[Active] Rootkit issue? Multiple unwanted pop-ups. 8-step logs included

rrw1217 · Feb 15, 2011

Hi there,

Sorry to bother you, had a problem last year and you all were incredibly helpful. Very recently, started getting multiple pop-ups from some sites, particularly when initiating a Google search. WOT registered most of these sites as dangerous. Ran a scan using I've my anti-virus program (AVG) last week, came up with 56 warnings and 7 infected files (all Trojans - can provide specifics, if that would be helpful). Previous automated scans hadn't caught anything. Pop-up infestation continues, even though subsequent scans haven't caught any infected files. Very concerned, so ran through preliminary instructions. Logs are below (I noticed the DDS log mentioned something about "possible rootkit infection," hence the title). Please let me know if there's further info I can provide, and thanks for any assistance/advice you can offer:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4005

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

2/14/2011 3:19:17 PM
mbam-log-2011-02-14 (15-19-17).txt

Scan type: Quick scan
Objects scanned: 112445
Time elapsed: 7 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-02-14 15:35:57
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD800BB-75JHA0 rev.05.01C05
Running: 049qrymt.exe; Driver: C:\DOCUME~1\Liz\LOCALS~1\Temp\ufddipod.sys

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 822FF5F5
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 822FF5F5
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 822FF5F5
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 822FF5F5

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD800BB-75JHA0______________________05.01C05#5&2713bb34&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----

DDS (Ver_10-12-12.02) - NTFSx86
Run by Liz at 15:45:26.21 on Mon 02/14/2011
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.95 [GMT -5:00]

AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *Enabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
svchost.exe
C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
C:\Program Files\Panasonic\PHOTOfunSTUDIO 4.0\AutoStartupService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Liz\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://cgi.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=6.1&bm=ho_home
uInternet Connection Wizard,ShellNext = https://activate.verizon.net/launch/res1/html/vol_with_msn_help.html
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Motive SmartBridge] c:\progra~1\verizo~1\smartb~1\MotiveSB.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] c:\windows\UpdReg.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - c:\program files\panasonic\photofunstudio 4.0\AutoStartupService.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1269205387408
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170535137421
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389}
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
mASetup: {4BFBEBE3-34EC-4BEF-9BA9-8FEABF8C1B75} - rundll32.exe "c:\documents and settings\liz\application data\sun\iimsu.dll", UnregisterDll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\liz\applic~1\mozilla\firefox\profiles\3hljs8kd.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4bafb9c7&v=6.010.006.004&i=23&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - component: c:\documents and settings\liz\application data\mozilla\firefox\profiles\3hljs8kd.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\liz\application data\mozilla\firefox\profiles\3hljs8kd.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\liz\application data\mozilla\firefox\profiles\3hljs8kd.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: BitDefender QuickScan: {e001c731-5e37-4538-a5cb-8168736a2360} - %profile%\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg9\Firefox
FF - Ext: AVG Security Toolbar em:version=6.010.006.004 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg9\toolbar\firefox\avg@igeared

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-3-28 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-3-28 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-3-28 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
S1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\mpfirewall.sys --> c:\windows\system32\drivers\MpFirewall.sys [?]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]
S3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys --> c:\windows\system32\drivers\naiavf5x.sys [?]

