TechSpot

Redirecting websites to ads in firefox, IE, google chrome, random pop up

Solved
By sunbeam08
Dec 17, 2010
  1. Random ads pop up in new tabs at random times without clicking on anything. Links from Google searches are redirected to a different website with ads.

    I have run Malwarebytes, Sophos, Norton Anti-Virus and AVG. None have cleared the problem. I'm not very computer literate. Detailed instructions would be much appreciated. Thank you.
     
  2. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    Welcome aboard

    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. sunbeam08

    sunbeam08 TS Rookie Topic Starter Posts: 78

    Here's the Malwarebytes log. It says no malicious items were detected.



    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5346

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/17/2010 5:46:53 PM
    mbam-log-2010-12-17 (17-46-53).txt

    Scan type: Quick scan
    Objects scanned: 185667
    Time elapsed: 6 minute(s), 58 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  4. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    Go on.....
     
  5. sunbeam08

    sunbeam08 TS Rookie Topic Starter Posts: 78

    I'm on to the next step. However, I don't understand this instruction:

    "Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver."

    I know this is a dumb question, but what does 'real-time active protection' refer to? Where do you disable the firewall? Is there just one of them?

    Thanks.
     
  6. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    You don't want to disable your firewall.
    Your AV program being disabled should do.
     
  7. sunbeam08

    sunbeam08 TS Rookie Topic Starter Posts: 78

    Step 5: What is considered 'script blocking protection'?
     
  8. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    Mostly Spybot and Windows Defender. Do you use any of those?
     
  9. sunbeam08

    sunbeam08 TS Rookie Topic Starter Posts: 78

    Spybot, but I already disabled that. Is it recommended to use Spybot? I'm not even sure what it does, since I cannot really differentiate which ones to allow and which ones not to allow. I must be the most comp-illiterate blogger you have on this site. Thanks for the tip, will go on to the next step now.
     
  10. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    No worries. We're here to help :)

    Spybot is rather a tool of the past, so you won't miss anything if you uninstall it.
     
  11. sunbeam08

    sunbeam08 TS Rookie Topic Starter Posts: 78

    GMER seems not to have posted. Here's the log:


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-12-17 18:33:09
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST9500420AS rev.0002SDM1
    Running: d4ox7wnw.exe; Driver: C:\DOCUME~1\camron\LOCALS~1\Temp\kwroyfoc.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 03: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sectors 976772912 (+255): rootkit-like behavior;

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A4A7292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A4A7292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8A4A7292

    AttachedDevice \FileSystem\Ntfs \Ntfs savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST9500420AS_____________________________0002SDM1#5&2c06044&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----
     
     
  12. sunbeam08

    sunbeam08 TS Rookie Topic Starter Posts: 78

    DDS.txt



    DDS (Ver_10-12-12.02) - NTFSx86
    Run by camron at 18:36:07.39 on Fri 12/17/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.625 [GMT -8:00]

    AV: Sophos Anti-Virus *Disabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
    AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

    ============== Running Processes ===============

    C:\Program Files\Common Files\Virtual Token\vtserver.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\system32\IPSSVC.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\lxddcoms.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
    C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe
    C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe
    C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe
    C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
    C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe
    C:\WINDOWS\system32\acs.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
    C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
    C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
    C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\camron\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
    uStart Page = hxxp://www.google.com/
    uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    BHO: AutorunsDisabled - No File
    BHO: URLRedirectionBHO - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [LPManager] c:\progra~1\thinkv~2\prdctr\LPMGR.exe
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [DiskeeperSystray] "c:\program files\diskeeper corporation\diskeeper\DkIcon.exe"
    mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
    mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [DiscWizardMonitor.exe] c:\program files\seagate\discwizard\DiscWizardMonitor.exe
    mRun: [AcronisTimounterMonitor] c:\program files\seagate\discwizard\TimounterMonitor.exe
    mRun: [Seagate Scheduler2 Service] "c:\program files\common files\seagate\schedule2\schedhlp.exe"
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
    IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\PkgMgr.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.yorkphoto.com/YorkActivia.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxp://sunbeam08.multiply.com/photos/uploader.cab
    DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.2/jinstall-142-win.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: ACNotify - ACNotify.dll
    Notify: igfxcui - igfxdev.dll
    Notify: psfus - c:\program files\thinkvantage fingerprint software\psfus.dll
    Notify: tpfnf2 - notifyf2.dll
    Notify: tphotkey - tphklock.dll
    AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
    LSA: Authentication Packages = msv1_0 relog_ap
    LSA: Notification Packages = scecli csspwntfy

    ============= SERVICES / DRIVERS ===============

    R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2009-8-30 111232]
    R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2009-8-30 38912]
    R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
    R2 PrivateDisk;PrivateDisk;c:\program files\ibm thinkvantage\safeguard privatedisk\privatediskm.sys [2005-6-28 46142]
    R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\rosettastoneltdservices\RosettaStoneDaemon.exe [2009-9-3 444224]
    R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2009-10-5 80936]
    R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2008-11-18 98304]
    R2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\common files\seagate\schedule2\schedul2.exe [2009-10-16 431456]
    R2 smi2;smi2;c:\program files\smi2\smi2.sys [2005-8-2 3968]
    R2 SmiHlp;SMI helper driver;c:\program files\thinkvantage fingerprint software\smihlp.sys [2005-7-12 3328]
    R3 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2010-5-27 172032]
    R3 swmx01;Sierra Wireless USB MUX Driver (#01);c:\windows\system32\drivers\swmx01.sys [2005-8-5 57728]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-29 135664]
    S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2010-11-1 99248]
    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2009-10-29 30603640]
    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2009-9-26 4639136]
    S3 SWNC5E01;Sierra Wireless MUX NDIS Driver (#01);c:\windows\system32\drivers\SWNC5E01.sys [2005-8-5 73600]
    S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2009-8-30 14976]

    =============== Created Last 30 ================

    2010-12-18 01:38:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-18 01:38:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-18 01:38:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-17 19:53:19 -------- d-----w- c:\docume~1\camron\applic~1\Avira
    2010-12-15 04:54:17 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG
    2010-12-13 01:55:54 -------- d-sh--w- c:\documents and settings\camron\IECompatCache
    2010-12-13 01:31:00 -------- d-sh--w- c:\documents and settings\camron\PrivacIE
    2010-12-13 01:25:34 -------- d-sh--w- c:\documents and settings\camron\IETldCache
    2010-12-13 01:13:09 -------- dc-h--w- c:\windows\ie8
    2010-12-10 04:27:54 -------- d-----w- c:\docume~1\camron\applic~1\AVG10
    2010-12-10 04:26:46 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
    2010-12-10 04:25:28 -------- d-----w- c:\windows\system32\drivers\AVG
    2010-12-10 04:25:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
    2010-12-10 04:24:42 -------- d-----w- c:\program files\AVG
    2010-12-10 04:09:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
    2010-12-02 03:26:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-12-02 03:26:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-12-02 03:26:03 133432520 ----a-w- c:\program files\Ad-AwareInstall.exe
    2010-12-02 03:21:59 16409960 ----a-w- c:\program files\spybotsd162.exe
    2010-12-02 03:18:36 7622112 ----a-w- c:\program files\mbam-setup-1.50.0.0.exe
    2010-12-01 07:30:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
    2010-12-01 07:30:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
    2010-11-24 23:22:53 6153352 ----a-w- c:\program files\malware-setup-1.46.exe

    ==================== Find3M ====================

    2010-12-12 23:47:08 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
    2007-02-12 17:17:30 1286944 ------w- c:\program files\SetupAnyDVD6114.exe
    2006-12-03 20:28:42 6083152 ------w- c:\program files\SightSpeedInstall.exe
    2006-11-29 22:53:06 739240 ------w- c:\program files\vnc-4_1_2-x86_win32.exe
    2006-10-30 18:16:16 482288 ------w- c:\program files\YorkPhotoShow.exe
    2006-09-05 10:30:45 3800811 ------w- c:\program files\wace265i.exe
    2003-04-22 15:46:52 2719744 ------w- c:\program files\aiodrv.msi
    2003-04-22 15:42:04 2588672 ------w- c:\program files\aiosw.msi
    2003-03-10 02:30:44 184320 ----a-w- c:\program files\hpzscr07.dll
    2003-03-10 02:30:42 274432 ----a-w- c:\program files\hpzglu07.exe
    2003-03-10 02:30:42 237568 ----a-w- c:\program files\hpzc3212.dll
    2002-09-09 23:48:20 22608 ----a-w- c:\program files\usbprint.sys
    2002-09-09 23:48:12 12288 ----a-w- c:\program files\usbmon.dll
    2002-09-09 23:47:52 254005 ----a-w- c:\program files\msvcrt.dll
    2002-09-09 23:47:44 70656 ----a-w- c:\program files\msvcirt.dll
    2002-09-09 23:47:00 212992 ----a-w- c:\program files\hpzpnp07.dll
    2002-09-09 23:46:50 49212 ----a-w- c:\program files\hpzjvp01.dll
    2002-09-09 23:46:42 249913 ----a-w- c:\program files\hpzjut01.dll
    2002-09-09 23:46:32 417849 ----a-w- c:\program files\hpzjpp01.dll
    2002-09-09 23:46:24 28722 ----a-w- c:\program files\hpzjlog.dll
    2002-09-06 15:54:56 995383 ----a-w- c:\program files\MFC42.DLL

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST9500420AS rev.0002SDM1 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A4A7446]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a4ad504]; MOV EAX, [0x8a4ad580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8A50BAB8]
    3 CLASSPNP[0xBA0F8FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000008c[0x8A5859E8]
    5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8A4C3D98]
    \Driver\atapi[0x8A4EE2C0] -> IRP_MJ_CREATE -> 0x8A4A7446
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST9500420AS_____________________________0002SDM1#5&2c06044&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A4A7292
    user != kernel MBR !!!
    sectors 976773166 (+255): user != kernel
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

    ============= FINISH: 18:37:39.75 ===============
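The GMER "Disk sectors" lines in post 11 and the DDS ROOTKIT section in post 12 together carry the indicators that make this a TDL4 case, even though Malwarebytes, Sophos, Norton and AVG all came back clean: the MBR read through the normal user-mode path differs from the one the kernel reads ("user != kernel MBR"), the atapi driver's DriverStartIo entry and its IRP_MJ_CREATE handler point into an unknown module in the disk I/O path (the same 0x8A4A7292 / 0x8A4A7446 addresses in both tools' output), and a run of 255 sectors at the very tail of the 500 GB disk is flagged, which is where TDL4 keeps its own hidden file system. The script below is an added example written for this thread; it is not part of GMER, DDS, mbr.exe or TechSpot's cleaning procedure. It pulls those indicators out of log lines like the ones posted and gives a verdict. The sample input is excerpted verbatim from the two logs above; the one clean-run line ("user & kernel MBR OK") is a constructed stand-in and an assumption about mbr.exe's wording, not something from the thread. Needs Python 3.8 or later.

```python
"""Pull MBR-rootkit indicators out of GMER / DDS (mbr.exe) log lines.

Added example for this thread; not part of GMER, DDS or the TechSpot
cleaning steps. Sample lines are excerpted from the posted logs, plus one
constructed clean-run line.
"""
import re
from dataclasses import dataclass, field

# Excerpt of the GMER "Disk sectors" / "Devices" lines and the DDS ROOTKIT
# section from the posts above, used verbatim as sample input.
SAMPLE_LOG = r"""
Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 976772912 (+255): rootkit-like behavior;
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A4A7292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A4A7292
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A4A7446]<<
\Driver\atapi[0x8A4EE2C0] -> IRP_MJ_CREATE -> 0x8A4A7446
\Driver\atapi DriverStartIo -> 0x8A4A7292
user != kernel MBR !!!
sectors 976773166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
"""

# Constructed stand-in for a clean run (assumed mbr.exe wording when the two
# MBR reads agree); not taken from the thread.
CLEAN_LOG = "user & kernel MBR OK\n"

# GMER: "Disk <dev> sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT"
SECTOR_RE = re.compile(
    r"^Disk (\\Device\\\S+) sectors? (\d+)(?: \(\+(\d+)\))?(?: \((MBR)\))?: "
    r"rootkit-like behavior;(?: (\w+) <-- ROOTKIT)?")
# GMER/DDS: a driver entry point (DriverStartIo, IRP_MJ_*) redirected to an address
HOOK_RE = re.compile(
    r"(\\Driver\\\w+).*?\b(DriverStartIo|IRP_MJ_\w+)\b.*?(?:0x)?([0-9A-F]{8})\s*$", re.I)
# DDS: sector range where the user-mode read and the kernel read differ
MISMATCH_RE = re.compile(r"^sectors (\d+) \(\+(\d+)\): user != kernel")
# DDS: an unnamed module in the disk I/O call chain
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-F]+)\]<<", re.I)
NAME_RE = re.compile(r"\b(TDL4|TDL3|Mebroot|Sinowal)\b", re.I)


@dataclass
class RootkitFindings:
    mbr_mismatch: bool = False
    named_rootkits: set = field(default_factory=set)
    flagged_sectors: list = field(default_factory=list)  # (start, count, is_mbr)
    hidden_ranges: list = field(default_factory=list)    # (start, count), user != kernel
    hooks: list = field(default_factory=list)            # (driver, routine, address)
    unknown_modules: list = field(default_factory=list)  # addresses in the disk I/O path

    def verdict(self) -> str:
        mbr_hit = self.mbr_mismatch or any(is_mbr for _, _, is_mbr in self.flagged_sectors)
        if mbr_hit:
            names = ", ".join(sorted(self.named_rootkits)) or "unidentified"
            return f"MBR rootkit ({names}): user-mode and kernel MBR reads disagree"
        if self.hooks or self.unknown_modules:
            return "suspicious: disk I/O path hooked by an unknown module"
        return "no MBR rootkit indicators"


def parse_rootkit_log(text: str) -> RootkitFindings:
    """Classify each log line by the first pattern it matches."""
    f = RootkitFindings()
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTOR_RE.match(line):
            _dev, start, count, mbr, name = m.groups()
            f.flagged_sectors.append((int(start), int(count or 1), mbr == "MBR"))
            if name:
                f.named_rootkits.add(name.upper())
        elif m := MISMATCH_RE.match(line):
            f.hidden_ranges.append((int(m.group(1)), int(m.group(2))))
        elif "user != kernel MBR" in line:
            f.mbr_mismatch = True
        elif m := UNKNOWN_RE.search(line):
            f.unknown_modules.append(m.group(1))
        elif m := HOOK_RE.search(line):
            drv, routine, addr = m.groups()
            f.hooks.append((drv, routine, addr.upper()))
        elif (m := NAME_RE.search(line)) and "infection" in line.lower():
            # the "detector 0.4.2" banner names every family; only count a name
            # when the tool actually reports an infection
            f.named_rootkits.add(m.group(1).upper())
    return f


if __name__ == "__main__":
    for label, log in (("thread logs", SAMPLE_LOG), ("clean run", CLEAN_LOG)):
        found = parse_rootkit_log(log)
        print(f"{label}: {found.verdict()}")
        for drv, routine, addr in found.hooks:
            print(f"  hook  {drv} {routine} -> {addr}")
        for start, count in found.hidden_ranges:
            print(f"  hidden sectors {start} (+{count})")
```

The point of the `verdict()` ordering is that the MBR comparison, not the signature scanners, is the decisive test here: a bootkit that loads before Windows controls every read the OS makes of sector 0, so only a tool that reads the disk through a second path and compares (which is what GMER and mbr.exe do) sees the difference. That is also why the on-access scanners in the log all report clean.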
     
  13. sunbeam08

    sunbeam08 TS Rookie Topic Starter Posts: 78

    Attach.txt



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 5/24/2006 10:49:37 PM
    System Uptime: 12/17/2010 5:28:28 PM (1 hours ago)

    Motherboard: IBM | | 25137BU
    Processor: Intel(R) Pentium(R) M processor 1.86GHz | None | 1862/533mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 100 GiB total, 27.016 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is FIXED (NTFS) - 294 GiB total, 231.461 GiB free.
    G: is FIXED (NTFS) - 51 GiB total, 12.681 GiB free.

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Broadcom NetXtreme Gigabit Ethernet
    Device ID: PCI\VEN_14E4&DEV_167D&SUBSYS_05771014&REV_11\4&111A1FD8&0&00E0
    Manufacturer: Broadcom
    Name: Broadcom NetXtreme Gigabit Ethernet
    PNP Device ID: PCI\VEN_14E4&DEV_167D&SUBSYS_05771014&REV_11\4&111A1FD8&0&00E0
    Service: b57w2k

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 11a/b/g Wireless LAN Mini PCI Express Adapter
    Device ID: PCI\VEN_168C&DEV_1014&SUBSYS_058A1014&REV_01\4&275FD39B&0&00E3
    Manufacturer: Atheros Communications Inc
    Name: 11a/b/g Wireless LAN Mini PCI Express Adapter
    PNP Device ID: PCI\VEN_168C&DEV_1014&SUBSYS_058A1014&REV_01\4&275FD39B&0&00E3
    Service: AR5211

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Sierra Wireless 1xEV-DO Network Adapter
    Device ID: SWMUXBUS\SW_NETEVDO01\6&12C83729&0&0&2
    Manufacturer: Sierra Wireless
    Name: Sierra Wireless 1xEV-DO Network Adapter
    PNP Device ID: SWMUXBUS\SW_NETEVDO01\6&12C83729&0&0&2
    Service: SWNC5E01

    ==== System Restore Points ===================

    RP647: 9/20/2010 4:15:18 PM - System Checkpoint
    RP648: 9/21/2010 7:14:20 PM - System Checkpoint
    RP649: 9/22/2010 9:25:17 PM - System Checkpoint
    RP650: 9/23/2010 9:46:39 PM - System Checkpoint
    RP651: 9/25/2010 7:49:50 PM - System Checkpoint
    RP652: 9/26/2010 8:32:40 PM - System Checkpoint
    RP653: 9/28/2010 4:02:49 PM - System Checkpoint
    RP654: 9/29/2010 8:56:33 PM - System Checkpoint
    RP655: 9/30/2010 8:20:55 AM - Software Distribution Service 3.0
    RP656: 10/1/2010 10:38:14 AM - System Checkpoint
    RP657: 10/3/2010 7:38:03 AM - System Checkpoint
    RP658: 10/4/2010 4:47:51 PM - System Checkpoint
    RP659: 10/5/2010 5:16:43 PM - System Checkpoint
    RP660: 10/7/2010 8:28:54 AM - Software Distribution Service 3.0
    RP661: 10/8/2010 8:35:43 PM - System Checkpoint
    RP662: 10/10/2010 4:06:27 PM - System Checkpoint
    RP663: 10/12/2010 5:11:02 PM - System Checkpoint
    RP664: 10/13/2010 7:37:01 AM - Software Distribution Service 3.0
    RP665: 10/14/2010 9:45:06 AM - System Checkpoint
    RP666: 10/15/2010 10:32:11 AM - System Checkpoint
    RP667: 10/16/2010 8:15:01 PM - System Checkpoint
    RP668: 10/17/2010 9:50:24 PM - System Checkpoint
    RP669: 10/19/2010 8:31:09 AM - System Checkpoint
    RP670: 10/20/2010 11:56:19 AM - System Checkpoint
    RP671: 10/21/2010 2:16:25 PM - System Checkpoint
    RP672: 10/23/2010 11:45:44 PM - System Checkpoint
    RP673: 10/27/2010 4:49:40 PM - System Checkpoint
    RP674: 10/31/2010 5:05:39 PM - System Checkpoint
    RP675: 11/1/2010 6:03:28 PM - System Checkpoint
    RP676: 11/2/2010 7:33:17 PM - System Checkpoint
    RP677: 11/4/2010 8:31:10 AM - System Checkpoint
    RP678: 11/8/2010 9:56:27 PM - System Checkpoint
    RP679: 11/11/2010 6:33:50 AM - Software Distribution Service 3.0
    RP680: 11/12/2010 4:18:55 PM - System Checkpoint
    RP681: 11/14/2010 7:36:06 PM - System Checkpoint
    RP682: 11/16/2010 5:05:23 AM - System Checkpoint
    RP683: 11/17/2010 7:57:13 PM - System Checkpoint
    RP684: 11/18/2010 8:02:19 PM - System Checkpoint
    RP685: 11/20/2010 2:56:29 PM - System Checkpoint
    RP686: 11/21/2010 3:16:10 PM - System Checkpoint
    RP687: 11/22/2010 6:43:47 PM - System Checkpoint
    RP688: 11/23/2010 7:23:39 PM - System Checkpoint
    RP689: 11/24/2010 8:54:54 PM - System Checkpoint
    RP690: 11/27/2010 5:09:39 PM - System Checkpoint
    RP691: 11/28/2010 10:12:07 PM - System Checkpoint
    RP692: 11/30/2010 6:24:02 PM - System Checkpoint
    RP693: 12/2/2010 5:45:13 PM - System Checkpoint
    RP694: 12/7/2010 7:21:03 PM - System Checkpoint
    RP695: 12/9/2010 6:22:48 PM - System Checkpoint
    RP696: 12/12/2010 7:11:44 PM - System Checkpoint
    RP697: 12/17/2010 10:12:36 AM - Avira AntiVir Personal - 12/17/2010 10:11
    RP698: 12/17/2010 2:27:57 PM - Removed AVG 2011
    RP699: 12/17/2010 2:28:36 PM - Removed AVG 2011

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    AAC Decoder
    Access Help
    Adobe Acrobat 6.0 Standard
    Adobe AIR
    Adobe Atmosphere Player for Acrobat and Adobe Reader
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.1
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Software Update
    Before You Know It 3.6
    Bonjour
    Byki
    Byki Express for camron
    Canon MP160
    Coupon Printer for Windows
    Diskeeper Lite
    DivX Codec
    DivX Converter
    DivX Player
    DivX Plus DirectShow Filters
    DivX Version Checker
    DivX Web Player
    DLA
    Facebook Plug-In
    Fingerprint Tutorial
    Garmin City Navigator North America NT 2010.20
    Garmin Communicator Plugin
    Garmin USB Drivers
    Google Chrome
    Google Talk Plugin
    Google Toolbar for Internet Explorer
    Google Update Helper
    Google Updater
    H.264 Decoder
    Help Center
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    HP Photo and Imaging 2.0 - All-in-One
    HP Photo and Imaging 2.0 - All-in-One Drivers
    HP Photo and Imaging 2.0 - hp psc 1200 series
    hp psc 1200 series
    IBM 32-bit Runtime Environment for Java 2, v1.4.2
    Intel(R) Graphics Media Accelerator Driver for Mobile
    InterVideo WinDVD
    InterVideo WinDVD Creator 3
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 20
    Lenovo Battery Program
    Lexmark 2500 Series
    Logitech QuickCam Driver Package
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2000 SR-1 Premium
    Microsoft Office Access MUI (English) 2010 (Beta)
    Microsoft Office Access Setup Metadata MUI (English) 2010 (Beta)
    Microsoft Office Excel MUI (English) 2010 (Beta)
    Microsoft Office Groove MUI (English) 2010 (Beta)
    Microsoft Office InfoPath MUI (English) 2010 (Beta)
    Microsoft Office OneNote MUI (English) 2010 (Beta)
    Microsoft Office Outlook MUI (English) 2010 (Beta)
    Microsoft Office PowerPoint MUI (English) 2010 (Beta)
    Microsoft Office Professional Plus 2010
    Microsoft Office Professional Plus 2010 (Beta)
    Microsoft Office Proof (English) 2010 (Beta)
    Microsoft Office Proof (French) 2010 (Beta)
    Microsoft Office Proof (Spanish) 2010 (Beta)
    Microsoft Office Proofing (English) 2010 (Beta)
    Microsoft Office Publisher MUI (English) 2010 (Beta)
    Microsoft Office Shared MUI (English) 2010 (Beta)
    Microsoft Office Shared Setup Metadata MUI (English) 2010 (Beta)
    Microsoft Office Word MUI (English) 2010 (Beta)
    Microsoft Software Update for Web Folders (English) 14 (Beta)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MKV Splitter
    Monopoly by Parker Brothers
    Move Media Player
    MSVCRT
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    palmOne
    Photosynth 2.0.1519.16
    Productivity Center Supplement for ThinkPad
    QuickTime
    RealPlayer
    RecordNow Audio
    RecordNow Copy
    RecordNow Data
    Rescue and Recovery - Client Security Solution
    Rosetta Stone Ltd Services
    Seagate*DiscWizard
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office 2010 File Validation - Beta (KB976133)
    Security Update for Windows Internet Explorer 7 (KB2183461)
    Security Update for Windows Internet Explorer 7 (KB2360131)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Segoe UI
    Sierra Wireless MC5720 Package for Access Connections
    Skype™ 4.2
    Software Installer
    Sonic Express Labeler
    Sonic Update Manager
    Sophos Anti-Virus
    Sophos AutoUpdate
    SoundMAX
    Spelling Dictionaries Support For Adobe Reader 9
    Spybot - Search & Destroy
    System Migration Assistant 5.0
    ThinkPad Bluetooth with Enhanced Data Rate Software
    ThinkPad Configuration
    ThinkPad EasyEject Utility
    ThinkPad FullScreen Magnifier
    ThinkPad Hotkey Features Setup
    ThinkPad Keyboard Customizer Utility
    ThinkPad Modem
    ThinkPad PC Card Power Policy
    ThinkPad Power Management Driver
    ThinkPad Power Manager
    ThinkPad Presentation Director
    ThinkPad UltraNav Driver
    ThinkPad UltraNav Wizard
    ThinkPad Wireless LAN Adapters Software (11a/b, 11b/g, 11a/b/g)
    ThinkVantage Access Connections
    ThinkVantage Active Protection System
    ThinkVantage Away Manager
    ThinkVantage Fingerprint Software 4.6.0
    ThinkVantage Productivity Center
    ThinkVantage System Update
    ThinkVantage Technologies Welcome Message
    TrackPoint Accessibility Features
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    VC80CRTRedist - 8.0.50727.762
    VZAccess Manager for Lenovo
    Wallpapers
    WebFldrs XP
    WinAce Archiver
    Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Service Pack 3
    XP Codec Pack
    XP Themes
    YouTube Downloader 2.6.1

    ==== Event Viewer Messages From Past Week ========

    12/17/2010 2:58:22 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    12/17/2010 2:58:21 PM, error: Service Control Manager [7034] - The TVT Scheduler service terminated unexpectedly. It has done this 1 time(s).
    12/17/2010 2:58:21 PM, error: Service Control Manager [7034] - The TVT Backup Service service terminated unexpectedly. It has done this 1 time(s).
    12/17/2010 2:58:21 PM, error: Service Control Manager [7034] - The ThinkVantage System Update service terminated unexpectedly. It has done this 1 time(s).
    12/17/2010 2:58:21 PM, error: Service Control Manager [7034] - The ThinkPad PM Service service terminated unexpectedly. It has done this 1 time(s).
    12/17/2010 2:58:21 PM, error: Service Control Manager [7034] - The ThinkPad HDD APS Logging Service service terminated unexpectedly. It has done this 1 time(s).
    12/17/2010 2:58:21 PM, error: Service Control Manager [7034] - The Sophos Anti-Virus status reporter service terminated unexpectedly. It has done this 1 time(s).
    12/17/2010 2:58:21 PM, error: Service Control Manager [7034] - The Seagate Scheduler2 Service service terminated unexpectedly. It has done this 1 time(s).
    12/17/2010 2:58:21 PM, error: Service Control Manager [7034] - The RosettaStoneDaemon service terminated unexpectedly. It has done this 1 time(s).
    12/17/2010 2:58:21 PM, error: Service Control Manager [7034] - The Protector Suite Virtual Token service terminated unexpectedly. It has done this 1 time(s).
    12/17/2010 2:58:21 PM, error: Service Control Manager [7034] - The lxdd_device service terminated unexpectedly. It has done this 1 time(s).
    12/17/2010 2:58:21 PM, error: Service Control Manager [7034] - The IPS Core Service service terminated unexpectedly. It has done this 1 time(s).
    12/17/2010 2:58:21 PM, error: Service Control Manager [7034] - The IBM KCU Service service terminated unexpectedly. It has done this 1 time(s).
    12/17/2010 2:58:21 PM, error: Service Control Manager [7034] - The Diskeeper service terminated unexpectedly. It has done this 1 time(s).
    12/17/2010 2:58:21 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    12/17/2010 2:58:21 PM, error: Service Control Manager [7034] - The ACU Configuration Service service terminated unexpectedly. It has done this 1 time(s).
    12/17/2010 2:58:21 PM, error: Service Control Manager [7034] - The Access Connections Main Service service terminated unexpectedly. It has done this 1 time(s).
    12/17/2010 2:58:21 PM, error: Service Control Manager [7034] - The Ac Profile Manager Service service terminated unexpectedly. It has done this 1 time(s).
    12/17/2010 2:58:21 PM, error: Service Control Manager [7031] - The Bluetooth Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    12/17/2010 11:54:02 AM, error: SAVOnAccessFilter [63] - Failed to obtain volume information from mount manager.
    12/17/2010 11:53:52 AM, error: Removable Storage Service [111] - RSM could not load media in drive Drive 0 of library SD Memory Card.
    12/17/2010 10:39:36 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Schedule service.
    12/16/2010 5:26:17 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
    12/15/2010 7:18:20 PM, error: Service Control Manager [7001] - The Infrared Monitor service depends on the Terminal Services service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    12/14/2010 9:59:41 PM, information: Windows File Protection [64004] - The protected system file zclientm.exe could not be restored to its original, valid version. The file version of the bad file is 1.2.626.1 The specific error code is 0x00000426 [The service has not been started. ].
    12/14/2010 8:34:46 PM, error: Service Control Manager [7022] - The Sophos AutoUpdate Service service hung on starting.
    12/14/2010 8:32:54 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the lxddCATSCustConnectService service to connect.
    12/14/2010 8:32:54 PM, error: Service Control Manager [7000] - The lxddCATSCustConnectService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    12/14/2010 8:30:34 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    12/14/2010 10:15:15 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
    12/13/2010 9:34:27 AM, error: Print [19] - Sharing printer failed + 1722, Printer Microsoft XPS Document Writer share name Printer.
    12/12/2010 3:46:33 PM, error: PlugPlayManager [12] - The device 'MATSHITA DVD-RAM UJ-832' (IDE\CdRomMATSHITA_DVD-RAM_UJ-832_________________1.00____\5&2ba179a6&0&0.0.0) disappeared from the system without first being prepared for removal.

    ==== End Of File ===========================
     
  14. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    We have a rootkit here....

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  15. sunbeam08

    sunbeam08 TS Rookie Topic Starter Posts: 78

    Is that everything you need?
     
  16. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    Did you read my previous reply?
     
  17. sunbeam08

    sunbeam08 TS Rookie Topic Starter Posts: 78

    Yeah, trying to find the log after the reboot. Give me one second here.
     
  18. sunbeam08

    sunbeam08 TS Rookie Topic Starter Posts: 78

    2010/12/17 18:46:30.0859 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
    2010/12/17 18:46:30.0859 ================================================================================
    2010/12/17 18:46:30.0859 SystemInfo:
    2010/12/17 18:46:30.0859
    2010/12/17 18:46:30.0859 OS Version: 5.1.2600 ServicePack: 3.0
    2010/12/17 18:46:30.0859 Product type: Workstation
    2010/12/17 18:46:30.0859 ComputerName: LENOVO-190B3298
    2010/12/17 18:46:30.0859 UserName: camron
    2010/12/17 18:46:30.0859 Windows directory: C:\WINDOWS
    2010/12/17 18:46:30.0859 System windows directory: C:\WINDOWS
    2010/12/17 18:46:30.0859 Processor architecture: Intel x86
    2010/12/17 18:46:30.0859 Number of processors: 1
    2010/12/17 18:46:30.0859 Page size: 0x1000
    2010/12/17 18:46:30.0859 Boot type: Normal boot
    2010/12/17 18:46:30.0859 ================================================================================
    2010/12/17 18:46:31.0234 Initialize success
    2010/12/17 18:46:46.0875 ================================================================================
    2010/12/17 18:46:46.0875 Scan started
    2010/12/17 18:46:46.0875 Mode: Manual;
    2010/12/17 18:46:46.0875 ================================================================================
    2010/12/17 18:46:48.0281 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
    2010/12/17 18:46:48.0359 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
    2010/12/17 18:46:48.0578 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2010/12/17 18:46:48.0718 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
    2010/12/17 18:46:48.0859 ADIHdAudAddService (f966521dee86995393a470e95ecaa9fa) C:\WINDOWS\system32\drivers\ADIHdAud.sys
    2010/12/17 18:46:48.0921 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
    2010/12/17 18:46:49.0015 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2010/12/17 18:46:49.0062 AegisP (91f3df93f40a74d222cd166fe95db633) C:\WINDOWS\system32\DRIVERS\AegisP.sys
    2010/12/17 18:46:49.0140 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2010/12/17 18:46:49.0250 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
    2010/12/17 18:46:49.0343 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
    2010/12/17 18:46:49.0421 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
    2010/12/17 18:46:49.0484 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
    2010/12/17 18:46:49.0562 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
    2010/12/17 18:46:49.0625 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
    2010/12/17 18:46:49.0687 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
    2010/12/17 18:46:49.0750 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
    2010/12/17 18:46:49.0828 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
    2010/12/17 18:46:49.0921 ANC (11ab185a7af224800bbfb5b836974a17) C:\WINDOWS\system32\drivers\ANC.SYS
    2010/12/17 18:46:49.0984 AR5211 (732957c5d10c8960422bbdb4e74e7b1d) C:\WINDOWS\system32\DRIVERS\ar5211.sys
    2010/12/17 18:46:50.0078 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2010/12/17 18:46:50.0140 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
    2010/12/17 18:46:50.0203 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
    2010/12/17 18:46:50.0265 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
    2010/12/17 18:46:50.0343 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2010/12/17 18:46:50.0437 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2010/12/17 18:46:50.0546 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2010/12/17 18:46:50.0609 atmeltpm (78a6db2682cd5ca28395423ccf0ccfae) C:\WINDOWS\system32\DRIVERS\atmeltpm.sys
    2010/12/17 18:46:50.0656 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2010/12/17 18:46:50.0718 b57w2k (241474d01380e9ed41d4c07f4f5fd401) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
    2010/12/17 18:46:50.0781 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2010/12/17 18:46:50.0875 btaudio (d696dabc8cea46fb734471dfb7097e08) C:\WINDOWS\system32\drivers\btaudio.sys
    2010/12/17 18:46:50.0953 BTDriver (8afe2f912542dabf638c1dcc5885f685) C:\WINDOWS\system32\DRIVERS\btport.sys
    2010/12/17 18:46:51.0046 BTKRNL (0026eff717c70bba7bcea6891e5878d5) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
    2010/12/17 18:46:51.0140 BTWDNDIS (14a72d813bea2c400e941a928a7cca9f) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
    2010/12/17 18:46:51.0171 BTWUSB (5a12020259495bbad1b5e13e5c98671f) C:\WINDOWS\system32\Drivers\btwusb.sys
    2010/12/17 18:46:51.0203 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
    2010/12/17 18:46:51.0250 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2010/12/17 18:46:51.0296 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2010/12/17 18:46:51.0359 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
    2010/12/17 18:46:51.0406 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2010/12/17 18:46:51.0453 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2010/12/17 18:46:51.0546 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2010/12/17 18:46:51.0656 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2010/12/17 18:46:51.0703 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
    2010/12/17 18:46:51.0734 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2010/12/17 18:46:51.0796 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
    2010/12/17 18:46:51.0843 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
    2010/12/17 18:46:51.0906 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
    2010/12/17 18:46:51.0968 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2010/12/17 18:46:52.0062 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2010/12/17 18:46:52.0140 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2010/12/17 18:46:52.0171 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2010/12/17 18:46:52.0234 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2010/12/17 18:46:52.0312 Dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
    2010/12/17 18:46:52.0359 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
    2010/12/17 18:46:52.0390 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
    2010/12/17 18:46:52.0421 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
    2010/12/17 18:46:52.0468 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2010/12/17 18:46:52.0500 drvmcdb (0196321f41476fc1fe6b0b7c37a6051e) C:\WINDOWS\system32\drivers\drvmcdb.sys
    2010/12/17 18:46:52.0546 drvnddm (273061d90d4af7c1539e8102c7f458b5) C:\WINDOWS\system32\drivers\drvnddm.sys
    2010/12/17 18:46:52.0593 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    2010/12/17 18:46:52.0640 EGATHDRV (2d0fc676d159525f6cd74c3302c7a61c) C:\WINDOWS\SYSTEM32\EGATHDRV.SYS
    2010/12/17 18:46:52.0703 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2010/12/17 18:46:52.0765 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2010/12/17 18:46:52.0828 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2010/12/17 18:46:52.0890 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2010/12/17 18:46:52.0937 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2010/12/17 18:46:52.0984 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2010/12/17 18:46:53.0046 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2010/12/17 18:46:53.0109 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
    2010/12/17 18:46:53.0140 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2010/12/17 18:46:53.0218 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2010/12/17 18:46:53.0265 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2010/12/17 18:46:53.0312 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
    2010/12/17 18:46:53.0359 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
    2010/12/17 18:46:53.0406 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
    2010/12/17 18:46:53.0453 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
    2010/12/17 18:46:53.0500 HSFHWAZL (b9f870fd21dcab419ca6d7bf879adcc0) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
    2010/12/17 18:46:53.0593 HSF_DPV (68115bb0fa4cba6e2eaf16d652f559d5) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
    2010/12/17 18:46:53.0718 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2010/12/17 18:46:53.0765 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
    2010/12/17 18:46:53.0812 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
    2010/12/17 18:46:53.0859 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2010/12/17 18:46:53.0968 ialm (56cc37c0eaa5255d90f989e84e5e7663) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
    2010/12/17 18:46:54.0046 ibmfilter (d4193760493da47d4d4580589e27f0ca) C:\WINDOWS\system32\drivers\ibmfilter.sys
    2010/12/17 18:46:54.0109 IBMPMDRV (ca94a78eaf5cce1066fcc3df11e706dc) C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys
    2010/12/17 18:46:54.0171 IBMTPCHK (e11c235daf96e4ce5a60e2aa09a902e2) C:\WINDOWS\system32\Drivers\IBMBLDID.sys
    2010/12/17 18:46:54.0218 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2010/12/17 18:46:54.0281 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
    2010/12/17 18:46:54.0328 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2010/12/17 18:46:54.0375 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2010/12/17 18:46:54.0421 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2010/12/17 18:46:54.0453 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2010/12/17 18:46:54.0484 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2010/12/17 18:46:54.0531 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2010/12/17 18:46:54.0578 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2010/12/17 18:46:54.0625 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
    2010/12/17 18:46:54.0671 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2010/12/17 18:46:54.0718 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2010/12/17 18:46:54.0750 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys
    2010/12/17 18:46:54.0796 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2010/12/17 18:46:54.0843 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2010/12/17 18:46:54.0890 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2010/12/17 18:46:55.0125 LVUSBSta (09bb09ed89f38998267647a1ad4da9ed) C:\WINDOWS\system32\drivers\lvusbsta.sys
    2010/12/17 18:46:55.0218 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
    2010/12/17 18:46:55.0281 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2010/12/17 18:46:55.0343 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2010/12/17 18:46:55.0406 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2010/12/17 18:46:55.0453 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2010/12/17 18:46:55.0484 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2010/12/17 18:46:55.0531 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
    2010/12/17 18:46:55.0578 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2010/12/17 18:46:55.0640 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2010/12/17 18:46:55.0703 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2010/12/17 18:46:55.0750 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2010/12/17 18:46:55.0781 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2010/12/17 18:46:55.0828 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2010/12/17 18:46:55.0875 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2010/12/17 18:46:55.0921 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    2010/12/17 18:46:55.0953 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2010/12/17 18:46:56.0000 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2010/12/17 18:46:56.0078 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2010/12/17 18:46:56.0140 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2010/12/17 18:46:56.0187 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2010/12/17 18:46:56.0250 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2010/12/17 18:46:56.0296 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2010/12/17 18:46:56.0343 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2010/12/17 18:46:56.0390 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2010/12/17 18:46:56.0437 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2010/12/17 18:46:56.0531 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2010/12/17 18:46:56.0562 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2010/12/17 18:46:56.0609 NSCIRDA (2adc0ca9945c65284b3d19bc18765974) C:\WINDOWS\system32\DRIVERS\nscirda.sys
    2010/12/17 18:46:56.0656 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2010/12/17 18:46:56.0734 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2010/12/17 18:46:56.0859 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2010/12/17 18:46:56.0968 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2010/12/17 18:46:57.0078 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2010/12/17 18:46:57.0140 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2010/12/17 18:46:57.0218 PalmUSBD (240c0d4049a833b16b63b636acf01672) C:\WINDOWS\system32\drivers\PalmUSBD.sys
    2010/12/17 18:46:57.0265 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2010/12/17 18:46:57.0312 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2010/12/17 18:46:57.0343 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2010/12/17 18:46:57.0390 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2010/12/17 18:46:57.0453 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2010/12/17 18:46:57.0484 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
    2010/12/17 18:46:57.0640 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
    2010/12/17 18:46:57.0687 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
    2010/12/17 18:46:57.0828 pmem (fa292805788528c083f416e151b60ab6) C:\WINDOWS\System32\drivers\pmemnt.sys
    2010/12/17 18:46:57.0890 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2010/12/17 18:46:57.0968 PrivateDisk (c120b205614de6bd2a85c51cc77d69f0) C:\Program Files\IBM ThinkVantage\SafeGuard PrivateDisk\PrivateDiskM.sys
    2010/12/17 18:46:58.0062 PROCDD (884228979a63a63799b48a2926481ea1) C:\WINDOWS\system32\DRIVERS\PROCDD.SYS
    2010/12/17 18:46:58.0093 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    2010/12/17 18:46:58.0140 psadd (045f099f312492f8c0a2dfe10df69d52) C:\WINDOWS\system32\Drivers\psadd.sys
    2010/12/17 18:46:58.0187 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2010/12/17 18:46:58.0234 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2010/12/17 18:46:58.0265 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2010/12/17 18:46:58.0328 QCMerced (d8ec7e2fbf3b8d66ff8f435338be41fe) C:\WINDOWS\system32\DRIVERS\LVCM.sys
    2010/12/17 18:47:03.0625 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2010/12/17 18:47:03.0625 ================================================================================
    2010/12/17 18:47:03.0625 Scan finished
    2010/12/17 18:47:03.0625 ================================================================================
    2010/12/17 18:47:03.0656 Detected object count: 1
    2010/12/17 18:47:18.0781 \HardDisk0 - will be cured after reboot
    2010/12/17 18:47:18.0781 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
    2010/12/17 18:47:45.0000 Deinitialize success
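The line that matters in the TDSSKiller output above is the detection on \HardDisk0 rather than on any file: a TDL4 bootkit sits in the MBR, which is why the file-based scanners run earlier in this thread found nothing. Below is a small parser for that log layout, added here as an example and not something posted in this thread; its sample log lines, driver names, hashes and paths are constructed, and the helper names (parse_tdsskiller, ScanReport) are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the TDSSKiller log layout seen in this thread: driver lines
# ("name (md5) path"), the \HardDisk0 detection, the scan summary and the action lines.
# Driver names, hashes and paths are made up; the detection wording matches the page.
SAMPLE_LOG = r"""
2010/12/17 18:46:58.0593 SampleNet (0123456789abcdef0123456789abcdef) C:\WINDOWS\system32\DRIVERS\samplenet.sys
2010/12/17 18:46:59.0921 vendorsvc (fedcba9876543210fedcba9876543210) C:\Program Files\VendorTool\vendorsvc.sys
2010/12/17 18:47:03.0625 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/17 18:47:03.0625 ================================================================================
2010/12/17 18:47:03.0625 Scan finished
2010/12/17 18:47:03.0625 ================================================================================
2010/12/17 18:47:03.0656 Detected object count: 1
2010/12/17 18:47:18.0781 \HardDisk0 - will be cured after reboot
2010/12/17 18:47:18.0781 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/12/17 18:47:45.0000 Deinitialize success
"""

TS = r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}) "
DRIVER_RE = re.compile(TS + r"(?P<name>\S+) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$")
DETECT_RE = re.compile(TS + r"(?P<obj>\S+) - detected (?P<verdict>\S+) \(\d+\)$")
ACTION_RE = re.compile(TS + r"(?P<verdict>[^\s(]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(TS + r"Detected object count: (?P<n>\d+)$")
# Directory Windows normally loads kernel drivers from; anything else deserves a second look.
SYSTEM_DIR = "\\windows\\system32\\"

Entry = Dict[str, str]

@dataclass
class ScanReport:
    drivers: List[Entry] = field(default_factory=list)
    detections: List[Entry] = field(default_factory=list)
    actions: List[Entry] = field(default_factory=list)
    reported_count: Optional[int] = None

    def consistent(self) -> bool:
        """Summary count must equal the number of detection lines actually parsed."""
        return self.reported_count == len(self.detections)

    def disk_level(self) -> List[Entry]:
        """Detections on a physical disk object rather than a file. A bootkit such as
        TDL4 sits in the MBR, which is why file-based AV scans come back clean."""
        return [d for d in self.detections if d["obj"].lower().startswith("\\harddisk")]

    def unresolved(self) -> List[Entry]:
        """Detections with no Cure/Delete action recorded for the same object."""
        handled = {a["obj"] for a in self.actions if a["action"] in ("Cure", "Delete")}
        return [d for d in self.detections if d["obj"] not in handled]

    def nonstandard_drivers(self) -> List[Entry]:
        """Drivers loaded from outside the usual system directory (review, not a verdict)."""
        return [d for d in self.drivers if SYSTEM_DIR not in d["path"].lower()]

def parse_tdsskiller(text: str) -> ScanReport:
    """Parse TDSSKiller-style log text; separator and status lines are ignored."""
    report = ScanReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DETECT_RE.match(line):
            report.detections.append({"ts": m["ts"], "obj": m["obj"], "verdict": m["verdict"]})
        elif m := ACTION_RE.match(line):
            report.actions.append({"ts": m["ts"], "obj": m["obj"],
                                   "verdict": m["verdict"], "action": m["action"]})
        elif m := COUNT_RE.match(line):
            report.reported_count = int(m["n"])
        elif m := DRIVER_RE.match(line):
            report.drivers.append({"name": m["name"], "md5": m["md5"].lower(), "path": m["path"]})
    return report
```

Run parse_tdsskiller over a pasted log and check disk_level() and unresolved(): an empty unresolved list together with a consistent() count is what you want to see before the reboot that applies the cure.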
     
  19. sunbeam08

    sunbeam08 TS Rookie Topic Starter Posts: 78

    What is a rootkit?
     
  20. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    http://en.wikipedia.org/wiki/Rootkit

    Is your computer feeling better now?

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AVG Remover to uninstall it: http://www.avg.com/us-en/download-tools
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.pif
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  21. sunbeam08

    sunbeam08 TS Rookie Topic Starter Posts: 78

    Just searched for the same thing that I searched for on Google about 20 minutes ago (redirected at the time of course), and it's not redirecting the site :). Definitely feeling better. I noticed this on the log:

    12/14/2010 8:34:46 PM, error: Service Control Manager [7022] - The Sophos AutoUpdate Service service hung on starting.

    Can you help me fix that problem also? It has become an annoyance.
     
  22. Broni

    Broni Malware Annihilator Posts: 47,066   +256

    Remind me when we're done with the cleaning process.
     
  23. sunbeam08

    sunbeam08 TS Rookie Topic Starter Posts: 78

    ComboFix 10-12-16.05 - camron 12/17/2010 19:33:13.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.897 [GMT -8:00]
    Running from: c:\documents and settings\camron\Desktop\ComboFix.exe
    AV: Sophos Anti-Virus *Disabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
    AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2010-11-18 to 2010-12-18 )))))))))))))))))))))))))))))))
    .

    2010-12-18 01:38 . 2010-11-30 01:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-18 01:38 . 2010-12-18 01:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-12-18 01:38 . 2010-11-30 01:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-17 19:53 . 2010-12-17 19:53 -------- d-----w- c:\documents and settings\camron\Application Data\Avira
    2010-12-15 04:54 . 2010-12-15 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG
    2010-12-14 06:49 . 2010-12-14 06:49 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
    2010-12-13 01:55 . 2010-12-13 01:55 -------- d-sh--w- c:\documents and settings\camron\IECompatCache
    2010-12-13 01:34 . 2010-12-13 01:34 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2010-12-13 01:31 . 2010-12-13 01:31 -------- d-sh--w- c:\documents and settings\camron\PrivacIE
    2010-12-13 01:25 . 2010-12-13 01:25 -------- d-sh--w- c:\documents and settings\camron\IETldCache
    2010-12-13 01:24 . 2010-12-13 01:24 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2010-12-13 01:13 . 2010-12-13 01:18 -------- dc-h--w- c:\windows\ie8
    2010-12-10 04:27 . 2010-12-10 04:27 -------- d-----w- c:\documents and settings\camron\Application Data\AVG10
    2010-12-10 04:26 . 2010-12-10 04:26 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2010-12-10 04:25 . 2010-12-17 22:28 -------- d-----w- c:\windows\system32\drivers\AVG
    2010-12-10 04:24 . 2010-12-16 06:04 -------- d-----w- c:\program files\AVG
    2010-12-10 04:09 . 2010-12-10 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2010-12-02 03:26 . 2010-12-18 03:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-12-02 03:26 . 2010-12-18 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-12-02 03:26 . 2010-12-02 03:30 133432520 ----a-w- c:\program files\Ad-AwareInstall.exe
    2010-12-02 03:21 . 2010-12-02 03:22 16409960 ----a-w- c:\program files\spybotsd162.exe
    2010-12-02 03:18 . 2010-12-14 06:57 7622112 ----a-w- c:\program files\mbam-setup-1.50.0.0.exe
    2010-12-01 20:57 . 2010-12-01 20:57 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
    2010-12-01 20:57 . 2010-12-01 20:57 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
    2010-12-01 07:30 . 2010-12-01 07:30 -------- d-----w- c:\program files\Windows Sidebar
    2010-12-01 07:30 . 2010-12-09 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
    2010-12-01 01:29 . 2010-12-01 01:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-11-24 23:22 . 2010-11-24 23:24 6153352 ----a-w- c:\program files\malware-setup-1.46.exe
    2010-11-24 22:21 . 2010-11-24 22:21 -------- d-----w- c:\documents and settings\mom\Application Data\Malwarebytes
     
  24. sunbeam08

    sunbeam08 TS Rookie Topic Starter Posts: 78

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-12 23:47 . 2006-05-18 14:54 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
    2007-02-12 17:17 . 2007-02-12 17:17 1286944 ------w- c:\program files\SetupAnyDVD6114.exe
    2006-12-03 20:28 . 2006-12-03 20:28 6083152 ------w- c:\program files\SightSpeedInstall.exe
    2006-11-29 22:53 . 2006-11-29 22:52 739240 ------w- c:\program files\vnc-4_1_2-x86_win32.exe
    2006-10-30 18:16 . 2006-10-30 18:16 482288 ------w- c:\program files\YorkPhotoShow.exe
    2006-09-05 10:30 . 2006-09-05 10:30 3800811 ------w- c:\program files\wace265i.exe
    2003-04-22 15:46 . 2003-04-22 15:46 2719744 ------w- c:\program files\aiodrv.msi
    2003-04-22 15:42 . 2003-04-22 15:42 2588672 ------w- c:\program files\aiosw.msi
    2003-03-10 02:30 . 2003-03-10 02:30 184320 ----a-w- c:\program files\hpzscr07.dll
    2003-03-10 02:30 . 2003-03-10 02:30 274432 ----a-w- c:\program files\hpzglu07.exe
    2003-03-10 02:30 . 2003-03-10 02:30 237568 ----a-w- c:\program files\hpzc3212.dll
    2002-09-09 23:48 . 2002-09-09 23:48 22608 ----a-w- c:\program files\usbprint.sys
    2002-09-09 23:48 . 2002-09-09 23:48 12288 ----a-w- c:\program files\usbmon.dll
    2002-09-09 23:47 . 2002-09-09 23:47 254005 ----a-w- c:\program files\msvcrt.dll
    2002-09-09 23:47 . 2002-09-09 23:47 70656 ----a-w- c:\program files\msvcirt.dll
    2002-09-09 23:47 . 2002-09-09 23:47 212992 ----a-w- c:\program files\hpzpnp07.dll
    2002-09-09 23:46 . 2002-09-09 23:46 49212 ----a-w- c:\program files\hpzjvp01.dll
    2002-09-09 23:46 . 2002-09-09 23:46 249913 ----a-w- c:\program files\hpzjut01.dll
    2002-09-09 23:46 . 2002-09-09 23:46 417849 ----a-w- c:\program files\hpzjpp01.dll
    2002-09-09 23:46 . 2002-09-09 23:46 28722 ----a-w- c:\program files\hpzjlog.dll
    2002-09-06 15:54 . 2002-09-06 15:54 995383 ----a-w- c:\program files\MFC42.DLL
    .
     
  25. sunbeam08

    sunbeam08 TS Rookie Topic Starter Posts: 78

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2005-09-09 114688]
    "LPManager"="c:\progra~1\THINKV~2\PrdCtr\LPMGR.exe" [2005-11-24 106496]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-09-26 196696]
    "ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2005-12-16 409600]
    "ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2005-12-16 98304]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2009-10-16 1325936]
    "AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2009-10-16 904840]
    "Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2009-10-16 136544]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-6-11 245760]
    hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-9 147456]
    hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2005-07-12 16:45 109664 ------w- c:\program files\ThinkVantage Fingerprint Software\psfus.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    2005-07-06 06:45 28672 ------w- c:\windows\system32\notifyf2.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2005-06-17 05:23 24576 ------w- c:\windows\system32\tphklock.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
    @="service"
     
Topic Status:
Not open for further replies.