:11 PM - System Checkpoint
    RP193: 10/23/2010 7:01:24 PM - System Checkpoint
    RP194: 10/24/2010 11:34:06 PM - System Checkpoint
    RP195: 10/25/2010 11:53:57 PM - System Checkpoint
    RP196: 10/26/2010 9:47:57 AM - Avg Update
    RP197: 10/27/2010 11:54:27 AM - System Checkpoint
    RP198: 10/28/2010 5:18:16 PM - System Checkpoint
    RP199: 10/29/2010 5:25:55 PM - System Checkpoint
    RP200: 10/30/2010 5:28:13 PM - System Checkpoint
    RP201: 10/31/2010 7:14:59 AM - Installed Google SketchUp 8
    RP202: 11/1/2010 7:21:23 AM - System Checkpoint
    RP203: 11/2/2010 7:31:26 AM - System Checkpoint
    RP204: 11/3/2010 9:43:17 AM - System Checkpoint
    RP205: 11/4/2010 11:14:58 AM - System Checkpoint
    RP206: 11/5/2010 12:08:03 PM - System Checkpoint
    RP207: 11/6/2010 4:25:25 PM - System Checkpoint
    RP208: 11/6/2010 5:45:12 PM - Installed Windows XP KB942288-v3.
    RP209: 11/6/2010 5:45:42 PM - Installed DirectX
    RP210: 11/6/2010 5:45:53 PM - Installed DirectX
    RP211: 11/7/2010 8:24:54 PM - System Checkpoint
    RP212: 11/8/2010 9:49:04 PM - System Checkpoint
    RP213: 11/9/2010 10:32:51 AM - Avg Update
    RP214: 11/9/2010 10:34:33 AM - Avg Update
    RP215: 11/10/2010 11:16:21 AM - System Checkpoint
    RP216: 11/11/2010 7:05:59 PM - System Checkpoint
    RP217: 11/12/2010 10:22:44 PM - System Checkpoint
    RP218: 11/14/2010 12:09:04 AM - System Checkpoint
    RP219: 11/15/2010 7:49:21 AM - System Checkpoint
    RP220: 11/16/2010 10:32:05 AM - System Checkpoint
    RP221: 11/17/2010 10:36:35 AM - System Checkpoint
    RP222: 11/18/2010 11:35:35 AM - System Checkpoint
    RP223: 11/19/2010 12:10:49 PM - System Checkpoint
    RP224: 11/20/2010 1:58:31 PM - System Checkpoint
    RP225: 11/21/2010 9:15:09 PM - System Checkpoint
    RP226: 11/23/2010 12:39:43 AM - System Checkpoint
    RP227: 11/24/2010 7:52:55 AM - System Checkpoint
    RP228: 11/24/2010 8:00:57 AM - Avg Update
    RP229: 11/24/2010 8:02:25 AM - Avg Update
    RP230: 11/25/2010 8:38:27 AM - System Checkpoint
    RP231: 11/26/2010 4:43:22 PM - System Checkpoint
    RP232: 11/27/2010 5:59:29 PM - System Checkpoint
    RP233: 11/28/2010 6:32:21 PM - System Checkpoint
    RP234: 11/29/2010 6:52:27 PM - System Checkpoint
    RP235: 11/30/2010 7:05:24 PM - System Checkpoint
    RP236: 12/1/2010 8:44:19 PM - System Checkpoint
    RP237: 12/3/2010 12:39:22 PM - System Checkpoint
    RP238: 12/4/2010 5:20:47 PM - System Checkpoint
    RP239: 12/5/2010 11:30:09 PM - System Checkpoint
    RP240: 12/7/2010 6:54:28 AM - System Checkpoint
    RP241: 12/8/2010 7:54:43 AM - System Checkpoint
    RP242: 12/9/2010 11:45:08 AM - System Checkpoint
    RP243: 12/10/2010 12:46:27 PM - System Checkpoint
    RP244: 12/11/2010 5:07:36 PM - System Checkpoint
    RP245: 12/13/2010 7:53:31 AM - System Checkpoint
    RP246: 12/14/2010 12:21:37 PM - System Checkpoint
    RP247: 12/15/2010 2:27:40 PM - System Checkpoint
    RP248: 12/16/2010 2:53:39 PM - System Checkpoint
    RP249: 12/17/2010 5:52:53 PM - System Checkpoint
    RP250: 12/18/2010 8:19:41 PM - System Checkpoint
    RP251: 12/20/2010 8:11:43 AM - System Checkpoint
    RP252: 12/21/2010 9:00:30 AM - System Checkpoint
    RP253: 12/22/2010 10:00:30 AM - System Checkpoint
    RP254: 12/23/2010 11:49:57 AM - System Checkpoint
    RP255: 12/24/2010 12:46:10 PM - System Checkpoint
    RP256: 12/25/2010 1:38:38 PM - System Checkpoint
    RP257: 12/26/2010 3:12:58 PM - System Checkpoint
    RP258: 12/27/2010 9:51:37 PM - System Checkpoint
    RP259: 12/29/2010 3:04:50 PM - System Checkpoint
    RP260: 12/30/2010 5:24:53 PM - System Checkpoint
    RP261: 12/31/2010 6:14:00 PM - System Checkpoint
    RP262: 1/1/2011 11:12:54 PM - System Checkpoint
    RP263: 1/3/2011 6:14:13 PM - System Checkpoint
    RP264: 1/4/2011 10:00:07 PM - System Checkpoint
    RP265: 1/5/2011 10:36:57 PM - System Checkpoint
    RP266: 1/7/2011 12:55:13 PM - System Checkpoint
    RP267: 1/8/2011 6:39:15 PM - System Checkpoint
    RP268: 1/9/2011 7:18:31 PM - System Checkpoint
    RP269: 1/10/2011 10:25:24 PM - System Checkpoint
    RP270: 1/12/2011 9:05:57 AM - System Checkpoint
    RP271: 1/13/2011 2:23:36 PM - System Checkpoint

    ==== Installed Programs ======================

    µTorrent
    Adobe AIR
    Adobe Flash Player 10 Plugin
    Adobe Reader 7.0.5
    Adobe Shockwave Player 11.5
    Agere Systems PCI-SV92PP Soft Modem
    Ask Toolbar
    AVG Free 9.0
    BufferChm
    Cheat Engine 5.6
    Command & Conquer Generals
    Compaq Connections (remove only)
    CP_AtenaShokunin1Config
    CP_CalendarTemplates1
    cp_LightScribeConfig
    cp_OnlineProjectsConfig
    CP_Package_Basic1
    CP_Package_Variety1
    CP_Package_Variety2
    CP_Package_Variety3
    CP_Panorama1Config
    cp_PosterPrintConfig
    cp_UpdateProjectsConfig
    Creeper World DEMO
    Creeper World Map Editor
    CueTour
    Customer Experience Enhancement
    Destinations
    DeviceManagementQFolder
    DISCover
    Easy Internet Sign-up
    Enhanced Multimedia Keyboard Solution
    Evil Genius
    ffdshow v1.1.3355 [2010-04-11]
    FullDPAppQFolder
    Garry's Mod
    Google SketchUp 7
    Google SketchUp 8
    Google Toolbar for Internet Explorer
    High Definition Audio Driver Package - KB888111
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 10 (KB903157)
    Hotfix for Windows XP (KB932716-v2)
    Hotfix for Windows XP (KB942288-v3)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB979306)
    HP Boot Optimizer
    HP DVD Play 2.1
    HP Game Console
    HP Imaging Device Functions 7.0
    HP Photosmart Premier Software 6.5
    HP Software Update
    HP Support Overview
    HP Web Helper
    HPPhotoSmartExpress
    HpSdpAppCoreApp
    InstantShareDevices
    J2SE Runtime Environment 5.0 Update 5
    LightScribe System Software
    Linksys EasyLink Advisor 1.5 (1010)
    Macromedia Flash Player 8
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Away Mode
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    Microsoft Office 2003 Edition 60 Days Trial Welcome Tour
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Standard Edition 2003
    Microsoft Office XP Professional with FrontPage
    Microsoft User-Mode Driver Framework Feature Pack 1.9
    Microsoft Visual C++ 2005 Redistributable
    Microsoft WinUsb 1.0
    Microsoft Works
    Mozilla Firefox (3.6.13)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    Notepad++
    NVIDIA Drivers
    OptionalContentQFolder
    Otto
    PhotoGallery
    Portal
    PowerISO
    Python 2.2 pywin32 extensions (build 203)
    Python 2.2.3
    Quicken 2006
    RandMap
    Realtek High Definition Audio Driver
    Sandboxie 3.46
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980232)
    SkinsHP1
    SlideShow
    SlideShowMusic
    Sonic Express Labeler
    Sonic MyDVD Plus
    Sonic RecordNow Audio
    Sonic RecordNow Copy
    Sonic RecordNow Data
    Sonic Update Manager
    Sonic_PrimoSDK
    SUPERAntiSpyware
    TortoiseSVN 1.6.11.20210 (32 bit)
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows Internet Explorer 8 (KB980302)
    Update for Windows Media Player 10 (KB913800)
    Update for Windows Media Player 10 (KB926251)
    Update for Windows XP (KB953356)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB980182)
    Update Rollup 2 for Windows XP Media Center Edition 2005
    VobSub v2.23 (Remove Only)
    WebFldrs XP
    WildTangent Web Driver
    Windows Imaging Component
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows XP Media Center Edition 2005 KB908246
    Windows XP Media Center Edition 2005 KB912067
    Windows XP Media Center Edition 2005 KB973768
    Windows XP Service Pack 3
    WinRAR archiver
    Zune
    Zune Language Pack (DE)
    Zune Language Pack (ES)
    Zune Language Pack (FR)
    Zune Language Pack (IT)

    ==== Event Viewer Messages From Past Week ========

    1/13/2011 11:14:58 AM, error: ipnathlp [30013] - The DHCP allocator has disabled itself on IP address 192.168.1.103, since the IP address is outside the 192.168.0.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, please change the scope to include the IP address, or change the IP address to fall within the scope.
    1/13/2011 11:14:44 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL
    1/13/2011 11:14:42 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    1/13/2011 11:14:42 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

    ==== End Of File ===========================

    _____________________________________________________________

    That's it, hopefully I did everything right, I will be anxiously awaiting your reply.
  4. Broni

    Broni Malware Annihilator Posts: 46,329   +252

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
  5. Chinikaylo

    Chinikaylo Newcomer, in training Topic Starter

    TDSSKiller Log

    Here it is:

    2011/01/14 12:25:36.0140 TDSS rootkit removing tool 2.4.13.0 Jan 12 2011 09:51:11
    2011/01/14 12:25:36.0140 ================================================================================
    2011/01/14 12:25:36.0140 SystemInfo:
    2011/01/14 12:25:36.0140
    2011/01/14 12:25:36.0140 OS Version: 5.1.2600 ServicePack: 3.0
    2011/01/14 12:25:36.0140 Product type: Workstation
    2011/01/14 12:25:36.0140 ComputerName: PENIS
    2011/01/14 12:25:36.0140 UserName: Compaq_Administrator
    2011/01/14 12:25:36.0140 Windows directory: C:\WINDOWS
    2011/01/14 12:25:36.0140 System windows directory: C:\WINDOWS
    2011/01/14 12:25:36.0140 Processor architecture: Intel x86
    2011/01/14 12:25:36.0140 Number of processors: 1
    2011/01/14 12:25:36.0140 Page size: 0x1000
    2011/01/14 12:25:36.0140 Boot type: Normal boot
    2011/01/14 12:25:36.0140 ================================================================================
    2011/01/14 12:25:37.0625 Initialize success

    PS, excuse my computer name
  6. Broni

    Broni Malware Annihilator Posts: 46,329   +252

    Hahaha....I don't care, but the log is incomplete.
    Please, repost it.
  7. Chinikaylo

    Chinikaylo Newcomer, in training Topic Starter

    Where do I find the log? I had to reboot after the initial scan. After I just opened up TDSSKiller and clicked on report, and copied that in. Is there a different log elsewhere?
  8. Broni

    Broni Malware Annihilator Posts: 46,329   +252

    It should be located in C:\ directory.
  9. Chinikaylo

    Chinikaylo Newcomer, in training Topic Starter

    Here it is, I think

    2011/01/14 12:15:46.0937 TDSS rootkit removing tool 2.4.13.0 Jan 12 2011 09:51:11
    2011/01/14 12:15:46.0937 ================================================================================
    2011/01/14 12:15:46.0937 SystemInfo:
    2011/01/14 12:15:46.0937
    2011/01/14 12:15:46.0937 OS Version: 5.1.2600 ServicePack: 3.0
    2011/01/14 12:15:46.0937 Product type: Workstation
    2011/01/14 12:15:46.0937 ComputerName: PENIS
    2011/01/14 12:15:46.0937 UserName: Compaq_Administrator
    2011/01/14 12:15:46.0937 Windows directory: C:\WINDOWS
    2011/01/14 12:15:46.0937 System windows directory: C:\WINDOWS
    2011/01/14 12:15:46.0937 Processor architecture: Intel x86
    2011/01/14 12:15:46.0937 Number of processors: 1
    2011/01/14 12:15:46.0937 Page size: 0x1000
    2011/01/14 12:15:46.0937 Boot type: Normal boot
    2011/01/14 12:15:46.0937 ================================================================================
    2011/01/14 12:15:47.0640 Initialize success
    2011/01/14 12:15:55.0265 ================================================================================
    2011/01/14 12:15:55.0265 Scan started
    2011/01/14 12:15:55.0265 Mode: Manual;
    2011/01/14 12:15:55.0265 ================================================================================
    2011/01/14 12:15:55.0937 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/01/14 12:15:56.0000 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/01/14 12:15:56.0125 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/01/14 12:15:56.0265 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2011/01/14 12:15:56.0500 AgereSoftModem (994a42d273c35b43ee9d1e8a5d8bc639) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
    2011/01/14 12:15:56.0953 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
    2011/01/14 12:15:57.0515 aracpi (00523019e3579c8f8a94457fe25f0f24) C:\WINDOWS\system32\DRIVERS\aracpi.sys
    2011/01/14 12:15:57.0703 arhidfltr (9fedaa46eb1a572ac4d9ee6b5f123cf2) C:\WINDOWS\system32\DRIVERS\arhidfltr.sys
    2011/01/14 12:15:57.0750 arkbcfltr (82969576093cd983dd559f5a86f382b4) C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys
    2011/01/14 12:15:57.0781 armoucfltr (9b21791d8a78faece999fadbebda6c22) C:\WINDOWS\system32\DRIVERS\armoucfltr.sys
    2011/01/14 12:15:57.0890 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2011/01/14 12:15:57.0937 ARPolicy (7a2da7c7b0c524ef26a79f17a5c69fde) C:\WINDOWS\system32\DRIVERS\arpolicy.sys
    2011/01/14 12:15:58.0109 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/01/14 12:15:58.0187 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/01/14 12:15:58.0250 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/01/14 12:15:58.0312 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/01/14 12:15:58.0437 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\system32\Drivers\avgldx86.sys
    2011/01/14 12:15:58.0531 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\system32\Drivers\avgmfx86.sys
    2011/01/14 12:15:58.0578 AvgTdiX (22e3b793c3e61720f03d3a22351af410) C:\WINDOWS\system32\Drivers\avgtdix.sys
    2011/01/14 12:15:58.0796 bb-run (7270d070173b20ac9487ea16bb08b45f) C:\WINDOWS\system32\DRIVERS\bb-run.sys
    2011/01/14 12:15:58.0875 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/01/14 12:15:58.0953 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/01/14 12:15:59.0000 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/01/14 12:15:59.0156 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/01/14 12:15:59.0265 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/01/14 12:15:59.0562 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/01/14 12:15:59.0656 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/01/14 12:15:59.0796 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/01/14 12:16:00.0046 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/01/14 12:16:00.0125 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/01/14 12:16:00.0281 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/01/14 12:16:00.0406 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/01/14 12:16:00.0500 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
    2011/01/14 12:16:00.0578 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/01/14 12:16:00.0640 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2011/01/14 12:16:00.0734 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2011/01/14 12:16:00.0812 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/01/14 12:16:00.0859 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/01/14 12:16:00.0953 ftsata2 (a81d26e33d160a4ac09eed0b0bd7d49b) C:\WINDOWS\system32\DRIVERS\ftsata2.sys
    2011/01/14 12:16:00.0953 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ftsata2.sys. Real md5: a81d26e33d160a4ac09eed0b0bd7d49b, Fake md5: 6a628f06225b20975a721ca6b2ed0d37
    2011/01/14 12:16:00.0968 ftsata2 - detected Rootkit.Win32.TDSS.tdl3 (0)
    2011/01/14 12:16:01.0203 GoProto (3800262165ce4a2b9d1ed09e2bce3e9c) C:\WINDOWS\system32\DRIVERS\goprot51.sys
    2011/01/14 12:16:01.0328 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/01/14 12:16:01.0453 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/01/14 12:16:01.0640 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/01/14 12:16:01.0859 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/01/14 12:16:01.0937 iaStor (9a65e42664d1534b68512caad0efe963) C:\WINDOWS\system32\DRIVERS\iaStor.sys
    2011/01/14 12:16:02.0000 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/01/14 12:16:02.0296 IntcAzAudAddService (64be56b8858ca0153c725c720ffd194f) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2011/01/14 12:16:02.0484 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2011/01/14 12:16:02.0703 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/01/14 12:16:02.0812 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2011/01/14 12:16:02.0906 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/01/14 12:16:02.0968 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/01/14 12:16:03.0109 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/01/14 12:16:03.0156 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/01/14 12:16:03.0250 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/01/14 12:16:03.0359 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/01/14 12:16:03.0484 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/01/14 12:16:03.0578 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/01/14 12:16:03.0640 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/01/14 12:16:03.0921 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
    2011/01/14 12:16:03.0968 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/01/14 12:16:04.0125 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/01/14 12:16:04.0203 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/01/14 12:16:04.0343 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/01/14 12:16:04.0484 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/01/14 12:16:04.0609 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/01/14 12:16:04.0765 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/01/14 12:16:04.0953 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/01/14 12:16:05.0109 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/01/14 12:16:05.0218 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/01/14 12:16:05.0265 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/01/14 12:16:05.0343 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/01/14 12:16:05.0421 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/01/14 12:16:05.0515 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/01/14 12:16:05.0609 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/01/14 12:16:05.0812 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/01/14 12:16:06.0015 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/01/14 12:16:06.0218 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/01/14 12:16:06.0328 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/01/14 12:16:06.0515 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2011/01/14 12:16:06.0609 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/01/14 12:16:06.0687 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/01/14 12:16:06.0796 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/01/14 12:16:07.0078 nv (ce58f42b11be20a47c3d8d2f38da254e) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2011/01/14 12:16:07.0281 NVENETFD (22eedb34c4d7613a25b10c347c6c4c21) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
    2011/01/14 12:16:07.0453 nvnetbus (5e3f6ad5cad0f12d3cccd06fd964087a) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
    2011/01/14 12:16:07.0609 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/01/14 12:16:07.0687 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/01/14 12:16:07.0781 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2011/01/14 12:16:07.0875 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/01/14 12:16:07.0921 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/01/14 12:16:08.0140 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/01/14 12:16:08.0203 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/01/14 12:16:08.0406 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/01/14 12:16:08.0468 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/01/14 12:16:08.0765 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/01/14 12:16:08.0859 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    2011/01/14 12:16:08.0937 Ps2 (390c204ced3785609ab24e9c52054a84) C:\WINDOWS\system32\DRIVERS\PS2.sys
    2011/01/14 12:16:09.0000 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/01/14 12:16:09.0062 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/01/14 12:16:09.0140 PxHelp20 (0457e25bb122b854e267cf552dcdc370) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/01/14 12:16:09.0390 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/01/14 12:16:09.0468 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/01/14 12:16:09.0546 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/01/14 12:16:09.0718 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/01/14 12:16:09.0859 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/01/14 12:16:09.0937 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/01/14 12:16:10.0046 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/01/14 12:16:10.0234 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/01/14 12:16:10.0421 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/01/14 12:16:10.0531 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
    2011/01/14 12:16:10.0765 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) K:\Programs\SASDIFSV.SYS
    2011/01/14 12:16:10.0828 SASKUTIL (61db0d0756a99506207fd724e3692b25) K:\Programs\SASKUTIL.SYS
    2011/01/14 12:16:11.0000 SbieDrv (2cdab8553e703c7754be9ce1c4454eb5) C:\Program Files\Sandboxie\SbieDrv.sys
    2011/01/14 12:16:11.0140 SCDEmu (16b1abe7f3e35f21dac57592b6c5d464) C:\WINDOWS\system32\drivers\SCDEmu.sys
    2011/01/14 12:16:11.0281 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/01/14 12:16:11.0390 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
    2011/01/14 12:16:11.0562 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/01/14 12:16:11.0781 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/01/14 12:16:11.0937 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
    2011/01/14 12:16:11.0937 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
    2011/01/14 12:16:11.0953 sptd - detected Locked file (1)
    2011/01/14 12:16:12.0000 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/01/14 12:16:12.0093 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/01/14 12:16:12.0265 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
    2011/01/14 12:16:12.0406 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/01/14 12:16:12.0515 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/01/14 12:16:12.0734 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/01/14 12:16:12.0843 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/01/14 12:16:13.0015 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/01/14 12:16:13.0140 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/01/14 12:16:13.0203 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/01/14 12:16:13.0328 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/01/14 12:16:13.0468 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/01/14 12:16:13.0671 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/01/14 12:16:13.0812 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/01/14 12:16:13.0937 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/01/14 12:16:14.0078 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
    2011/01/14 12:16:14.0187 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/01/14 12:16:14.0359 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/01/14 12:16:14.0437 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/01/14 12:16:14.0515 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/01/14 12:16:14.0656 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/01/14 12:16:14.0750 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
    2011/01/14 12:16:14.0812 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/01/14 12:16:14.0906 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/01/14 12:16:15.0031 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
    2011/01/14 12:16:15.0234 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/01/14 12:16:15.0375 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
    2011/01/14 12:16:15.0500 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
    2011/01/14 12:16:15.0609 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/01/14 12:16:15.0687 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/01/14 12:16:15.0828 zumbus (6bfb54f73aae470e9299e66cbc7bb632) C:\WINDOWS\system32\DRIVERS\zumbus.sys
    2011/01/14 12:16:16.0250 ================================================================================
    2011/01/14 12:16:16.0250 Scan finished
    2011/01/14 12:16:16.0250 ================================================================================
    2011/01/14 12:16:16.0265 Detected object count: 2
    2011/01/14 12:16:39.0156 ftsata2 (a81d26e33d160a4ac09eed0b0bd7d49b) C:\WINDOWS\system32\DRIVERS\ftsata2.sys
    2011/01/14 12:16:39.0171 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ftsata2.sys. Real md5: a81d26e33d160a4ac09eed0b0bd7d49b, Fake md5: 6a628f06225b20975a721ca6b2ed0d37
    2011/01/14 12:16:40.0562 Backup copy not found, trying to cure infected file..
    2011/01/14 12:16:40.0562 Cure success, using it..
    2011/01/14 12:16:40.0593 C:\WINDOWS\system32\DRIVERS\ftsata2.sys - will be cured after reboot
    2011/01/14 12:16:40.0593 Rootkit.Win32.TDSS.tdl3(ftsata2) - User select action: Cure
    2011/01/14 12:16:40.0593 Locked file(sptd) - User select action: Skip
    2011/01/14 12:19:29.0625 Deinitialize success
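    The log above illustrates the two things a helper looks for first in a TDSSKiller report: a "Suspicious file (Forged)" entry whose real MD5 differs from the one the rootkit presents to the system, and the "User select action" lines that say what was actually done about each detection (here ftsata2 was cured and the locked sptd.sys was skipped). The script below is an added example, not code from TechSpot, Kaspersky or anyone in this thread; it parses that line format and produces a short triage list, so an incomplete log (one that stops after "Initialize success", as in the first post) is flagged instead of being mistaken for a clean result. The sample log embedded in it is constructed for the example and its hashes are placeholders.

```python
"""Triage helper for TDSSKiller scan logs (added example, not the tool's own code).

Parses the line format TDSSKiller 2.4.x writes and extracts detections,
the flag on each suspicious file (Forged / NoAccess), the real vs. fake
MD5 for forged drivers, and the action the user chose for each object.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Every log line starts with a timestamp "YYYY/MM/DD HH:MM:SS.mmmm " followed by the message.
TS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(.*)$")
# Driver enumeration: "<service name> (<md5>) <path>"
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")
# "Suspicious file (Forged): <path>. Real md5: <hex>, Fake md5: <hex>"
# or "Suspicious file (NoAccess): <path>. md5: <hex>"
SUSPICIOUS_RE = re.compile(
    r"^Suspicious file \((\w+)\): (.+?)\."
    r"(?: Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})| md5: ([0-9a-f]{32}))$"
)
# "<name> - detected <verdict> (<index>)"
DETECT_RE = re.compile(r"^(\S+) - detected (.+) \((\d+)\)$")
# "<verdict>(<name>) - User select action: <Cure|Skip|Delete|...>"
ACTION_RE = re.compile(r"^(.+)\((\S+)\) - User select action: (\w+)$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")


@dataclass
class Detection:
    name: str                      # service/driver name as TDSSKiller reports it
    verdict: str                   # e.g. "Rootkit.Win32.TDSS.tdl3" or "Locked file"
    path: Optional[str] = None
    flag: Optional[str] = None     # "Forged" or "NoAccess"
    real_md5: Optional[str] = None
    fake_md5: Optional[str] = None # hash the rootkit presents in place of the real one
    action: Optional[str] = None   # what the user chose: Cure, Skip, Delete, ...


@dataclass
class TdssReport:
    drivers: Dict[str, str] = field(default_factory=dict)          # name -> path
    detections: Dict[str, Detection] = field(default_factory=dict)  # name -> Detection
    declared_count: Optional[int] = None
    scan_finished: bool = False
    reboot_required: bool = False


def parse_tdsskiller_log(text: str) -> TdssReport:
    report = TdssReport()
    pending: Dict[str, Tuple[str, Optional[str], Optional[str]]] = {}  # path -> (flag, real, fake)
    for raw in text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue                      # separators, timestamp-only lines, noise
        body = m.group(2)
        if body == "Scan finished":
            report.scan_finished = True
        elif body.endswith("- will be cured after reboot"):
            report.reboot_required = True
        elif (m := COUNT_RE.match(body)):
            report.declared_count = int(m.group(1))
        elif (m := SUSPICIOUS_RE.match(body)):
            flag, path, real, fake, single = m.groups()
            pending[path] = (flag, real or single, fake)
        elif (m := DETECT_RE.match(body)):
            name, verdict, _index = m.groups()
            det = report.detections.setdefault(name, Detection(name=name, verdict=verdict))
            det.verdict = verdict
            path = report.drivers.get(name)  # the driver line precedes its suspicious-file line
            if path in pending:
                det.path = path
                det.flag, det.real_md5, det.fake_md5 = pending[path]
        elif (m := ACTION_RE.match(body)):
            verdict, name, action = m.groups()
            det = report.detections.setdefault(name, Detection(name=name, verdict=verdict))
            det.action = action
        elif (m := DRIVER_RE.match(body)):
            name, _md5, path = m.groups()
            report.drivers[name] = path
    return report


def triage(report: TdssReport) -> List[str]:
    """Follow-up items for the helper; an empty list means nothing is left to do."""
    items: List[str] = []
    if not report.scan_finished:
        items.append("log is incomplete: no 'Scan finished' line, ask for the full C:\\ log")
    if report.declared_count is not None and report.declared_count != len(report.detections):
        items.append(f"declared {report.declared_count} objects but parsed {len(report.detections)}")
    for det in report.detections.values():
        if det.flag == "Forged":
            items.append(f"{det.name}: {det.verdict} hides real md5 {det.real_md5} "
                         f"behind fake md5 {det.fake_md5} ({det.path})")
        if det.action not in ("Cure", "Delete"):
            items.append(f"{det.name}: {det.verdict} left in place (action={det.action}), verify it")
    if report.reboot_required:
        items.append("reboot required before the cure takes effect")
    return items


# Constructed sample in the format posted in the thread; hashes and paths are placeholders.
SAMPLE_LOG = r"""
2011/01/14 12:15:55.0265 Scan started
2011/01/14 12:15:55.0265 Mode: Manual;
2011/01/14 12:15:55.0937 ACPI (abcdefabcdefabcdefabcdefabcdefab) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/14 12:16:00.0953 ftsata2 (0123456789abcdef0123456789abcdef) C:\WINDOWS\system32\DRIVERS\ftsata2.sys
2011/01/14 12:16:00.0953 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ftsata2.sys. Real md5: 0123456789abcdef0123456789abcdef, Fake md5: fedcba9876543210fedcba9876543210
2011/01/14 12:16:00.0968 ftsata2 - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/01/14 12:16:11.0937 sptd (deadbeefdeadbeefdeadbeefdeadbeef) C:\WINDOWS\system32\Drivers\sptd.sys
2011/01/14 12:16:11.0937 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: deadbeefdeadbeefdeadbeefdeadbeef
2011/01/14 12:16:11.0953 sptd - detected Locked file (1)
2011/01/14 12:16:16.0250 Scan finished
2011/01/14 12:16:16.0265 Detected object count: 2
2011/01/14 12:16:40.0593 C:\WINDOWS\system32\DRIVERS\ftsata2.sys - will be cured after reboot
2011/01/14 12:16:40.0593 Rootkit.Win32.TDSS.tdl3(ftsata2) - User select action: Cure
2011/01/14 12:16:40.0593 Locked file(sptd) - User select action: Skip
2011/01/14 12:19:29.0625 Deinitialize success
"""

# A log that stops right after initialisation, like the first one posted in this thread.
INCOMPLETE_LOG = "2011/01/14 12:25:37.0625 Initialize success\n"

if __name__ == "__main__":
    for line in triage(parse_tdsskiller_log(SAMPLE_LOG)):
        print("-", line)
```

The parser deliberately keys detections by service name rather than path, because TDSSKiller repeats the driver and "Suspicious file" lines when it re-examines an object for curing, and keying by name keeps those repeats from showing up as extra detections that would trip the declared-count check.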
  10. Broni

    Broni Malware Annihilator Posts: 46,329   +252

    Good :)

    How is redirection?

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ===================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  11. Chinikaylo

    Chinikaylo Newcomer, in training Topic Starter

    Here's the MBR Check

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x00000ffc

    Kernel Drivers (total 133):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806D0000 \WINDOWS\system32\hal.dll
    0xF7AB0000 \WINDOWS\system32\KDCOM.DLL
    0xF79C0000 \WINDOWS\system32\BOOTVID.dll
    0xF749D000 klmdb.sys
    0xF73AA000 spbp.sys
    0xF7AB2000 \WINDOWS\System32\Drivers\WMILIB.SYS
    0xF7392000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
    0xF7364000 ACPI.sys
    0xF7353000 pci.sys
    0xF75B0000 ohci1394.sys
    0xF75C0000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xF75D0000 isapnp.sys
    0xF7B78000 pciide.sys
    0xF7830000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF75E0000 MountMgr.sys
    0xF7334000 ftdisk.sys
    0xF7AB8000 dmload.sys
    0xF730E000 dmio.sys
    0xF7838000 PartMgr.sys
    0xF75F0000 VolSnap.sys
    0xF7221000 atapi.sys
    0xF71DE000 tsk48.tmp
    0xF7600000 disk.sys
    0xF7610000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF71BE000 fltmgr.sys
    0xF71AC000 sr.sys
    0xF7620000 bb-run.sys
    0xF7630000 PxHelp20.sys
    0xF7195000 KSecDD.sys
    0xF7108000 Ntfs.sys
    0xF70DB000 NDIS.sys
    0xF70C1000 Mup.sys
    0xF6623000 \SystemRoot\system32\DRIVERS\AmdK8.sys
    0xF7940000 \SystemRoot\system32\DRIVERS\aracpi.sys
    0xF621E000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xF620A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF7948000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0xF61E6000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7950000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF6613000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF6603000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF65F3000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF61C3000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF60AA000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0xF7AE8000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF7958000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF605A000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF7AA0000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
    0xF600F000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
    0xF5FD8000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS
    0xF5FA1000 \SystemRoot\System32\Drivers\ap7toycn.SYS
    0xF65E3000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF7840000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7AEE000 \SystemRoot\system32\DRIVERS\armoucfltr.sys
    0xF7880000 \SystemRoot\system32\DRIVERS\PS2.sys
    0xF7888000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF7AF0000 \SystemRoot\system32\DRIVERS\arkbcfltr.sys
    0xF709D000 \SystemRoot\system32\DRIVERS\arpolicy.sys
    0xF7AF2000 \SystemRoot\system32\DRIVERS\serscan.sys
    0xF7CB0000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF65D3000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7099000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF5F8A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF65C3000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF65B3000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7890000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF5F79000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF7670000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF7898000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF78A0000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF5F49000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF7680000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF7AF4000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF5EEB000 \SystemRoot\system32\DRIVERS\update.sys
    0xF707D000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF7690000 \SystemRoot\system32\DRIVERS\zumbus.sys
    0xF76A0000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
    0xF5E52000 \SystemRoot\System32\Drivers\wdf01000.sys
    0xF76B0000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF76C0000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF3477000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xF3453000 \SystemRoot\system32\drivers\portcls.sys
    0xF76E0000 \SystemRoot\system32\drivers\drmk.sys
    0xF76F0000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
    0xF7AF8000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7B97000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7AFA000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF78D8000 \SystemRoot\System32\drivers\vga.sys
    0xF7AFC000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7AFE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF78E0000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF78E8000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF6086000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xF33F8000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xF339F000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xF3365000 \SystemRoot\System32\Drivers\avgtdix.sys
    0xF333F000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF7700000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF78F0000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xF32EF000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xF32CD000 \SystemRoot\System32\drivers\afd.sys
    0xF7720000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xF7740000 \SystemRoot\System32\Drivers\SCDEmu.SYS
    0xF31DA000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xF3142000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF7750000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF7900000 \SystemRoot\System32\Drivers\avgmfx86.sys
    0xF310E000 \SystemRoot\System32\Drivers\avgldx86.sys
    0xF30EA000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xF30D2000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF7B3C000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF3225000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF7938000 \SystemRoot\System32\watchdog.sys
    0xBF9C4000 \SystemRoot\System32\drivers\dxg.sys
    0xF7C9D000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF9D6000 \SystemRoot\System32\nv4_disp.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xBACD1000 \SystemRoot\system32\DRIVERS\WudfPf.sys
    0xBAC3A000 \??\C:\Program Files\Sandboxie\SbieDrv.sys
    0xBACE8000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xBA12D000 \SystemRoot\system32\drivers\wdmaud.sys
    0xBABBA000 \SystemRoot\system32\drivers\sysaudio.sys
    0xBADD0000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB9E82000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xB9D01000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB9C82000 \SystemRoot\system32\DRIVERS\srv.sys
    0xB95F8000 \??\K:\Programs\SASKUTIL.SYS
    0xF7920000 \??\K:\Programs\SASDIFSV.SYS
    0xB5A89000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll
    0x10000000 \Program Files\Alcohol Soft\Alcohol 120\Alcoholx.dll

    Processes (total 48):
    0 System Idle Process
    4 System
    732 C:\WINDOWS\system32\smss.exe
    820 csrss.exe
    844 C:\WINDOWS\system32\winlogon.exe
    888 C:\WINDOWS\system32\services.exe
    900 C:\WINDOWS\system32\lsass.exe
    1060 C:\WINDOWS\system32\svchost.exe
    1120 svchost.exe
    1212 C:\Program Files\Sandboxie\SbieSvc.exe
    1232 C:\WINDOWS\system32\svchost.exe
    1304 C:\WINDOWS\system32\svchost.exe
    1404 C:\Program Files\AVG\AVG9\avgchsvx.exe
    1412 C:\Program Files\AVG\AVG9\avgrsx.exe
    1520 C:\Program Files\AVG\AVG9\avgcsrvx.exe
    1536 svchost.exe
    1708 svchost.exe
    2020 C:\WINDOWS\explorer.exe
    212 C:\WINDOWS\system32\spoolsv.exe
    320 C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    564 C:\Program Files\ZuneLauncher.exe
    572 C:\Program Files\PowerISO\PWRISOVM.EXE
    584 C:\PROGRA~1\AVG\AVG9\avgtray.exe
    596 C:\WINDOWS\system32\ctfmon.exe
    748 C:\Program Files\Sandboxie\SbieCtrl.exe
    760 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    784 K:\Programs\SUPERAntiSpyware.exe
    1176 svchost.exe
    1224 C:\WINDOWS\arservice.exe
    1324 C:\Program Files\AVG\AVG9\avgwdsvc.exe
    1532 C:\WINDOWS\ehome\ehrecvr.exe
    1768 C:\WINDOWS\ehome\ehSched.exe
    2140 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    2168 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    2388 C:\WINDOWS\system32\nvsvc32.exe
    2448 C:\Program Files\AVG\AVG9\avgnsx.exe
    2588 svchost.exe
    2764 C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    2900 C:\WINDOWS\system32\svchost.exe
    2980 C:\WINDOWS\system32\ZuneBusEnum.exe
    3084 mcrdsvc.exe
    3496 C:\WINDOWS\system32\dllhost.exe
    3648 alg.exe
    224 C:\WINDOWS\system32\svchost.exe
    3708 K:\Programs\firefox.exe
    308 K:\Programs\plugin-container.exe
    2324 C:\Program Files\Zune.exe
    1440 C:\Documents and Settings\Compaq_Administrator\My Documents\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000038`2bf5a600 (FAT32)
    \\.\K: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD2500JS-60NCB1, Rev: 10.02E02
    PhysicalDrive1 Model Number: FANTOMWD10EAVS-00D7B1, Rev: 2.10

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: 3FA1BAC1D7FD18071BE2B53E6001CD7DFE278CEB
    931 GB \\.\PhysicalDrive1 RE: Unknown MBR code
    SHA1: 7B673ACE7D764F99598D604CA48490D0A72DF547


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!

    _________________________________________________________________________________________________

The redirect seems to be gone, hopefully it won't come back. Thanks! Also, I didn't do the ComboFix yet, just the MBR Check
     
  12. Broni

    Broni Malware Annihilator Posts: 46,329   +252

    Good news, but we need to keep checking.

    You seem to have MBR issue and I still need Combofix log.
  13. Chinikaylo

    Chinikaylo Newcomer, in training Topic Starter

    Hey there

Sorry I didn't post this right away but I was gone over the weekend. Anyway, here's the ComboFix report:
    ----------------------------------------------------------------------------------------------------------------------------------------------------

    ComboFix 11-01-17.05 - Compaq_Administrator 01/18/2011 10:38:43.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.599 [GMT -5:00]
    Running from: c:\documents and settings\Compaq_Administrator\My Documents\Downloads\ComboFix.exe
    FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Compaq_Administrator\Application Data\chrtmp
    c:\program files\background.jpg
    c:\windows\Install
    c:\windows\install\server.exe
    D:\Autorun.inf
    K:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2010-12-18 to 2011-01-18 )))))))))))))))))))))))))))))))
    .

    2011-01-16 02:06 . 2011-01-16 02:08 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\.minecraft
    2011-01-16 01:00 . 2011-01-16 01:00 -------- d-----w- c:\program files\7-Zip
    2011-01-14 21:08 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
    2011-01-14 21:08 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2011-01-14 21:02 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
    2011-01-14 20:59 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2011-01-14 20:58 . 2010-11-06 00:26 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
    2011-01-14 20:57 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
    2011-01-14 20:37 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
    2011-01-13 16:59 . 2011-01-13 16:59 -------- d-----w- c:\program files\Trend Micro
    2011-01-09 02:04 . 2011-01-09 02:04 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\SUPERAntiSpyware.com
    2011-01-09 02:04 . 2011-01-09 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-01-05 17:06 . 2011-01-05 17:06 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\AskToolbar
    2011-01-05 00:37 . 2011-01-05 00:37 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
    2011-01-03 18:35 . 2011-01-03 18:35 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Malwarebytes
    2011-01-03 18:35 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-03 18:35 . 2011-01-03 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-01-03 18:35 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-14 17:20 . 2005-06-30 00:03 175104 ----a-w- c:\windows\system32\drivers\ftsata2.sys
    2010-11-18 18:12 . 2004-08-10 04:00 81920 ------w- c:\windows\system32\isign32.dll
    2010-11-09 14:52 . 2004-08-10 04:00 249856 ----a-w- c:\windows\system32\odbc32.dll
    2010-11-06 00:26 . 2004-08-10 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2004-08-10 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26 . 2004-08-10 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25 . 2004-08-10 04:00 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2004-08-10 04:00 40960 ------w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2004-08-10 04:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2004-08-10 04:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    2010-01-07 18:42 . 2010-01-07 18:42 912192 ----a-w- c:\program files\ZuneDBApi.dll
    2010-01-07 18:42 . 2010-01-07 18:42 554816 ----a-w- c:\program files\UIXcontrols.dll
    2010-01-07 18:42 . 2010-01-07 18:42 1521472 ----a-w- c:\program files\UIX.dll
    2010-01-07 18:42 . 2010-01-07 18:42 1304384 ----a-w- c:\program files\ZuneShell.dll
    2010-01-07 18:42 . 2010-01-07 18:42 644928 ----a-w- c:\program files\UIX.renderapi.dll
    2010-01-07 18:38 . 2010-01-07 18:38 87792 ----a-w- c:\program files\ZuneTaskbar.dll
    2010-01-07 18:38 . 2010-01-07 18:38 320224 ----a-w- c:\program files\ZuneSrcWrp.dll
    2010-01-07 18:38 . 2010-01-07 18:38 134384 ----a-w- c:\program files\ZuneZMDB.Library.dll
    2010-01-07 18:38 . 2010-01-07 18:38 133872 ----a-w- c:\program files\ZuneZMDB.ZuneHD.dll
    2010-01-07 18:38 . 2010-01-07 18:38 129264 ----a-w- c:\program files\ZuneZMDB.Classic.dll
    2010-01-07 18:38 . 2010-01-07 18:38 747248 ----a-w- c:\program files\ZuneService.dll
    2010-01-07 18:38 . 2010-01-07 18:38 61664 ----a-w- c:\program files\ZuneShellExt.dll
    2010-01-07 18:38 . 2010-01-07 18:38 609504 ----a-w- c:\program files\ZuneSH.dll
    2010-01-07 18:38 . 2010-01-07 18:38 410336 ----a-w- c:\program files\ZuneSP.dll
    2010-01-07 18:38 . 2010-01-07 18:38 381168 ----a-w- c:\program files\ZuneSE.dll
    2010-01-07 18:38 . 2010-01-07 18:38 17632 ----a-w- c:\program files\ZuneShare.exe
    2010-01-07 18:38 . 2010-01-07 18:38 1674992 ----a-w- c:\program files\ZuneSetup.exe
    2010-01-07 18:38 . 2010-01-07 18:38 16674032 ----a-w- c:\program files\ZuneShellResources.dll
    2010-01-07 18:38 . 2010-01-07 18:38 1454832 ----a-w- c:\program files\ZuneResources.dll
    2010-01-07 18:38 . 2010-01-07 18:38 142560 ----a-w- c:\program files\ZuneSA.dll
    2010-01-07 18:38 . 2010-01-07 18:38 682736 ----a-w- c:\program files\ZuneQP.dll
    2010-01-07 18:38 . 2010-01-07 18:38 626928 ----a-w- c:\program files\ZUNEMP4SDECD.dll
    2010-01-07 18:38 . 2010-01-07 18:38 57584 ----a-w- c:\program files\ZuneDXVA2.dll
    2010-01-07 18:38 . 2010-01-07 18:38 46304 ----a-w- c:\program files\ZuneConfig.exe
    2010-01-07 18:38 . 2010-01-07 18:38 19696 ----a-w- c:\program files\ZunePS.dll
    2010-01-07 18:38 . 2010-01-07 18:38 121056 ----a-w- c:\program files\ZuneEffects.dll
    2010-01-07 18:38 . 2010-01-07 18:38 945904 ----a-w- c:\program files\ZuneMarketplaceResources.dll
    2010-01-07 18:38 . 2010-01-07 18:38 842480 ----a-w- c:\program files\ZuneMde.dll
    2010-01-07 18:38 . 2010-01-07 18:38 6790384 ----a-w- c:\program files\ZuneNativeLib.dll
    2010-01-07 18:38 . 2010-01-07 18:38 5950704 ----a-w- c:\program files\ZuneNss.exe
    2010-01-07 18:38 . 2010-01-07 18:38 50416 ----a-w- c:\program files\ZuneCfg.dll
    2010-01-07 18:38 . 2010-01-07 18:38 38624 ----a-w- c:\program files\ZuneEnc.exe
    2010-01-07 18:38 . 2010-01-07 18:38 30960 ----a-w- c:\program files\UIXsup.dll
    2010-01-07 18:38 . 2010-01-07 18:38 297200 ----a-w- c:\program files\ZuneEvr.dll
    2010-01-07 18:38 . 2010-01-07 18:38 272112 ----a-w- c:\program files\ZuneNssci.dll
    2010-01-07 18:38 . 2010-01-07 18:38 209120 ----a-w- c:\program files\Zune.exe
    2010-01-07 18:38 . 2010-01-07 18:38 181984 ----a-w- c:\program files\ZuneHost.exe
    2010-01-07 18:38 . 2010-01-07 18:38 173808 ----a-w- c:\program files\ZuneDB.dll
    2010-01-07 18:38 . 2010-01-07 18:38 1692384 ----a-w- c:\program files\ZuneEncEng.dll
    2010-01-07 18:38 . 2010-01-07 18:38 158448 ----a-w- c:\program files\ZuneLauncher.exe
    2010-01-07 18:38 . 2010-01-07 18:38 1342192 ----a-w- c:\program files\UIXrender.dll
    2010-01-07 18:38 . 2010-01-07 18:38 120048 ----a-w- c:\program files\ZunePresenter.dll
    2010-01-07 18:38 . 2010-01-07 18:38 116448 ----a-w- c:\program files\ZuneAACDec.dll
    2010-01-07 18:38 . 2010-01-07 18:38 1053936 ----a-w- c:\program files\ZuneH264Dec.dll
    2010-01-07 18:38 . 2010-01-07 18:38 1025264 ----a-w- c:\program files\ZuneCore.dll
    2010-01-07 18:24 . 2010-01-07 18:24 232448 ----a-w- c:\program files\l3codecp.acm
    2007-08-27 19:56 . 2007-08-27 19:56 1089440 ----a-w- c:\program files\msidcrl40.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    2010-10-11 21:12 1244040 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-10-11 1244040]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-10-11 1244040]

    [HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
    @="{C5994560-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
    @="{C5994561-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
    @="{C5994562-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
    @="{C5994563-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
    @="{C5994564-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
    @="{C5994565-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
    @="{C5994566-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
    @="{C5994567-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
    @="{C5994568-53D9-4125-87C9-F193FC689CB2}"
    [HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
    2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" [2009-11-15 33120]
    "SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-07-04 398568]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-25 7311360]
    "Zune Launcher"="c:\program files\ZuneLauncher.exe" [2010-01-07 158448]
    "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - k:\programs\Microsoft Office Cracked\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "k:\programs\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- k:\programs\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
    backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
    2005-08-03 06:19 77312 ------w- c:\windows\arpwrmsg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
    2006-03-16 09:12 1077248 ----a-w- c:\program files\DISC\DISCover.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
    2006-03-16 09:11 61440 ----a-w- c:\program files\DISC\DISCUpdMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
    2006-04-03 00:07 389120 ----a-w- c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-09-30 04:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2005-02-17 13:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
    2006-02-16 05:34 249856 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2006-01-25 02:15 7311360 ----a-w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2006-01-25 02:15 1519616 ----a-w- c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    2005-07-23 05:14 237568 ----a-w- c:\windows\SMINST\Recguard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2006-03-08 11:54 16010240 ----a-w- c:\windows\RTHDCPL.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\DISC\\DISCover.exe"=
    "c:\\Program Files\\DISC\\DiscStreamHub.exe"=
    "c:\\Program Files\\DISC\\myFTP.exe"=
    "c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "k:\\Programs\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
    "k:\\Programs\\THQ\\Dawn of War\\W40kWA.exe"=
    "k:\\Programs\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\EA Games\\Command and Conquer Generals\\game.dat"=
    "k:\\Programs\\Steam\\SteamApps\\crippin_blood\\day of defeat source\\hl2.exe"=
    "c:\\Documents and Settings\\Compaq_Administrator\\Desktop\\?\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
    "k:\\Programs\\Steam\\Steam.exe"=
    "k:\\Programs\\Steam\\SteamApps\\crippin_blood\\counter-strike source\\hl2.exe"=
    "c:\\Documents and Settings\\Compaq_Administrator\\Desktop\\Minecraft.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "443:TCP"= 443:TCP:https
    "21:TCP"= 21:TCP:FTP

    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/17/2010 10:28 PM 691696]
    S1 SASDIFSV;SASDIFSV;k:\programs\sasdifsv.sys [2/17/2010 1:25 PM 12872]
    S1 SASKUTIL;SASKUTIL;k:\programs\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2009-06-17 16:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-18 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
    - c:\program files\Ask.com\UpdateTask.exe [2010-10-11 21:12]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride = <local>
    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
    IE: E&xport to Microsoft Excel - k:\programs\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
    Trusted Zone: trymedia.com
    FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\3x3rarsk.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - k:\programs\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
    FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe
    Notify-avgrsstarter - (no file)
    SafeBoot-klmdb.sys
    SafeBoot-WudfPf
    SafeBoot-WudfRd
    MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-18 10:42
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(828)
    k:\programs\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    Completion time: 2011-01-18 10:44:29
    ComboFix-quarantined-files.txt 2011-01-18 15:44

    Pre-Run: 158,281,789,440 bytes free
    Post-Run: 158,351,314,944 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    - - End Of File - - A98F3F50837A9F7218D76EEDE17F2F9B
  14. Broni

    Broni Malware Annihilator Posts: 46,329   +252

    We need to double check your MBR.

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
  15. Chinikaylo

    Chinikaylo Newcomer, in training Topic Starter

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 53b87386f68c4cb2306da5ba771dbe8b

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
  16. Broni

    Broni Malware Annihilator Posts: 46,329   +252

    Yeah, we need to fix it....

    Please download NTBR by noahdfear and save it to your Desktop.
    File size: 2.44 MB (2,565,432 bytes)

    • Place a blank CD in your CD drive.
    • Double click on NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted, run MBRCheck again and post its log.

    **Important note to Dell users - fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. If this is a Dell computer, let me know before proceeding.
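The two posts above describe, in tool-output form, what an MBR check actually does: Bootkit Remover and MBRCheck hash the boot code in the first sector and report "Unknown boot code" when the hash is not one they recognize, and the MBRWORK "Install Standard MBR code" step rewrites that code while leaving the rest of the sector alone. The script below, an added example that is not part of the thread or of any of the tools named in it, performs the same triage on a 512-byte MBR dump (such as the one `remover.exe dump` writes) and shows what a safe repair must preserve. The boot-code bytes, the disk signature, the "known-good" hash set and the partition layout are all constructed for the demo; the only value taken from the thread is the C: volume offset 0x7E00 (LBA 63):

```python
"""MBR triage and repair demo (added example, not code from the thread or the
tools it names). Parses a 512-byte master boot record the way MBRCheck /
Bootkit Remover report it, hashes the boot code, flags unknown code, and shows
what "Install Standard MBR code" must preserve when it rewrites the sector."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0..439 hold the executable boot code
DISK_SIG_OFF = 440           # bytes 440..443: Windows disk signature
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511

# Assumption: STANDARD_CODE is a stand-in for vendor boot code you trust,
# not the real Microsoft loader. The bytes are constructed for this demo.
STANDARD_CODE = bytes.fromhex("33c08ed0bc007cfb5007501ffc") + b"\x90" * 20
# Constructed stand-in for bootkit code: an infinite jump followed by filler.
INFECTED_CODE = b"\xeb\xfe" + b"\xcc" * 30

def _pad_code(code: bytes) -> bytes:
    if len(code) > BOOT_CODE_LEN:
        raise ValueError("boot code must fit in 440 bytes")
    return code.ljust(BOOT_CODE_LEN, b"\x00")

def boot_code_sha1(code: bytes) -> str:
    """SHA-1 over the full 440-byte boot-code area, upper-case hex like MBRCheck prints."""
    return hashlib.sha1(_pad_code(code)).hexdigest().upper()

# Hashes you consider clean, e.g. taken from a known-good machine of the same build.
KNOWN_GOOD_SHA1 = {boot_code_sha1(STANDARD_CODE)}

def make_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """One 16-byte partition entry; CHS fields zeroed, LBA fields populated."""
    flag = 0x80 if bootable else 0x00
    return struct.pack("<B3sB3sII", flag, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)

def build_mbr(code: bytes, disk_sig: bytes, entries: list) -> bytes:
    table = b"".join(entries).ljust(64, b"\x00")
    mbr = _pad_code(code) + disk_sig + b"\x00\x00" + table + MBR_SIGNATURE
    assert len(mbr) == SECTOR
    return mbr

def parse_mbr(mbr: bytes) -> dict:
    """Return boot-code hash, disk signature and the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError("expected one 512-byte sector")
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA signature: not a valid MBR")
    parts = []
    for i in range(4):
        flag, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:          # empty slot
            continue
        parts.append({"index": i, "bootable": bool(flag & 0x80), "type": ptype,
                      "lba_start": lba, "sectors": count, "byte_offset": lba * SECTOR})
    return {"boot_code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper(),
            "disk_signature": mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
            "partitions": parts}

def classify(sha1_hex: str, known_good=KNOWN_GOOD_SHA1) -> str:
    return "Known-good MBR code" if sha1_hex in known_good else "Unknown MBR code"

def install_standard_boot_code(mbr: bytes, code: bytes = STANDARD_CODE) -> bytes:
    """Rewrite only bytes 0..439. The disk signature, partition table and 0x55AA
    are kept; clobbering them is what makes volumes unmountable or hides a
    vendor recovery partition after a careless MBR 'fix'."""
    return _pad_code(code) + mbr[BOOT_CODE_LEN:]

# Constructed sample disk: bootable NTFS at LBA 63 (byte offset 0x7E00, as in the
# thread's MBRCheck output for C:) and a FAT32 partition further along.
SAMPLE_INFECTED_MBR = build_mbr(INFECTED_CODE, b"\x12\x34\x56\x78", [
    make_entry(True, 0x07, 63, 470_000_000),
    make_entry(False, 0x0B, 0x1C15FAD3, 17_000_000),
])

def triage(mbr: bytes) -> dict:
    info = parse_mbr(mbr)
    info["status"] = classify(info["boot_code_sha1"])
    return info

if __name__ == "__main__":
    before = triage(SAMPLE_INFECTED_MBR)
    print(before["status"], before["boot_code_sha1"])
    for p in before["partitions"]:
        print(f"  entry {p['index']}: type 0x{p['type']:02X} at offset 0x{p['byte_offset']:x}")
    after = triage(install_standard_boot_code(SAMPLE_INFECTED_MBR))
    print(after["status"], "partition table unchanged:", after["partitions"] == before["partitions"])
```

Two points the thread's tool output only hints at: an "Unknown" verdict means the hash is not in the tool's list, not that the code is malicious (OEM and boot-manager MBRs trigger it too, which is why the Dell warning exists), and the repair is only safe because it touches nothing past byte 439. Run it against a real dump by replacing `SAMPLE_INFECTED_MBR` with the first 512 bytes of the dump file.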
  17. Chinikaylo

    Chinikaylo Newcomer, in training Topic Starter

    I have work soon, so I can't finish this. I will continue when I have free time again, thanks.
  18. Broni

    Broni Malware Annihilator Posts: 46,329   +252

    No problem :)