=============== Created Last 30 ================

2011-02-06 18:16:52 90112 ------w- c:\windows\Updreg.EXE
2011-02-06 18:16:49 84992 ------w- c:\windows\system32\SFCVRT32.DLL
2011-02-06 18:16:49 53552 ------w- c:\windows\CTCCW.DLL
2011-02-06 18:16:49 40960 ------w- c:\windows\system32\AC3API.DLL
2011-02-06 18:16:49 24976 ------w- c:\windows\CTRES.DLL
2011-02-06 18:16:47 82432 ------w- c:\windows\system32\CTWFLT32.DLL
2011-02-06 18:16:47 26768 ------w- c:\windows\system32\CTL3D.DLL
2011-02-06 18:16:45 -------- d-----w- c:\windows\system32\Defaults
2011-02-06 18:14:19 176128 ----a-w- c:\windows\system32\USBAudio.cpl
2011-02-06 18:14:19 135168 ----a-w- c:\windows\system32\USBAudio.crl
2011-02-06 18:12:34 15840 ----a-w- c:\windows\system32\drivers\Pfmodnt.sys
2011-02-06 17:22:20 -------- d-----w- c:\docume~1\liz\applic~1\AVG9
2011-02-03 03:55:59 -------- d-----w- c:\docume~1\liz\applic~1\whitesmoketoolbar
2011-02-02 02:14:53 -------- d-----w- c:\program files\whitesmoketoolbar

==================== Find3M ====================

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800BB-75JHA0 rev.05.01C05 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x822FF7AF]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x823059b0]; MOV EAX, [0x82305a2c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8234DAB8]
3 CLASSPNP[0xF85F905B] -> nt!IofCallDriver[0x804E37D5] -> [0x82352BD0]
\Driver\atapi[0x82367030] -> IRP_MJ_CREATE -> 0x822FF7AF
kernel: MBR read successfully
_asm { CLI ; MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62f; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD800BB-75JHA0______________________05.01C05#5&2713bb34&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x822FF5F5
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 15:46:29.70 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 3/20/2010 3:38:20 PM
System Uptime: 2/14/2011 3:08:19 PM (0 hours ago)

Motherboard: Dell Computer Corp. | | 0F8403
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | Microprocessor | 2793/533mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 71 GiB total, 2.844 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description:
Device ID: ROOT\LEGACY_MCDETECT.EXE\0000
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_MCDETECT.EXE\0000
Service:

Class GUID:
Description:
Device ID: ROOT\LEGACY_MCSHIELD\0000
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_MCSHIELD\0000
Service:

Class GUID:
Description:
Device ID: ROOT\LEGACY_MCTSKSHD.EXE\0000
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_MCTSKSHD.EXE\0000
Service:

Class GUID:
Description:
Device ID: ROOT\LEGACY_MCUPDMGR.EXE\0000
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_MCUPDMGR.EXE\0000
Service:

Class GUID:
Description:
Device ID: ROOT\LEGACY_MPFSERVICE\0000
Manufacturer:
Name:
PNP Device ID: ROOT\LEGACY_MPFSERVICE\0000
Service:

