Solved Possible virus.patchload.o Infection?

Okay, I attempted to run the GMER utility. It ran for a period of time then disappeared as I described in the Malwarebytes example. Attempting to relaunch it brings up the same error message as before.

I tried rebooting the computer in safe mode and attempted to relaunch GMER again. The same error message came up. :(

Should I attempt Step 4?
 
I ran this in safe mode :)


.
DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
Internet Explorer: 6.0.2900.5512
Run by OEM at 17:31:35 on 2011-12-28
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1782 [GMT 13:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\3872222862:1905340953.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uURLSearchHooks: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
uWinlogon: Shell=c:\documents and settings\oem\local settings\application data\8e6ecde6\X
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Groove Folder Synchronization: {4da6114d-3366-1228-057d-509775e46fd4} - c:\windows\system32\Audiio3D.dll
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Ad-Aware Browsing Protection] "c:\documents and settings\all users\application data\ad-aware browsing protection\adawarebp.exe"
mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter4.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [ADSL_A2] A2Installed
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\oem\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adsldi~1.lnk - c:\windows\system32\mapiicon.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267652763921
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-12-12 64512]
S2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [2009-1-28 59776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [2010-9-19 20328]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-12-2 2152152]
S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\enigma~1\spyhun~1\SH4SER~1.EXE [2011-10-10 736672]
S2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys [2009-1-28 19456]
S2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kXbar.sys [2009-1-28 9600]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2011-3-31 23456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-3 135664]
S3 HVWINDR.SYS;HVWINDR.SYS;c:\documents and settings\oem\desktop\hvc alpha 2\hvwindr.sys [2009-8-1 205220]
S3 itexadsla2;ITeX ADSL PCI NIC Service;c:\windows\system32\drivers\TBCIwana.sys [2001-10-5 432640]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-12-2 15232]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2009-9-17 24416]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-12-28 02:33:26 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-12-28 02:00:42 48016 --sha-w- c:\windows\system32\c_23141.nl_
2011-12-28 01:52:59 82035 -c--a-w- c:\windows\system32\dllcache\fp4anscp.dll
2011-12-28 01:52:59 49210 -c--a-w- c:\windows\system32\dllcache\fp4areg.dll
2011-12-28 01:52:59 147513 -c--a-w- c:\windows\system32\dllcache\fp4apws.dll
2011-12-28 01:52:58 184435 -c--a-w- c:\windows\system32\dllcache\fp4amsft.dll
2011-12-28 01:52:57 46592 -c--a-w- c:\windows\system32\dllcache\coadmin.dll
2011-12-28 01:52:56 188480 -c--a-w- c:\windows\system32\dllcache\cfgwiz.exe
2011-12-28 01:52:55 20540 -c--a-w- c:\windows\system32\dllcache\author.dll
2011-12-28 01:52:55 16439 -c--a-w- c:\windows\system32\dllcache\author.exe
2011-12-28 01:52:54 43520 -c--a-w- c:\windows\system32\dllcache\admwprox.dll
2011-12-28 01:52:54 290816 -c--a-w- c:\windows\system32\dllcache\adsiis51.dll
2011-12-28 01:52:53 16439 -c--a-w- c:\windows\system32\dllcache\admin.exe
2011-12-28 01:52:51 20540 -c--a-w- c:\windows\system32\dllcache\admin.dll
2011-12-28 01:50:13 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe
2011-12-28 01:35:56 13312 ----a-w- c:\windows\system32\irclass.dll
2011-12-28 01:35:55 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-12-28 01:35:31 16535 ----a-r- c:\windows\SETC3.tmp
2011-12-28 01:35:24 1088840 ----a-r- c:\windows\SETB7.tmp
2011-12-28 01:35:21 1296669 ----a-r- c:\windows\SETB4.tmp
2011-12-27 14:49:46 -------- d-----w- C:\_OTL
2011-12-18 01:23:48 110080 ----a-r- c:\documents and settings\oem\application data\microsoft\installer\{1c7cc8e2-cfcf-41e6-a863-7c7a45ce8a78}\IconD7F16134.exe
2011-12-18 01:23:48 110080 ----a-r- c:\documents and settings\oem\application data\microsoft\installer\{1c7cc8e2-cfcf-41e6-a863-7c7a45ce8a78}\IconCF33A0CE.exe
2011-12-18 01:23:47 110080 ----a-r- c:\documents and settings\oem\application data\microsoft\installer\{1c7cc8e2-cfcf-41e6-a863-7c7a45ce8a78}\IconF7A21AF7.exe
2011-12-18 01:23:31 -------- d-----w- C:\sh4ldr
2011-12-18 01:23:31 -------- d-----w- c:\program files\Enigma Software Group
2011-12-18 01:21:18 -------- d-----w- c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP
2011-12-18 01:21:05 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2011-12-17 19:31:16 -------- d-----w- c:\documents and settings\oem\application data\MediaWmplay
2011-12-11 22:08:53 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-11 22:08:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-11 21:22:18 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-12-11 20:55:13 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-11 17:55:09 -------- d-----w- c:\documents and settings\oem\local settings\application data\adaware
2011-12-11 17:55:06 -------- d-----w- c:\documents and settings\all users\application data\Ad-Aware Browsing Protection
2011-12-11 17:55:04 -------- d-----w- c:\program files\Toolbar Cleaner
2011-12-11 17:55:01 -------- d-----w- c:\documents and settings\oem\application data\adawaretb
2011-12-11 17:54:59 -------- d-----w- c:\program files\adawaretb
2011-12-11 17:54:52 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-12-11 17:54:42 -------- d-----w- c:\program files\Lavasoft
.
==================== Find3M ====================
.
2011-11-11 19:57:32 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 17:34:36.53 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/28/2011 2:55:22 PM
System Uptime: 12/28/2011 5:16:11 PM (0 hours ago)
.
Motherboard: | | SiS-661
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | Socket 478 | 3006/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 1.147 GiB free.
D: is FIXED (NTFS) - 37 GiB total, 0.564 GiB free.
E: is FIXED (NTFS) - 37 GiB total, 0.408 GiB free.
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: SiS 900-Based PCI Fast Ethernet Adapter
Device ID: PCI\VEN_1039&DEV_0900&SUBSYS_0C56105B&REV_91\3&61AAA01&0&20
Manufacturer: SiS
Name: SiS 900-Based PCI Fast Ethernet Adapter
PNP Device ID: PCI\VEN_1039&DEV_0900&SUBSYS_0C56105B&REV_91\3&61AAA01&0&20
Service: SISNIC
.
==== System Restore Points ===================
.
RP1: 12/28/2011 3:03:29 PM - System Checkpoint
.
==== Installed Programs ======================
.
7-Zip 9.16 beta
Ad-Aware
Ad-Aware Security Toolbar
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 11 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.2
Adobe Stock Photos 1.0
ATI - Software Uninstall Utility
ATI AVIVO Codecs
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
ATI Parental Control & Encoder
ATI Problem Report Wizard
Brother HL-2040
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
Catalyst Control Center Localization All
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CPUID CPU-Z 1.55
DriverAgent by eSupport.com
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
IsoBuster 2.5
ITeX ADSL Software
MailWasher Pro
Malwarebytes' Anti-Malware version 1.51.2.1300
METAbolt
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft XML Parser
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MWSnap 3
Nero 6 Enterprise Edition
neroxml
Phoenix Viewer 1.5.2.1102
Realtek AC'97 Audio
SecondLife (remove only)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Side By Side Fix
Skins
Skype™ 4.0
SpyHunter
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
VCRedistSetup
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
WinFast Multimedia Driver Installation
WinRAR archiver
WinZip
Yahoo! Messenger
.
==== Event Viewer Messages From Past Week ========
.
12/28/2011 5:19:36 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Lavasoft Ad-Aware Service service to connect.
12/28/2011 5:19:36 PM, error: Service Control Manager [7000] - The Lavasoft Ad-Aware Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/28/2011 5:19:01 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12/28/2011 5:18:40 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/28/2011 2:59:27 PM, error: Setup [60055] - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.
12/28/2011 2:51:46 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SENS with arguments "" in order to run the server: {D3938AB0-5B9D-11D1-8DD2-00AA004ABD5E}
12/26/2011 9:16:22 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
12/26/2011 9:16:22 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/26/2011 9:16:22 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/26/2011 9:16:22 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/26/2011 9:16:22 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/26/2011 8:46:28 AM, error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error 2147952450 (0x80072742).
12/26/2011 8:44:59 AM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: A socket operation encountered a dead network.
12/26/2011 8:44:59 AM, error: Service Control Manager [7023] - The IPSEC Services service terminated with the following error: A socket operation encountered a dead network.
12/26/2011 8:44:59 AM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: %%2147952450
12/26/2011 8:44:59 AM, error: Service Control Manager [7000] - The WinFast TV2000 XP WDM Video Capture service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
12/26/2011 8:44:59 AM, error: Service Control Manager [7000] - The WinFast TV2000 XP WDM TVTuner service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
12/26/2011 8:44:59 AM, error: Service Control Manager [7000] - The WinFast TV2000 XP WDM Crossbar service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
.
==== End Of File ===========================
 
Please download DummyCreator.zip and unzip it.

  • Run the tool.
  • Copy and paste the following into the edit box:

C:\WINDOWS\3872222862

  • Press the Create button and post the content of the Result.txt.
Important: Restart the computer.
 
DummyCreator by Farbar
Ran by OEM (administrator) on 28-12-2011 at 18:02:10
**************************************************************

C:\WINDOWS\3872222862 [28-12-2011 18:02:10]

== End of log ==
 
Good :)

Download TDSSKiller and save it to your desktop.
  • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
 
I first rebooted the computer as per the DummyCreator final step. I rebooted in Safe Mode again. I ran TDSSKiller in Safe Mode, obviously; it asked me to reboot at completion, and I let the computer restart in normal mode. Here is the log ...

18:15:52.0640 1356 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
18:15:52.0671 1356 ============================================================
18:15:52.0671 1356 Current date / time: 2011/12/28 18:15:52.0671
18:15:52.0671 1356 SystemInfo:
18:15:52.0671 1356
18:15:52.0671 1356 OS Version: 5.1.2600 ServicePack: 3.0
18:15:52.0671 1356 Product type: Workstation
18:15:52.0671 1356 ComputerName: OEM-D6C1D17F45D
18:15:52.0671 1356 UserName: OEM
18:15:52.0671 1356 Windows directory: C:\WINDOWS
18:15:52.0671 1356 System windows directory: C:\WINDOWS
18:15:52.0671 1356 Processor architecture: Intel x86
18:15:52.0671 1356 Number of processors: 2
18:15:52.0671 1356 Page size: 0x1000
18:15:52.0671 1356 Boot type: Safe boot
18:15:52.0671 1356 ============================================================
18:15:56.0984 1356 Initialize success
18:16:20.0015 1376 ============================================================
18:16:20.0015 1376 Scan started
18:16:20.0015 1376 Mode: Manual;
18:16:20.0015 1376 ============================================================
18:16:21.0109 1376 .i8042prt - ok
18:16:21.0359 1376 8e6ecde6 ( Rootkit.Win32.PMax.gen ) - infected
18:16:21.0359 1376 8e6ecde6 - detected Rootkit.Win32.PMax.gen (0)
18:16:21.0750 1376 Abiosdsk - ok
18:16:22.0140 1376 abp480n5 - ok
18:16:22.0718 1376 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:16:22.0828 1376 ACPI - ok
18:16:23.0250 1376 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
18:16:23.0265 1376 ACPIEC - ok
18:16:23.0656 1376 adpu160m - ok
18:16:24.0187 1376 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
18:16:24.0281 1376 aec - ok
18:16:24.0812 1376 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys
18:16:24.0906 1376 AFD - ok
18:16:25.0281 1376 Aha154x - ok
18:16:25.0671 1376 aic78u2 - ok
18:16:26.0078 1376 aic78xx - ok
18:16:26.0765 1376 ALCXSENS (ba88534a3ceb6161e7432438b9ea4f54) C:\WINDOWS\system32\drivers\ALCXSENS.SYS
18:16:27.0031 1376 ALCXSENS - ok
18:16:27.0828 1376 ALCXWDM (9a6a99f0d75b457e3a2267776ebe9f47) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
18:16:28.0234 1376 ALCXWDM - ok
18:16:28.0640 1376 AliIde - ok
18:16:29.0031 1376 amsint - ok
18:16:29.0437 1376 asc - ok
18:16:29.0828 1376 asc3350p - ok
18:16:30.0218 1376 asc3550 - ok
18:16:30.0718 1376 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
18:16:30.0718 1376 AsyncMac - ok
18:16:31.0218 1376 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
18:16:31.0218 1376 atapi - ok
18:16:31.0593 1376 Atdisk - ok
18:16:34.0218 1376 ati2mtag (c06659ff381423d6cb19a91c2a2f80ad) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
18:16:36.0343 1376 ati2mtag - ok
18:16:36.0828 1376 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
18:16:36.0875 1376 Atmarpc - ok
18:16:37.0296 1376 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
18:16:37.0296 1376 audstub - ok
18:16:37.0734 1376 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
18:16:37.0734 1376 Beep - ok
18:16:38.0187 1376 BrPar (2fe6d5be0629f706197b30c0aa05de30) C:\WINDOWS\System32\drivers\BrPar.sys
18:16:38.0203 1376 BrPar - ok
18:16:38.0640 1376 BT848 (df863a3f97a8cbf9e7fbbc2a0854f582) C:\WINDOWS\system32\drivers\wf2kvcap.sys
18:16:38.0687 1376 BT848 - ok
18:16:39.0109 1376 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
18:16:39.0125 1376 cbidf2k - ok
18:16:39.0546 1376 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
18:16:39.0562 1376 CCDECODE - ok
18:16:39.0937 1376 cd20xrnt - ok
18:16:40.0375 1376 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
18:16:40.0390 1376 Cdaudio - ok
18:16:40.0859 1376 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
18:16:40.0906 1376 Cdfs - ok
18:16:41.0375 1376 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
18:16:41.0421 1376 Cdrom - ok
18:16:41.0796 1376 Changer - ok
18:16:42.0250 1376 CmdIde - ok
18:16:42.0687 1376 Cpqarray - ok
18:16:43.0125 1376 cpuz134 (75fa19142531cbf490770c2988a7db64) C:\WINDOWS\system32\drivers\cpuz134_x32.sys
18:16:43.0140 1376 cpuz134 - ok
18:16:43.0875 1376 ctaud2k (6ea735b0c96190d750be69b1deecd2ef) C:\WINDOWS\system32\drivers\ctaud2k.sys
18:16:44.0187 1376 ctaud2k - ok
18:16:44.0609 1376 ctljystk (71007bd2e1e26927fe3e4eb00c0beedf) C:\WINDOWS\system32\DRIVERS\ctljystk.sys
18:16:44.0625 1376 ctljystk - ok
18:16:45.0015 1376 dac2w2k - ok
18:16:45.0390 1376 dac960nt - ok
18:16:45.0875 1376 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
18:16:45.0890 1376 Disk - ok
18:16:46.0890 1376 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
18:16:47.0406 1376 dmboot - ok
18:16:47.0984 1376 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
18:16:48.0078 1376 dmio - ok
18:16:48.0546 1376 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
18:16:48.0546 1376 dmload - ok
18:16:49.0031 1376 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
18:16:49.0062 1376 DMusic - ok
18:16:49.0484 1376 dpti2o - ok
18:16:49.0890 1376 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
18:16:49.0906 1376 drmkaud - ok
18:16:50.0328 1376 DrvAgent32 (651554e483712b708ede864d0ca1aa73) C:\WINDOWS\system32\Drivers\DrvAgent32.sys
18:16:50.0343 1376 DrvAgent32 - ok
18:16:50.0921 1376 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
18:16:51.0015 1376 Fastfat - ok
18:16:51.0468 1376 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
18:16:51.0484 1376 Fdc - ok
18:16:51.0937 1376 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
18:16:51.0953 1376 Fips - ok
18:16:52.0390 1376 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
18:16:52.0406 1376 Flpydisk - ok
18:16:52.0906 1376 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
18:16:52.0984 1376 FltMgr - ok
18:16:53.0531 1376 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
18:16:53.0546 1376 Fs_Rec - ok
18:16:54.0062 1376 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
18:16:54.0140 1376 Ftdisk - ok
18:16:54.0562 1376 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
18:16:54.0578 1376 gameenum - ok
18:16:55.0015 1376 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
18:16:55.0046 1376 Gpc - ok
18:16:56.0031 1376 ha10kx2k (d5735f8a5809d5849b9ac4c0d9d4fdf9) C:\WINDOWS\system32\drivers\ha10kx2k.sys
18:16:56.0562 1376 ha10kx2k - ok
18:16:56.0984 1376 hpn - ok
18:16:57.0593 1376 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
18:16:57.0765 1376 HTTP - ok
18:16:58.0046 1376 HVWINDR.SYS (b2b72ed0b5091f83f4650c2193b1337f) C:\Documents and Settings\OEM\Desktop\hVC Alpha 2\HVWINDR.SYS
18:16:58.0140 1376 HVWINDR.SYS - ok
18:16:58.0546 1376 i2omgmt - ok
18:16:58.0937 1376 i2omp - ok
18:16:59.0390 1376 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
18:16:59.0421 1376 i8042prt - ok
18:16:59.0890 1376 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
18:16:59.0921 1376 Imapi - ok
18:17:00.0343 1376 ini910u - ok
18:17:00.0750 1376 IntelIde - ok
18:17:01.0187 1376 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
18:17:01.0203 1376 intelppm - ok
18:17:01.0656 1376 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
18:17:01.0687 1376 Ip6Fw - ok
18:17:02.0140 1376 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
18:17:02.0156 1376 IpFilterDriver - ok
18:17:02.0578 1376 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
18:17:02.0593 1376 IpInIp - ok
18:17:03.0125 1376 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
18:17:03.0218 1376 IpNat - ok
18:17:03.0687 1376 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
18:17:03.0750 1376 IPSec - ok
18:17:04.0171 1376 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
18:17:04.0187 1376 IRENUM - ok
18:17:04.0640 1376 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
18:17:04.0671 1376 isapnp - ok
18:17:05.0359 1376 itexadsla2 (1727a55f05b75ee0fa2826d6ef131699) C:\WINDOWS\system32\DRIVERS\TBCIwana.sys
18:17:05.0640 1376 itexadsla2 - ok
18:17:06.0046 1376 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
18:17:06.0062 1376 Kbdclass - ok
18:17:06.0609 1376 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
18:17:06.0718 1376 kmixer - ok
18:17:07.0218 1376 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
18:17:07.0281 1376 KSecDD - ok
18:17:07.0406 1376 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
18:17:07.0421 1376 Lavasoft Kernexplorer - ok
18:17:07.0921 1376 Lbd (336abe8721cbc3110f1c6426da633417) C:\WINDOWS\system32\DRIVERS\Lbd.sys
18:17:07.0953 1376 Lbd - ok
18:17:08.0359 1376 lbrtfdc - ok
18:17:08.0859 1376 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
18:17:08.0875 1376 mnmdd - ok
18:17:09.0328 1376 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
18:17:09.0343 1376 Modem - ok
18:17:09.0781 1376 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
18:17:09.0796 1376 Mouclass - ok
18:17:10.0234 1376 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
18:17:10.0265 1376 MountMgr - ok
18:17:10.0640 1376 mraid35x - ok
18:17:11.0187 1376 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
18:17:11.0312 1376 MRxDAV - ok
18:17:12.0046 1376 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
18:17:12.0328 1376 MRxSmb - ok
18:17:12.0781 1376 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
18:17:12.0796 1376 Msfs - ok
18:17:13.0234 1376 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
18:17:13.0234 1376 MSKSSRV - ok
18:17:13.0640 1376 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
18:17:13.0656 1376 MSPCLOCK - ok
18:17:14.0046 1376 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
18:17:14.0046 1376 MSPQM - ok
18:17:14.0484 1376 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
18:17:14.0500 1376 mssmbios - ok
18:17:14.0921 1376 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
18:17:14.0921 1376 MSTEE - ok
18:17:15.0406 1376 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
18:17:15.0484 1376 Mup - ok
18:17:15.0937 1376 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
18:17:16.0000 1376 NABTSFEC - ok
18:17:16.0562 1376 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
18:17:16.0687 1376 NDIS - ok
18:17:17.0125 1376 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
18:17:17.0125 1376 NdisIP - ok
18:17:17.0546 1376 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
18:17:17.0562 1376 NdisTapi - ok
18:17:17.0984 1376 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
18:17:18.0000 1376 Ndisuio - ok
18:17:18.0468 1376 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
18:17:18.0531 1376 NdisWan - ok
18:17:18.0953 1376 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
18:17:18.0984 1376 NDProxy - ok
18:17:19.0421 1376 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
18:17:19.0453 1376 NetBIOS - ok
18:17:19.0984 1376 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
18:17:20.0078 1376 NetBT - ok
18:17:20.0578 1376 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
18:17:20.0609 1376 Npfs - ok
18:17:21.0421 1376 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
18:17:21.0796 1376 Ntfs - ok
18:17:22.0234 1376 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
18:17:22.0234 1376 Null - ok
18:17:22.0671 1376 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
18:17:22.0687 1376 NwlnkFlt - ok
18:17:23.0125 1376 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
18:17:23.0140 1376 NwlnkFwd - ok
18:17:23.0656 1376 ossrv (360f39067fb3efb51c653cc2c9712d99) C:\WINDOWS\system32\drivers\ctoss2k.sys
18:17:23.0734 1376 ossrv - ok
18:17:24.0171 1376 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
18:17:24.0203 1376 P3 - ok
18:17:24.0671 1376 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
18:17:24.0718 1376 Parport - ok
18:17:25.0140 1376 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
18:17:25.0140 1376 PartMgr - ok
18:17:25.0546 1376 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
18:17:25.0562 1376 ParVdm - ok
18:17:26.0031 1376 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
18:17:26.0062 1376 PCI - ok
18:17:26.0453 1376 PCIDump - ok
18:17:26.0906 1376 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
18:17:26.0921 1376 PCIIde - ok
18:17:27.0437 1376 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
18:17:27.0515 1376 Pcmcia - ok
18:17:27.0937 1376 PDCOMP - ok
18:17:28.0328 1376 PDFRAME - ok
18:17:28.0718 1376 PDRELI - ok
18:17:29.0125 1376 PDRFRAME - ok
18:17:29.0515 1376 perc2 - ok
18:17:29.0906 1376 perc2hib - ok
18:17:30.0453 1376 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
18:17:30.0484 1376 PptpMiniport - ok
18:17:30.0968 1376 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
18:17:31.0015 1376 PSched - ok
18:17:31.0421 1376 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
18:17:31.0437 1376 Ptilink - ok
18:17:31.0828 1376 ql1080 - ok
18:17:32.0218 1376 Ql10wnt - ok
18:17:32.0609 1376 ql12160 - ok
18:17:33.0015 1376 ql1240 - ok
18:17:33.0406 1376 ql1280 - ok
18:17:33.0812 1376 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
18:17:33.0828 1376 RasAcd - ok
18:17:34.0281 1376 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
18:17:34.0312 1376 Rasl2tp - ok
18:17:34.0765 1376 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
18:17:34.0796 1376 RasPppoe - ok
18:17:35.0203 1376 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
18:17:35.0218 1376 Raspti - ok
18:17:35.0765 1376 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
18:17:35.0890 1376 Rdbss - ok
18:17:36.0281 1376 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
18:17:36.0296 1376 RDPCDD - ok
18:17:36.0843 1376 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
18:17:36.0968 1376 rdpdr - ok
18:17:37.0515 1376 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
18:17:37.0609 1376 RDPWD - ok
18:17:38.0062 1376 redbook (bf9b7ce7956c3af6df12be9b6365eea8) C:\WINDOWS\system32\DRIVERS\redbook.sys
18:17:38.0062 1376 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\redbook.sys. Real md5: bf9b7ce7956c3af6df12be9b6365eea8, Fake md5: f828dd7e1419b6653894a8f97a0094c5
18:17:38.0062 1376 redbook ( Rootkit.Win32.ZAccess.e ) - infected
18:17:38.0062 1376 redbook - detected Rootkit.Win32.ZAccess.e (0)
18:17:38.0484 1376 RegGuard (37ecebdd930395a9c399fb18a3c236d3) C:\WINDOWS\system32\Drivers\regguard.sys
18:17:38.0500 1376 RegGuard - ok
18:17:39.0031 1376 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
18:17:39.0046 1376 Secdrv - ok
18:17:39.0500 1376 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
18:17:39.0500 1376 serenum - ok
18:17:39.0968 1376 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
18:17:40.0015 1376 Serial - ok
18:17:40.0500 1376 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
18:17:40.0500 1376 Sfloppy - ok
18:17:40.0906 1376 Simbad - ok
18:17:41.0375 1376 SISAGP (61ca562def09a782d26b3e7edec5369a) C:\WINDOWS\system32\DRIVERS\SISAGPX.sys
18:17:41.0390 1376 SISAGP - ok
18:17:41.0843 1376 SISNIC (3fbb6ef8b5a71a2fa11f5f461bb73219) C:\WINDOWS\system32\DRIVERS\sisnic.sys
18:17:41.0859 1376 SISNIC - ok
18:17:42.0281 1376 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
18:17:42.0296 1376 SLIP - ok
18:17:42.0703 1376 Sparrow - ok
18:17:43.0140 1376 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
18:17:43.0140 1376 splitter - ok
18:17:43.0625 1376 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
18:17:43.0671 1376 sr - ok
18:17:44.0343 1376 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
18:17:44.0562 1376 Srv - ok
18:17:45.0000 1376 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
18:17:45.0015 1376 streamip - ok
18:17:45.0437 1376 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
18:17:45.0437 1376 swenum - ok
18:17:45.0890 1376 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
18:17:45.0921 1376 swmidi - ok
18:17:46.0328 1376 symc810 - ok
18:17:46.0718 1376 symc8xx - ok
18:17:47.0125 1376 sym_hi - ok
18:17:47.0515 1376 sym_u3 - ok
18:17:48.0000 1376 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
18:17:48.0031 1376 sysaudio - ok
18:17:48.0734 1376 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
18:17:48.0968 1376 Tcpip - ok
18:17:49.0375 1376 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
18:17:49.0390 1376 TDPIPE - ok
18:17:49.0812 1376 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
18:17:49.0828 1376 TDTCP - ok
18:17:50.0265 1376 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
18:17:50.0296 1376 TermDD - ok
18:17:50.0718 1376 TosIde - ok
18:17:51.0203 1376 tv2ktunr (dec0e131b20f36246549c0db2b23a677) C:\WINDOWS\system32\drivers\wf2ktunr.sys
18:17:51.0218 1376 tv2ktunr - ok
18:17:51.0625 1376 Tv2kXbar (53db0d251b022c034a1eb0b8b7264cc5) C:\WINDOWS\system32\drivers\wf2kxbar.sys
18:17:51.0640 1376 Tv2kXbar - ok
18:17:52.0093 1376 uagp35 (d85938f272d1bcf3db3a31fc0a048928) C:\WINDOWS\system32\DRIVERS\uagp35.sys
18:17:52.0125 1376 uagp35 - ok
18:17:52.0593 1376 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
18:17:52.0640 1376 Udfs - ok
18:17:53.0046 1376 ultra - ok
18:17:53.0734 1376 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
18:17:53.0984 1376 Update - ok
18:17:54.0468 1376 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
18:17:54.0500 1376 usbehci - ok
18:17:54.0953 1376 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
18:17:54.0984 1376 usbhub - ok
18:17:55.0421 1376 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
18:17:55.0437 1376 usbohci - ok
18:17:55.0859 1376 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
18:17:55.0890 1376 usbprint - ok
18:17:56.0312 1376 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:17:56.0312 1376 USBSTOR - ok
18:17:56.0750 1376 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
18:17:56.0765 1376 usbuhci - ok
18:17:57.0187 1376 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
18:17:57.0187 1376 VgaSave - ok
18:17:57.0640 1376 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
18:17:57.0656 1376 viaagp - ok
18:17:58.0078 1376 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
18:17:58.0078 1376 ViaIde - ok
18:17:58.0531 1376 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
18:17:58.0562 1376 VolSnap - ok
18:17:59.0046 1376 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
18:17:59.0062 1376 Wanarp - ok
18:17:59.0453 1376 WDICA - ok
18:17:59.0937 1376 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
18:18:00.0000 1376 wdmaud - ok
18:18:00.0640 1376 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
18:18:00.0656 1376 WSTCODEC - ok
18:18:01.0125 1376 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
18:18:01.0187 1376 WudfPf - ok
18:18:01.0640 1376 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
18:18:01.0687 1376 WudfRd - ok
18:18:01.0796 1376 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
18:18:02.0125 1376 \Device\Harddisk0\DR0 - ok
18:18:02.0140 1376 MBR (0x1B8) (08b26729634452d0c2889c002b1bb97c) \Device\Harddisk1\DR6
18:18:02.0218 1376 \Device\Harddisk1\DR6 - ok
18:18:02.0234 1376 Boot (0x1200) (efacb4d1b5059efb8c6c2abf05610e58) \Device\Harddisk0\DR0\Partition0
18:18:02.0250 1376 \Device\Harddisk0\DR0\Partition0 - ok
18:18:02.0281 1376 Boot (0x1200) (24eef166046c2aa98024a4c47632b1e7) \Device\Harddisk0\DR0\Partition1
18:18:02.0281 1376 \Device\Harddisk0\DR0\Partition1 - ok
18:18:02.0312 1376 Boot (0x1200) (cb4ebfc7839fc5a37b5ebb9fcb99ca60) \Device\Harddisk0\DR0\Partition2
18:18:02.0312 1376 \Device\Harddisk0\DR0\Partition2 - ok
18:18:02.0328 1376 Boot (0x1200) (b8026ec61f8dc128371c7a72d4375fdf) \Device\Harddisk1\DR6\Partition0
18:18:02.0328 1376 \Device\Harddisk1\DR6\Partition0 - ok
18:18:02.0343 1376 ============================================================
18:18:02.0343 1376 Scan finished
18:18:02.0343 1376 ============================================================
18:18:02.0390 1368 Detected object count: 2
18:18:02.0390 1368 Actual detected object count: 2
18:18:46.0859 1368 HKLM\SYSTEM\ControlSet001\services\8e6ecde6 - will be deleted on reboot
18:18:46.0890 1368 HKLM\SYSTEM\ControlSet002\services\8e6ecde6 - will be deleted on reboot
18:18:46.0921 1368 C:\WINDOWS\3872222862:1905340953.exe - will be deleted on reboot
18:18:46.0921 1368 8e6ecde6 ( Rootkit.Win32.PMax.gen ) - User select action: Delete
18:18:47.0968 1368 Backup copy found, using it..
18:18:48.0015 1368 C:\WINDOWS\system32\DRIVERS\redbook.sys - will be cured on reboot
18:19:00.0578 1368 C:\WINDOWS\system32\c_23141.nls - will be deleted on reboot
18:19:01.0000 1368 C:\WINDOWS\system32\c_23141.nl_ - will be deleted on reboot
18:19:02.0750 1368 C:\WINDOWS\system32\c_285933.nls - will be deleted on reboot
18:19:21.0203 1368 redbook ( Rootkit.Win32.ZAccess.e ) - User select action: Cure
18:19:45.0796 1352 Deinitialize success
 
Restart in normal mode.

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

Then see if you can update and run MBAM (normal mode would be preferred).
 
RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB9605000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 5300224 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xBF19B000 C:\WINDOWS\System32\ati3duag.dll 4096000 bytes (ATI Technologies Inc. , ati3duag.dll)
0xBF583000 C:\WINDOWS\System32\ativvaxx.dll 2379776 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2260992 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2260992 bytes
0x804D7000 RAW 2260992 bytes
0x804D7000 WMIxWDM 2260992 bytes
0xBF800000 Win32k 1847296 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1847296 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB953A000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 606208 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))
0xF7B52000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xBF062000 C:\WINDOWS\System32\ati2cqag.dll 561152 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xA87C9000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xBF0EB000 C:\WINDOWS\System32\atikvmag.dll 446464 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xB9426000 C:\WINDOWS\system32\DRIVERS\TBCIwana.sys 434176 bytes (ITeX, NDIS 4.0/5.0 ADSL driver)
0xB94B4000 C:\WINDOWS\system32\drivers\ALCXSENS.SYS 401408 bytes (Sensaura, Sensaura WDM 3D Audio Driver)
0xB8B58000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA88FC000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xA5F66000 C:\WINDOWS\system32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 327680 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xBF158000 C:\WINDOWS\System32\atiok3x2.dll 274432 bytes (ATI Technologies Inc., Ring 0 x2 component)
0xA5AA2000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB8BB6000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF75A8000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xA60F8000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF7424000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xA8839000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xA88AC000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF74B2000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xA8886000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA5E15000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xB9516000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB9490000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB95CE000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA8864000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806FF000 ACPI_HAL 134400 bytes
0x806FF000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF747A000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF74D8000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xBA746000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF749A000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xA86BD000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7451000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB93FB000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xA5E39000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB9412000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB95F1000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA8955000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7468000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7597000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB93EA000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xBA7D0000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA780000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA0EC000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xBA760000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF7647000 Lbd.sys 61440 bytes (Lavasoft AB, Boot Driver)
0xBA770000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA5ECE000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF76B7000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF7637000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA0DC000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA0CC000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF7617000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA0AC000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF7557000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7607000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA0BC000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF7667000 uagp35.sys 45056 bytes (Microsoft Corporation, MS AGPv3.5 Filter)
0xF7657000 viaagp.sys 45056 bytes (Microsoft Corporation, VIA NT AGP Filter)
0xF75F7000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA07C000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7677000 SISAGPX.sys 40960 bytes (Silicon Integrated Systems Corporation, SiS AGPv3.5 Filter)
0xBA08C000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xA61CD000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xF7627000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xBA790000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA09C000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF7587000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF76F7000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF774F000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF77C7000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF77D7000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xF7707000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF7797000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF77E7000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF77DF000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF773F000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7757000 C:\WINDOWS\System32\drivers\BrPar.sys 20480 bytes (Brother Industries Ltd., Brother Parallel class Driver version 1.01)
0xF781F000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xF7747000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF770F000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF77F7000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF77FF000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xF77EF000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF77BF000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xF779F000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xA61F1000 C:\WINDOWS\system32\drivers\cpuz134_x32.sys 16384 bytes (Windows (R) Win 7 DDK provider, CPUID Driver)
0xBA6F6000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA6429000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA716000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF7897000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB8B44000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xBA712000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA014000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF79B5000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF798D000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF79CF000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF79B3000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7987000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF79B7000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF79A3000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xF79B9000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF79AB000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF79AF000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF798B000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF7989000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7A51000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7A71000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7ABF000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A4F000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
 
Attempting to run MBAM brings up the same "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." box on the screen.

Should I download the latest copy of MBAM and updated rules to a USB stick and reinstall it that way?
 
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.

**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Hi Broni, I may have screwed this up. :( I haven't been able to reestablish my internet connection on the infected computer yet as my saved settings were wiped when I ran the repair windows step earlier. I launched the Combofix as per your instructions but am now stuck with Combofix wanting to access the internet to install the Recovery Console.

Am I able to cancel out of Combofix, figure out my internet connection, reboot the machine and run the same Combofix.exe file saved on the desktop?
 
Skip recovery console installation for now.
Give me Combofix log and see what you can do about your connection.
Let me know if you need any help there.
 
ComboFix 11-12-28.03 - OEM 12/29/2011 12:33:35.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1635 [GMT 13:00]
Running from: c:\documents and settings\OEM\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\OEM\WINDOWS
c:\windows\$NtUninstallKB48247$
c:\windows\$NtUninstallKB48247$\2389626342\@
c:\windows\$NtUninstallKB48247$\2389626342\L\oetpsktr
c:\windows\$NtUninstallKB48247$\2540838901
c:\windows\3872222862
c:\windows\system32\
c:\windows\system32\drivers\ROTSCXQIRIDMRF.SYS.del
c:\windows\system32\SET14.tmp
c:\windows\system32\SET15.tmp
.
Infected copy of c:\program files\Lavasoft\Ad-Aware\AAWService.exe was found and disinfected
Restored copy from - c:\program files\Lavasoft\Ad-Aware\
.
c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE . . . is infected!!
c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE . . . was deleted!! You should re-install the program it pertains to
.
Infected copy of c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe was found and disinfected
Restored copy from - c:\program files\Common Files\Ulead Systems\DVD\
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_.i8042prt
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))
.
.
2011-12-28 01:53 . 2001-08-23 12:00 45568 -c--a-w- c:\windows\system32\dllcache\browscap.dll
2011-12-28 01:52 . 2003-03-24 03:52 82035 -c--a-w- c:\windows\system32\dllcache\fp4anscp.dll
2011-12-28 01:52 . 2003-03-24 03:52 49210 -c--a-w- c:\windows\system32\dllcache\fp4areg.dll
2011-12-28 01:52 . 2003-03-24 03:52 147513 -c--a-w- c:\windows\system32\dllcache\fp4apws.dll
2011-12-28 01:52 . 2004-05-12 11:39 184435 -c--a-w- c:\windows\system32\dllcache\fp4amsft.dll
2011-12-28 01:52 . 2008-04-13 16:41 46592 -c--a-w- c:\windows\system32\dllcache\coadmin.dll
2011-12-28 01:52 . 2003-03-24 03:52 188480 -c--a-w- c:\windows\system32\dllcache\cfgwiz.exe
2011-12-28 01:52 . 2003-03-24 03:52 20540 -c--a-w- c:\windows\system32\dllcache\author.dll
2011-12-28 01:52 . 2003-03-24 03:52 16439 -c--a-w- c:\windows\system32\dllcache\author.exe
2011-12-28 01:52 . 2008-04-13 16:41 43520 -c--a-w- c:\windows\system32\dllcache\admwprox.dll
2011-12-28 01:52 . 2008-04-13 16:41 290816 -c--a-w- c:\windows\system32\dllcache\adsiis51.dll
2011-12-28 01:52 . 2003-03-24 03:52 16439 -c--a-w- c:\windows\system32\dllcache\admin.exe
2011-12-28 01:52 . 2003-03-24 03:52 20540 -c--a-w- c:\windows\system32\dllcache\admin.dll
2011-12-28 01:50 . 2001-08-23 12:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2011-12-28 01:35 . 2001-08-23 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2011-12-28 01:35 . 2001-08-23 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-12-28 01:35 . 2008-04-13 18:34 16535 ----a-r- c:\windows\SETC3.tmp
2011-12-28 01:35 . 2008-04-13 18:34 1088840 ----a-r- c:\windows\SETB7.tmp
2011-12-28 01:35 . 2008-04-13 18:40 1296669 ----a-r- c:\windows\SETB4.tmp
2011-12-27 14:49 . 2011-12-27 14:49 -------- d-----w- C:\_OTL
2011-12-18 01:23 . 2011-12-18 01:23 110080 ----a-r- c:\documents and settings\OEM\Application Data\Microsoft\Installer\{1C7CC8E2-CFCF-41E6-A863-7C7A45CE8A78}\IconD7F16134.exe
2011-12-18 01:23 . 2011-12-18 01:23 110080 ----a-r- c:\documents and settings\OEM\Application Data\Microsoft\Installer\{1C7CC8E2-CFCF-41E6-A863-7C7A45CE8A78}\IconCF33A0CE.exe
2011-12-18 01:23 . 2011-12-18 01:23 110080 ----a-r- c:\documents and settings\OEM\Application Data\Microsoft\Installer\{1C7CC8E2-CFCF-41E6-A863-7C7A45CE8A78}\IconF7A21AF7.exe
2011-12-18 01:23 . 2011-12-18 01:24 -------- d-----w- C:\sh4ldr
2011-12-18 01:23 . 2011-12-18 01:23 -------- d-----w- c:\program files\Enigma Software Group
2011-12-18 01:21 . 2011-12-18 01:23 -------- d-----w- c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP
2011-12-18 01:21 . 2011-12-18 01:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-12-18 00:15 . 2011-12-18 00:15 -------- d-s---w- c:\documents and settings\LocalService\UserData
2011-12-17 21:49 . 2011-12-17 22:22 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\adawaretb
2011-12-17 19:31 . 2011-12-17 21:41 -------- d-----w- c:\documents and settings\OEM\Application Data\MediaWmplay
2011-12-11 22:08 . 2011-12-11 22:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-11 22:08 . 2011-08-31 04:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-11 21:22 . 2011-12-11 18:02 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-12-11 20:55 . 2011-12-11 18:02 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-11 17:55 . 2011-12-11 17:55 -------- d-----w- c:\documents and settings\OEM\Local Settings\Application Data\adaware
2011-12-11 17:55 . 2011-12-11 17:55 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Sunbelt Software
2011-12-11 17:55 . 2011-12-11 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection
2011-12-11 17:55 . 2011-12-11 17:55 -------- d-----w- c:\program files\Toolbar Cleaner
2011-12-11 17:55 . 2011-12-18 01:51 -------- d-----w- c:\documents and settings\OEM\Application Data\adawaretb
2011-12-11 17:54 . 2011-12-11 17:55 -------- d-----w- c:\program files\adawaretb
2011-12-11 17:54 . 2011-12-01 18:49 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-12-11 17:54 . 2011-12-11 17:54 -------- d-----w- c:\program files\Lavasoft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-28 05:20 . 2008-10-08 18:57 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-11-11 19:57 . 2011-05-15 20:19 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-11-29 86696]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2011-11-29 19:15 86696 ----a-w- c:\program files\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-11-29 86696]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-30 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ADSL_A2"="A2Installed" [X]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-08 155648]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-10 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2011-11-14 197288]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter4.exe" [2011-10-10 4712864]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 65024]
.
c:\documents and settings\OEM\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ADSL Diagnostic Tools.LNK - c:\windows\system32\mapiicon.exe [2001-10-5 377856]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Phoenix Viewer\\SLVoice.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\METAbolt\\METAbolt Auto Updater.exe"=
"c:\\Program Files\\METAbolt\\METAbolt.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\adawaretb\\dtUser.exe"=
"c:\\Program Files\\Phoenix Viewer\\SLPlugin.exe"=
"c:\\Program Files\\Phoenix Viewer\\PhoenixViewer.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Ad-Aware Browsing Protection\\adawarebp.exe"=
"c:\\Documents and Settings\\OEM\\Desktop\\SpyHunter-Installer.exe"=
"c:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter4.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/12/2011 6:54 AM 64512]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [9/19/2010 12:07 PM 20328]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/29/2011 12:49 PM 2152152]
R3 itexadsla2;ITeX ADSL PCI NIC Service;c:\windows\system32\drivers\TBCIwana.sys [10/5/2001 6:00 PM 432640]
S2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [1/28/2009 2:36 PM 59776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 8:21 AM 135664]
S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE --> c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [?]
S2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys [1/28/2009 2:36 PM 19456]
S2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kXbar.sys [1/28/2009 2:36 PM 9600]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [3/31/2011 5:59 PM 23456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 8:21 AM 135664]
S3 HVWINDR.SYS;HVWINDR.SYS;c:\documents and settings\OEM\Desktop\hVC Alpha 2\hvwindr.sys [8/1/2009 3:10 PM 205220]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/2/2011 7:49 AM 15232]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [9/17/2009 6:27 PM 24416]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:42 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-12-01 18:02]
.
2011-12-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-30 04:16]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 19:21]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 19:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{4DA6114D-3366-1228-057D-509775E46FD4} - c:\windows\system32\Audiio3D.dll
HKU-Default-RunOnce-tscuninstall - c:\windows\system32\tscupgrd.exe
SafeBoot-72274489.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-29 12:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(484)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2440)
c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\SOUNDMAN.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2011-12-29 13:05:58 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-29 00:05
.
Pre-Run: 1,139,183,616 bytes free
Post-Run: 2,959,613,952 bytes free
.
- - End Of File - - 66C80B56512D5E6C27F14C24B4C2A04D
 
Run the fix listed below and then see if you can fix your internet connection.
Let me know.

1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\SETC3.tmp
c:\windows\SETB7.tmp
c:\windows\SETB4.tmp
c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP


Folder::

Driver::

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
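As an added example (not code from this thread, from ComboFix or from its author), a Python script that parses the "Files Created" and "Reg Loading Points" sections of a ComboFix log like the ones posted above, flags the two weakened settings the log shows (AntiVirusOverride=1, EnableFirewall=0) and the stray SET*.tmp / GUID.TMP entries sitting directly in c:\windows, and assembles a CFScript in the same File::/Registry:: layout used in this post. The sample log lines are copied from the thread; all function names are my own.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample: a handful of lines copied from the ComboFix log posted in
# this thread (Files Created and Reg Loading Points sections), trimmed for brevity.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-28 )))))))))))))))))))))))))))))))
.
2011-12-28 01:35 . 2008-04-13 18:34 16535 ----a-r- c:\windows\SETC3.tmp
2011-12-28 01:35 . 2008-04-13 18:34 1088840 ----a-r- c:\windows\SETB7.tmp
2011-12-18 01:21 . 2011-12-18 01:23 -------- d-----w- c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP
2011-12-11 22:08 . 2011-08-31 04:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
"""


class FileEntry(NamedTuple):
    created: str            # "YYYY-MM-DD HH:MM" the entry appeared on disk
    modified: str           # file's own modification timestamp
    size: Optional[int]     # None for directories (ComboFix prints "--------")
    attrs: str              # attribute flags, e.g. "----a-w-" or "d-----w-"
    path: str


# "<created> . <modified> <size|--------> <attrs> <path>"
FILE_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) (\S+) (\S+) (.+)$")
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"=\s*(.+)$')

# Registry keys of interest, lower-cased because ComboFix mixes the case itself.
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
FW_STD_PROFILE = r"hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile"

# A single path component directly under c:\windows ending in .tmp (SETxx.tmp, <hex>.TMP).
WINDIR_STRAY = re.compile(r"^c:\\windows\\[^\\]+\.tmp$", re.IGNORECASE)


def parse_combofix_log(text: str) -> Tuple[List[FileEntry], Dict[str, Dict[str, str]]]:
    """Return (file entries, {registry key: {value name: raw value}}) from a ComboFix log."""
    files: List[FileEntry] = []
    registry: Dict[str, Dict[str, str]] = {}
    section, current_key = None, None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("(((("):                  # section banner
            if "Files Created" in line:
                section = "files"
            elif "Reg Loading Points" in line:
                section = "registry"
            else:
                section = None                       # Find3M, Other Deletions, ...
            continue
        if line in ("", "."):
            continue
        if section == "files":
            m = FILE_LINE.match(line)
            if m:
                size = None if m.group(3) == "--------" else int(m.group(3))
                files.append(FileEntry(m.group(1), m.group(2), size, m.group(4), m.group(5)))
        elif section == "registry":
            m = REG_KEY.match(line)
            if m:
                current_key = m.group(1).lower()
                registry.setdefault(current_key, {})
                continue
            m = REG_VALUE.match(line)
            if m and current_key is not None:
                registry[current_key][m.group(1)] = m.group(2)
    return files, registry


def reg_int(raw: str) -> Optional[int]:
    """Decode ComboFix's two DWORD renderings: 'dword:00000001' and '0 (0x0)'."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)", raw)
    return int(m.group(1)) if m else None


def weak_settings(registry: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag the Security Center / firewall values that malware commonly flips."""
    findings = []
    sc = registry.get(SECURITY_CENTER, {})
    if reg_int(sc.get("AntiVirusOverride", "dword:0")) == 1:
        findings.append("AntiVirusOverride=1: Security Center no longer warns about missing AV")
    fw = registry.get(FW_STD_PROFILE, {})
    if reg_int(fw.get("EnableFirewall", "1")) == 0:
        findings.append("EnableFirewall=0: Windows Firewall is off for the standard profile")
    return findings


def stray_windows_temp(files: List[FileEntry]) -> List[str]:
    """Installer leftovers dropped straight into c:\\windows, as targeted by the File:: list above."""
    return [f.path for f in files if WINDIR_STRAY.match(f.path)]


def build_cfscript(files: List[FileEntry], registry: Dict[str, Dict[str, str]]) -> str:
    """Assemble a CFScript in the same section layout the thread uses."""
    lines = ["File::"] + stray_windows_temp(files)
    lines += ["", "Folder::", "", "Driver::", "", "Registry::"]
    if any(f.startswith("AntiVirusOverride") for f in weak_settings(registry)):
        lines += ["[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]",
                  '"AntiVirusOverride"=dword:00000000']   # restore Security Center monitoring
    lines += ["", "ClearJavaCache::", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    entries, reg = parse_combofix_log(SAMPLE_LOG)
    for finding in weak_settings(reg):
        print("WEAK:", finding)
    print(build_cfscript(entries, reg))
```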
 
ComboFix 11-12-28.03 - OEM 12/29/2011 13:33:02.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1392 [GMT 13:00]
Running from: c:\documents and settings\OEM\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\OEM\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
FILE ::
"c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP"
"c:\windows\SETB4.tmp"
"c:\windows\SETB7.tmp"
"c:\windows\SETC3.tmp"
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-29 )))))))))))))))))))))))))))))))
.
.
2011-12-28 02:33 . 2011-12-28 02:33 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-12-28 01:52 . 2003-03-24 03:52 82035 -c--a-w- c:\windows\system32\dllcache\fp4anscp.dll
2011-12-28 01:52 . 2003-03-24 03:52 49210 -c--a-w- c:\windows\system32\dllcache\fp4areg.dll
2011-12-28 01:52 . 2003-03-24 03:52 147513 -c--a-w- c:\windows\system32\dllcache\fp4apws.dll
2011-12-28 01:52 . 2004-05-12 11:39 184435 -c--a-w- c:\windows\system32\dllcache\fp4amsft.dll
2011-12-28 01:52 . 2008-04-13 16:41 46592 -c--a-w- c:\windows\system32\dllcache\coadmin.dll
2011-12-28 01:52 . 2003-03-24 03:52 188480 -c--a-w- c:\windows\system32\dllcache\cfgwiz.exe
2011-12-28 01:52 . 2003-03-24 03:52 20540 -c--a-w- c:\windows\system32\dllcache\author.dll
2011-12-28 01:52 . 2003-03-24 03:52 16439 -c--a-w- c:\windows\system32\dllcache\author.exe
2011-12-28 01:52 . 2008-04-13 16:41 43520 -c--a-w- c:\windows\system32\dllcache\admwprox.dll
2011-12-28 01:52 . 2008-04-13 16:41 290816 -c--a-w- c:\windows\system32\dllcache\adsiis51.dll
2011-12-28 01:52 . 2003-03-24 03:52 16439 -c--a-w- c:\windows\system32\dllcache\admin.exe
2011-12-28 01:52 . 2003-03-24 03:52 20540 -c--a-w- c:\windows\system32\dllcache\admin.dll
2011-12-28 01:50 . 2001-08-23 12:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2011-12-28 01:35 . 2001-08-23 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2011-12-28 01:35 . 2001-08-23 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-12-28 01:35 . 2008-04-13 18:34 16535 ----a-r- c:\windows\SETC3.tmp
2011-12-28 01:35 . 2008-04-13 18:34 1088840 ----a-r- c:\windows\SETB7.tmp
2011-12-28 01:35 . 2008-04-13 18:40 1296669 ----a-r- c:\windows\SETB4.tmp
2011-12-27 14:49 . 2011-12-27 14:49 -------- d-----w- C:\_OTL
2011-12-18 01:23 . 2011-12-18 01:23 110080 ----a-r- c:\documents and settings\OEM\Application Data\Microsoft\Installer\{1C7CC8E2-CFCF-41E6-A863-7C7A45CE8A78}\IconD7F16134.exe
2011-12-18 01:23 . 2011-12-18 01:23 110080 ----a-r- c:\documents and settings\OEM\Application Data\Microsoft\Installer\{1C7CC8E2-CFCF-41E6-A863-7C7A45CE8A78}\IconCF33A0CE.exe
2011-12-18 01:23 . 2011-12-18 01:23 110080 ----a-r- c:\documents and settings\OEM\Application Data\Microsoft\Installer\{1C7CC8E2-CFCF-41E6-A863-7C7A45CE8A78}\IconF7A21AF7.exe
2011-12-18 01:23 . 2011-12-18 01:24 -------- d-----w- C:\sh4ldr
2011-12-18 01:23 . 2011-12-18 01:23 -------- d-----w- c:\program files\Enigma Software Group
2011-12-18 01:21 . 2011-12-18 01:23 -------- d-----w- c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP
2011-12-18 01:21 . 2011-12-18 01:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-12-18 00:15 . 2011-12-18 00:15 -------- d-s---w- c:\documents and settings\LocalService\UserData
2011-12-17 21:49 . 2011-12-17 22:22 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\adawaretb
2011-12-17 19:31 . 2011-12-17 21:41 -------- d-----w- c:\documents and settings\OEM\Application Data\MediaWmplay
2011-12-11 22:08 . 2011-12-11 22:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-11 22:08 . 2011-08-31 04:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-11 21:22 . 2011-12-11 18:02 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-12-11 20:55 . 2011-12-11 18:02 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-11 17:55 . 2011-12-11 17:55 -------- d-----w- c:\documents and settings\OEM\Local Settings\Application Data\adaware
2011-12-11 17:55 . 2011-12-11 17:55 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Sunbelt Software
2011-12-11 17:55 . 2011-12-11 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection
2011-12-11 17:55 . 2011-12-11 17:55 -------- d-----w- c:\program files\Toolbar Cleaner
2011-12-11 17:55 . 2011-12-18 01:51 -------- d-----w- c:\documents and settings\OEM\Application Data\adawaretb
2011-12-11 17:54 . 2011-12-11 17:55 -------- d-----w- c:\program files\adawaretb
2011-12-11 17:54 . 2011-12-01 18:49 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-12-11 17:54 . 2011-12-11 17:54 -------- d-----w- c:\program files\Lavasoft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-28 05:20 . 2008-10-08 18:57 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-11-11 19:57 . 2011-05-15 20:19 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-11-29 86696]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2011-11-29 19:15 86696 ----a-w- c:\program files\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-11-29 86696]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-30 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ADSL_A2"="A2Installed" [X]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-08 155648]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-10 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2011-11-14 197288]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter4.exe" [2011-10-10 4712864]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 65024]
.
c:\documents and settings\OEM\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ADSL Diagnostic Tools.LNK - c:\windows\system32\mapiicon.exe [2001-10-5 377856]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Phoenix Viewer\\SLVoice.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\METAbolt\\METAbolt Auto Updater.exe"=
"c:\\Program Files\\METAbolt\\METAbolt.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\adawaretb\\dtUser.exe"=
"c:\\Program Files\\Phoenix Viewer\\SLPlugin.exe"=
"c:\\Program Files\\Phoenix Viewer\\PhoenixViewer.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Ad-Aware Browsing Protection\\adawarebp.exe"=
"c:\\Documents and Settings\\OEM\\Desktop\\SpyHunter-Installer.exe"=
"c:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter4.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/12/2011 6:54 AM 64512]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [9/19/2010 12:07 PM 20328]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/29/2011 12:49 PM 2152152]
R3 itexadsla2;ITeX ADSL PCI NIC Service;c:\windows\system32\drivers\TBCIwana.sys [10/5/2001 6:00 PM 432640]
S2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [1/28/2009 2:36 PM 59776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 8:21 AM 135664]
S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE --> c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [?]
S2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys [1/28/2009 2:36 PM 19456]
S2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kXbar.sys [1/28/2009 2:36 PM 9600]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [3/31/2011 5:59 PM 23456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 8:21 AM 135664]
S3 HVWINDR.SYS;HVWINDR.SYS;c:\documents and settings\OEM\Desktop\hVC Alpha 2\hvwindr.sys [8/1/2009 3:10 PM 205220]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/2/2011 7:49 AM 15232]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [9/17/2009 6:27 PM 24416]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:42 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-12-01 18:02]
.
2011-12-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-30 04:16]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 19:21]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 19:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-29 13:45
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(484)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2232)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-12-29 13:49:07
ComboFix-quarantined-files.txt 2011-12-29 00:49
ComboFix2.txt 2011-12-29 00:06
.
Pre-Run: 2,962,817,024 bytes free
Post-Run: 2,951,348,224 bytes free
.
- - End Of File - - C4A432BD666EE7EEFD0336BE73911B55
 
Okay, will do. I think it's a simple forgotten password issue and I will need to contact my ISP Help Desk to check that out. If it's something more sinister, I will come back to you to help with that too!

:D
 
Whatever "matrix" is....LOL

1. Re-run Combofix one more time. Allow recovery console installation. Post the new log.

2. Update MBAM, run "Quick scan". Post its log.

3. Let me know how the computer is doing.

4. Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
ComboFix 11-12-28.03 - OEM 12/29/2011 16:39:40.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1443 [GMT 13:00]
Running from: c:\documents and settings\OEM\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-29 )))))))))))))))))))))))))))))))
.
.
2011-12-28 02:33 . 2011-12-28 02:33 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-12-28 01:52 . 2003-03-24 03:52 82035 -c--a-w- c:\windows\system32\dllcache\fp4anscp.dll
2011-12-28 01:52 . 2003-03-24 03:52 49210 -c--a-w- c:\windows\system32\dllcache\fp4areg.dll
2011-12-28 01:52 . 2003-03-24 03:52 147513 -c--a-w- c:\windows\system32\dllcache\fp4apws.dll
2011-12-28 01:52 . 2004-05-12 11:39 184435 -c--a-w- c:\windows\system32\dllcache\fp4amsft.dll
2011-12-28 01:52 . 2008-04-13 16:41 46592 -c--a-w- c:\windows\system32\dllcache\coadmin.dll
2011-12-28 01:52 . 2003-03-24 03:52 188480 -c--a-w- c:\windows\system32\dllcache\cfgwiz.exe
2011-12-28 01:52 . 2003-03-24 03:52 20540 -c--a-w- c:\windows\system32\dllcache\author.dll
2011-12-28 01:52 . 2003-03-24 03:52 16439 -c--a-w- c:\windows\system32\dllcache\author.exe
2011-12-28 01:52 . 2008-04-13 16:41 43520 -c--a-w- c:\windows\system32\dllcache\admwprox.dll
2011-12-28 01:52 . 2008-04-13 16:41 290816 -c--a-w- c:\windows\system32\dllcache\adsiis51.dll
2011-12-28 01:52 . 2003-03-24 03:52 16439 -c--a-w- c:\windows\system32\dllcache\admin.exe
2011-12-28 01:52 . 2003-03-24 03:52 20540 -c--a-w- c:\windows\system32\dllcache\admin.dll
2011-12-28 01:50 . 2001-08-23 12:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2011-12-28 01:35 . 2001-08-23 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2011-12-28 01:35 . 2001-08-23 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-12-28 01:35 . 2008-04-13 18:34 16535 ----a-r- c:\windows\SETC3.tmp
2011-12-28 01:35 . 2008-04-13 18:34 1088840 ----a-r- c:\windows\SETB7.tmp
2011-12-28 01:35 . 2008-04-13 18:40 1296669 ----a-r- c:\windows\SETB4.tmp
2011-12-27 14:49 . 2011-12-27 14:49 -------- d-----w- C:\_OTL
2011-12-18 01:23 . 2011-12-18 01:23 110080 ----a-r- c:\documents and settings\OEM\Application Data\Microsoft\Installer\{1C7CC8E2-CFCF-41E6-A863-7C7A45CE8A78}\IconD7F16134.exe
2011-12-18 01:23 . 2011-12-18 01:23 110080 ----a-r- c:\documents and settings\OEM\Application Data\Microsoft\Installer\{1C7CC8E2-CFCF-41E6-A863-7C7A45CE8A78}\IconCF33A0CE.exe
2011-12-18 01:23 . 2011-12-18 01:23 110080 ----a-r- c:\documents and settings\OEM\Application Data\Microsoft\Installer\{1C7CC8E2-CFCF-41E6-A863-7C7A45CE8A78}\IconF7A21AF7.exe
2011-12-18 01:23 . 2011-12-18 01:24 -------- d-----w- C:\sh4ldr
2011-12-18 01:23 . 2011-12-18 01:23 -------- d-----w- c:\program files\Enigma Software Group
2011-12-18 01:21 . 2011-12-18 01:23 -------- d-----w- c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP
2011-12-18 01:21 . 2011-12-18 01:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-12-18 00:15 . 2011-12-18 00:15 -------- d-s---w- c:\documents and settings\LocalService\UserData
2011-12-17 21:49 . 2011-12-17 22:22 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\adawaretb
2011-12-17 19:31 . 2011-12-17 21:41 -------- d-----w- c:\documents and settings\OEM\Application Data\MediaWmplay
2011-12-11 22:08 . 2011-12-11 22:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-11 22:08 . 2011-08-31 04:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-11 21:22 . 2011-12-11 18:02 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-12-11 20:55 . 2011-12-11 18:02 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-11 17:55 . 2011-12-11 17:55 -------- d-----w- c:\documents and settings\OEM\Local Settings\Application Data\adaware
2011-12-11 17:55 . 2011-12-11 17:55 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Sunbelt Software
2011-12-11 17:55 . 2011-12-11 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection
2011-12-11 17:55 . 2011-12-11 17:55 -------- d-----w- c:\program files\Toolbar Cleaner
2011-12-11 17:55 . 2011-12-18 01:51 -------- d-----w- c:\documents and settings\OEM\Application Data\adawaretb
2011-12-11 17:54 . 2011-12-11 17:55 -------- d-----w- c:\program files\adawaretb
2011-12-11 17:54 . 2011-12-01 18:49 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-12-11 17:54 . 2011-12-11 17:54 -------- d-----w- c:\program files\Lavasoft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-28 05:20 . 2008-10-08 18:57 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-11-11 19:57 . 2011-05-15 20:19 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-11-29 86696]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2011-11-29 19:15 86696 ----a-w- c:\program files\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-11-29 86696]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-30 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ADSL_A2"="A2Installed" [X]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-08 155648]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-08-31 1047208]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-10 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2011-11-14 197288]
"SpyHunter Security Suite"="c:\program files\Enigma Software Group\SpyHunter\SpyHunter4.exe" [2011-10-10 4712864]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 65024]
.
c:\documents and settings\OEM\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
ADSL Diagnostic Tools.LNK - c:\windows\system32\mapiicon.exe [2001-10-5 377856]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Phoenix Viewer\\SLVoice.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\METAbolt\\METAbolt Auto Updater.exe"=
"c:\\Program Files\\METAbolt\\METAbolt.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\adawaretb\\dtUser.exe"=
"c:\\Program Files\\Phoenix Viewer\\SLPlugin.exe"=
"c:\\Program Files\\Phoenix Viewer\\PhoenixViewer.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Ad-Aware Browsing Protection\\adawarebp.exe"=
"c:\\Documents and Settings\\OEM\\Desktop\\SpyHunter-Installer.exe"=
"c:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter4.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [12/12/2011 6:54 AM 64512]
R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [9/19/2010 12:07 PM 20328]
R3 itexadsla2;ITeX ADSL PCI NIC Service;c:\windows\system32\drivers\TBCIwana.sys [10/5/2001 6:00 PM 432640]
S2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [1/28/2009 2:36 PM 59776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 8:21 AM 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/29/2011 12:49 PM 2152152]
S2 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE --> c:\progra~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [?]
S2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys [1/28/2009 2:36 PM 19456]
S2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kXbar.sys [1/28/2009 2:36 PM 9600]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [3/31/2011 5:59 PM 23456]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/3/2010 8:21 AM 135664]
S3 HVWINDR.SYS;HVWINDR.SYS;c:\documents and settings\OEM\Desktop\hVC Alpha 2\hvwindr.sys [8/1/2009 3:10 PM 205220]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [9/17/2009 6:27 PM 24416]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [4/14/2008 5:42 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - Lavasoft Kernexplorer
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-12-01 18:02]
.
2011-12-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-30 04:16]
.
2011-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 19:21]
.
2011-12-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-02 19:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: Interfaces\{D60D6B9F-6E55-4AC7-803F-BB70AD7BCE1F}: NameServer = 202.27.158.40 202.27.156.72
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-29 16:49
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(480)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(2828)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-12-29 16:52:42
ComboFix-quarantined-files.txt 2011-12-29 03:52
ComboFix2.txt 2011-12-29 00:49
ComboFix3.txt 2011-12-29 00:06
.
Pre-Run: 2,919,034,880 bytes free
Post-Run: 2,908,983,296 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 7BE461E2E39F7ED193C407779E67B88D
 
MBAM still does not run with the same error message as noted last time. Should I delete the current installation of MBAM and reinstall?

The computer appears to be behaving okay thus far, which doesn't fill me with a great deal of confidence, given all the nasty stuff you have been finding so far. :)

I haven't run the OTL step yet while I await your thoughts on the MBAM failure.
 
1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility.
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from here.

If the same problem persists....

Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/


  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • Super should automatically update the program definitions. If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
  • Close SUPERAntiSpyware.
Restart the computer in Safe Mode.
To enter Safe Mode, restart the computer and keep tapping the F8 key until the menu appears; pick Safe Mode; you'll see "Safe Mode" in all four corners of your screen.

  • Open SUPERAntiSpyware.
  • Click on "Preferences" button.
  • Click the "Scanning Control" tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
  • Click the "Home" button to leave the control center screen.
  • Back on the main screen checkmark "Complete scan" and click "Scan your computer".
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Post SUPERAntiSpyware log.
 