==== System Restore Points ===================

RP215: 1/1/2011 11:39:36 PM - System Checkpoint
RP216: 1/3/2011 1:01:05 AM - System Checkpoint
RP217: 1/4/2011 1:39:42 AM - System Checkpoint
RP218: 1/5/2011 2:18:08 AM - System Checkpoint
RP219: 1/6/2011 2:39:42 AM - System Checkpoint
RP220: 1/7/2011 3:39:38 AM - System Checkpoint
RP221: 1/8/2011 3:55:12 PM - System Checkpoint
RP222: 1/9/2011 4:09:41 PM - System Checkpoint
RP223: 1/10/2011 4:43:07 PM - System Checkpoint
RP224: 1/11/2011 10:24:11 PM - System Checkpoint
RP225: 1/13/2011 3:00:26 AM - Software Distribution Service 3.0
RP226: 1/17/2011 8:16:36 PM - System Checkpoint
RP227: 1/18/2011 8:42:10 PM - System Checkpoint
RP228: 1/20/2011 12:05:14 AM - System Checkpoint
RP229: 1/21/2011 12:16:40 AM - System Checkpoint
RP230: 1/22/2011 1:15:58 AM - System Checkpoint
RP231: 1/23/2011 2:16:00 AM - System Checkpoint
RP232: 1/24/2011 3:16:06 AM - System Checkpoint
RP233: 1/25/2011 3:56:27 AM - System Checkpoint
RP234: 1/26/2011 8:54:51 PM - System Checkpoint
RP235: 1/31/2011 10:40:14 PM - System Checkpoint
RP236: 2/1/2011 11:05:39 PM - System Checkpoint
RP237: 2/5/2011 11:54:24 AM - Installed HiJackThis
RP238: 2/5/2011 3:19:24 PM - Removed EarthLink setup files
RP239: 2/5/2011 3:21:02 PM - Removed Musicmatch for Windows Media Player
RP240: 2/5/2011 3:21:43 PM - Removed NetZeroInstallers
RP241: 2/5/2011 3:22:34 PM - Removed Sound Blaster Audigy
RP242: 2/5/2011 3:22:57 PM - Configured Your Application Name
RP243: 2/5/2011 3:23:12 PM - Configured Your Application Name
RP244: 2/5/2011 3:23:28 PM - Configured Your Application Name
RP245: 2/5/2011 3:23:41 PM - Configured Your Application Name
RP246: 2/5/2011 3:26:16 PM - Removed Sonic Update Manager
RP247: 2/6/2011 1:13:34 PM - Installed Sound Blaster Audigy
RP248: 2/6/2011 1:13:55 PM - Installed Your Application Name
RP249: 2/6/2011 1:54:47 PM - Configured E-Center
RP250: 2/6/2011 1:52:34 PM - Installed Your Application Name
RP251: 2/6/2011 1:53:29 PM - Configured Your Application Name
RP252: 2/6/2011 1:53:57 PM - Installed Your Application Name
RP253: 2/6/2011 1:54:26 PM - Installed Your Application Name
RP254: 2/7/2011 9:04:05 PM - System Checkpoint
RP255: 2/8/2011 9:09:07 PM - System Checkpoint
RP256: 2/9/2011 10:25:05 PM - System Checkpoint
RP257: 2/10/2011 11:14:11 PM - System Checkpoint
RP258: 2/11/2011 11:42:33 PM - System Checkpoint
RP259: 2/13/2011 12:14:11 AM - System Checkpoint
RP260: 2/14/2011 12:15:35 AM - System Checkpoint

==== Installed Programs ======================

ABBYY FineReader 5.0 Sprint Plus
Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 10 Plugin
Adobe Illustrator 10
Adobe Photoshop 7.0
Adobe Reader 6.0.1
Adobe SVG Viewer 3.0
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audible Download Manager
AVG Free 9.0
Banctec Service Agreement
Bonjour
Conexant D850 56K V.9x DFVc Modem
Creative MediaSource
Dell Driver Reset Tool
Dell Media Experience
Dell Photo AIO Printer 922
Dell Picture Studio v3.0
Dell System Restore
DellSupport
Digital Line Detect
Engine Installer
G5a922EN
Get High Speed Internet!
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
iPod for Windows 2005-06-26
iTunes
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 16
Learn2 Player (Uninstall Only)
Macromedia Flash Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2000 Small Business
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Modem Helper
Mozilla Firefox (3.6.13)
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Musicmatch® Jukebox
My Way Search Assistant
NetWaiting
PHOTOfunSTUDIO 4.0
PowerDVD 5.3
QuickTime
RealPlayer Basic
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981350)
Security Update for Windows XP (KB982381)
Sonic DLA
Sonic RecordNow!
Sony USB Driver
Sound Blaster Live! 24-bit
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB925720)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB980182)
Verizon Online
Verizon Online Support Center
Viewpoint Media Player
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
WordPerfect Office 12

==== Event Viewer Messages From Past Week ========

2/7/2011 8:10:50 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: MPFIREWL
2/14/2011 2:58:52 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
2/14/2011 2:58:52 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
2/14/2011 2:58:52 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
2/14/2011 2:58:49 PM, error: Service Control Manager [7034] - The AOL Connectivity Service service terminated unexpectedly. It has done this 1 time(s).
2/14/2011 2:58:49 PM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
2/14/2011 2:58:49 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

==== End Of File ===========================

Bobbye · Feb 15, 2011

Welcome to TechSpot!

First order of business: You have 2 antivirus program running:
AV: AVG Anti-Virus Free *Disabled/Updated*
AV: McAfee VirusScan *Enabled/Outdated*
This makes a system more vulnerable, not less and it can also slow it down. Please remove one of them:
Going by some Serveices that are not bing used, it appears that you may have had McAee Security at one time, but now use AVG instead. If that is the case, you can't just abandon a security program> you must uninstall it to stop entries from loading.Tools to help:

AVG Remover eliminates all the parts of your AVG installation from your computer, including registry items, installation files, user files, etc.
Note:

AVG user settings will be removed.

Virus Vault contents will be removed.

All other items related to AVG installation and use will be removed.

You will be asked during the removal procedure to restart your computer. Please do so.

Make sure there is no open work in process prior toto launching AVG Remover.

Use the appropriate download for your system for the AVG Remover: AVG Remover:32bit
AVG Remover:64 bit
McAfee Removal
Reboot the computer when through.
=============================================
There is evidence of a rootkit so we'll address that:

Download the file TDSSKiller.zip and save to the desktop.
(If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)

Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.

Double click on TDSSKiller.exe. to run the scan

When the scan is over, the utility outputs a list of detected objects with description.
The utility automatically selects an action (Cure or Delete) for malicious objects.
The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).

Select the action Quarantine to quarantine detected objects.
The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43

After clicking Next, the utility applies selected actions and outputs the result. Please include the log in your next reply.

A reboot is required after disinfection.

rrw1217 · Feb 15, 2011

Thank you - I will try the rootkit removal program once I get home. Re: the anti-virus, I am at a complete loss... I've run the MCPR.exe program, deleted every folder and every registry file I can find for McAfee. It doesn't show up in my Control Panel as a program that I can remove. I've contacted them directly - the account is long cancelled (since about a year ago, which is when I installed AVG) and they hence aren't willing/able to assist as I'm no longer a customer. I'm at a loss as to why it still comes up as an active program.

Bobbye · Feb 15, 2011

Don't worry about McAfee. After you have run Combofix (later) if it just remains in the Header, I can remove it.

rrw1217 · Feb 16, 2011

Ran the TDSS, report below:

2011/02/16 15:40:43.0476 2612 TDSS rootkit removing tool 2.4.17.0 Feb 10 2011 11:07:20
2011/02/16 15:40:43.0804 2612 ================================================================================
2011/02/16 15:40:43.0804 2612 SystemInfo:
2011/02/16 15:40:43.0804 2612
2011/02/16 15:40:43.0804 2612 OS Version: 5.1.2600 ServicePack: 2.0
2011/02/16 15:40:43.0804 2612 Product type: Workstation
2011/02/16 15:40:43.0804 2612 ComputerName: TIGGER2
2011/02/16 15:40:43.0804 2612 UserName: Liz
2011/02/16 15:40:43.0804 2612 Windows directory: C:\WINDOWS
2011/02/16 15:40:43.0804 2612 System windows directory: C:\WINDOWS
2011/02/16 15:40:43.0804 2612 Processor architecture: Intel x86
2011/02/16 15:40:43.0804 2612 Number of processors: 1
2011/02/16 15:40:43.0804 2612 Page size: 0x1000
2011/02/16 15:40:43.0804 2612 Boot type: Normal boot
2011/02/16 15:40:43.0804 2612 ================================================================================
2011/02/16 15:40:45.0742 2612 Initialize success
2011/02/16 15:40:59.0148 2728 ================================================================================
2011/02/16 15:40:59.0148 2728 Scan started
2011/02/16 15:40:59.0148 2728 Mode: Manual;
2011/02/16 15:40:59.0148 2728 ================================================================================
2011/02/16 15:41:00.0976 2728 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/02/16 15:41:02.0023 2728 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/16 15:41:02.0773 2728 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/02/16 15:41:03.0195 2728 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/02/16 15:41:03.0617 2728 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2011/02/16 15:41:03.0835 2728 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
2011/02/16 15:41:04.0195 2728 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/02/16 15:41:04.0460 2728 agpCPQ (67288b07d6aba6c1267b626e67bc56fd) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/02/16 15:41:04.0679 2728 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/02/16 15:41:04.0882 2728 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/02/16 15:41:05.0132 2728 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/02/16 15:41:05.0320 2728 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/02/16 15:41:05.0523 2728 alim1541 (f312b7cef21eff52fa23056b9d815fad) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/02/16 15:41:05.0757 2728 amdagp (675c16a3c1f8482f85ee4a97fc0dde3d) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/02/16 15:41:05.0960 2728 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/02/16 15:41:06.0195 2728 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/02/16 15:41:06.0413 2728 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/02/16 15:41:06.0632 2728 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/02/16 15:41:06.0788 2728 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
2011/02/16 15:41:07.0195 2728 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/02/16 15:41:07.0398 2728 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/02/16 15:41:07.0570 2728 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/02/16 15:41:07.0867 2728 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/02/16 15:41:08.0163 2728 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\system32\Drivers\avgldx86.sys
2011/02/16 15:41:08.0335 2728 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\system32\Drivers\avgmfx86.sys
2011/02/16 15:41:08.0554 2728 AvgTdiX (22e3b793c3e61720f03d3a22351af410) C:\WINDOWS\system32\Drivers\avgtdix.sys
2011/02/16 15:41:09.0023 2728 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/02/16 15:41:09.0320 2728 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/02/16 15:41:09.0445 2728 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/02/16 15:41:09.0492 2728 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/02/16 15:41:09.0710 2728 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/02/16 15:41:09.0929 2728 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/02/16 15:41:10.0148 2728 cdrbsvsd (7fc46240546c16c0448c29c9d233b915) C:\WINDOWS\system32\drivers\cdrbsvsd.sys
2011/02/16 15:41:10.0632 2728 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/02/16 15:41:11.0054 2728 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/02/16 15:41:11.0273 2728 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/02/16 15:41:11.0523 2728 ctsfm2k (b459ae4afca570088adddbe55eabbc92) C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys
2011/02/16 15:41:11.0913 2728 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/02/16 15:41:12.0101 2728 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/02/16 15:41:12.0351 2728 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/02/16 15:41:12.0679 2728 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2011/02/16 15:41:13.0085 2728 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2011/02/16 15:41:13.0226 2728 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/02/16 15:41:13.0445 2728 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/02/16 15:41:13.0663 2728 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/02/16 15:41:13.0851 2728 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/02/16 15:41:14.0070 2728 drvmcdb (b15f9e526ba511a48b1b1b8537815740) C:\WINDOWS\system32\drivers\drvmcdb.sys
2011/02/16 15:41:14.0398 2728 drvnddm (fa4670cae95ae2bb857c68e535661145) C:\WINDOWS\system32\drivers\drvnddm.sys
2011/02/16 15:41:14.0710 2728 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
2011/02/16 15:41:15.0132 2728 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
2011/02/16 15:41:15.0507 2728 E100B (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/02/16 15:41:15.0913 2728 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/02/16 15:41:16.0163 2728 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/02/16 15:41:16.0382 2728 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2011/02/16 15:41:16.0601 2728 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/02/16 15:41:16.0820 2728 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/02/16 15:41:17.0023 2728 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/02/16 15:41:17.0148 2728 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/02/16 15:41:17.0367 2728 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/02/16 15:41:17.0554 2728 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/02/16 15:41:17.0757 2728 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/02/16 15:41:17.0992 2728 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/02/16 15:41:18.0351 2728 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
2011/02/16 15:41:19.0132 2728 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2011/02/16 15:41:19.0570 2728 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/02/16 15:41:19.0898 2728 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/02/16 15:41:20.0054 2728 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/02/16 15:41:20.0242 2728 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/02/16 15:41:20.0476 2728 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/02/16 15:41:21.0117 2728 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/02/16 15:41:21.0335 2728 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/02/16 15:41:21.0570 2728 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/02/16 15:41:21.0820 2728 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/02/16 15:41:22.0038 2728 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/02/16 15:41:22.0257 2728 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/02/16 15:41:22.0445 2728 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/02/16 15:41:22.0726 2728 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/02/16 15:41:23.0038 2728 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/02/16 15:41:23.0179 2728 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/02/16 15:41:23.0445 2728 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/02/16 15:41:23.0632 2728 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/02/16 15:41:23.0835 2728 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2011/02/16 15:41:24.0070 2728 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/02/16 15:41:24.0382 2728 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/02/16 15:41:24.0679 2728 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/02/16 15:41:24.0851 2728 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2011/02/16 15:41:25.0038 2728 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/02/16 15:41:25.0132 2728 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/02/16 15:41:25.0351 2728 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/02/16 15:41:25.0585 2728 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/02/16 15:41:25.0913 2728 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/02/16 15:41:26.0788 2728 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/02/16 15:41:28.0226 2728 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/02/16 15:41:29.0710 2728 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2011/02/16 15:41:31.0038 2728 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/02/16 15:41:31.0898 2728 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/02/16 15:41:32.0695 2728 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/02/16 15:41:33.0773 2728 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/02/16 15:41:34.0788 2728 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2011/02/16 15:41:36.0648 2728 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2011/02/16 15:41:38.0163 2728 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/02/16 15:41:39.0257 2728 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/02/16 15:41:40.0382 2728 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/02/16 15:41:41.0398 2728 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/02/16 15:41:42.0288 2728 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/02/16 15:41:43.0195 2728 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/02/16 15:41:44.0648 2728 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2011/02/16 15:41:45.0679 2728 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/02/16 15:41:47.0148 2728 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/02/16 15:41:48.0804 2728 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/02/16 15:41:50.0945 2728 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/02/16 15:41:52.0070 2728 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/02/16 15:41:52.0976 2728 ossrv (c720c25b2d0c93dc425155f5b6a707f3) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
2011/02/16 15:41:54.0710 2728 P17 (3a7290f2c423b80ba95becae015b9b1b) C:\WINDOWS\system32\drivers\P17.sys
2011/02/16 15:41:58.0507 2728 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/02/16 15:41:59.0398 2728 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/02/16 15:42:00.0242 2728 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/02/16 15:42:01.0070 2728 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/02/16 15:42:02.0648 2728 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/02/16 15:42:03.0570 2728 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/02/16 15:42:06.0632 2728 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/02/16 15:42:07.0523 2728 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/02/16 15:42:08.0507 2728 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/02/16 15:42:09.0288 2728 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/02/16 15:42:10.0257 2728 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/02/16 15:42:11.0007 2728 PxHelp20 (db3b30c3a4cdcf07e164c14584d9d0f2) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/02/16 15:42:12.0617 2728 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/02/16 15:42:13.0335 2728 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/02/16 15:42:14.0492 2728 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/02/16 15:42:15.0195 2728 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/02/16 15:42:16.0179 2728 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/02/16 15:42:17.0257 2728 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/02/16 15:42:18.0710 2728 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/02/16 15:42:19.0663 2728 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/02/16 15:42:20.0648 2728 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/02/16 15:42:21.0382 2728 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/02/16 15:42:22.0413 2728 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/02/16 15:42:23.0242 2728 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/02/16 15:42:25.0023 2728 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/02/16 15:42:26.0304 2728 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/02/16 15:42:27.0460 2728 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/02/16 15:42:28.0929 2728 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/02/16 15:42:29.0945 2728 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/02/16 15:42:30.0835 2728 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/02/16 15:42:32.0460 2728 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/02/16 15:42:33.0257 2728 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2011/02/16 15:42:34.0023 2728 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/02/16 15:42:34.0898 2728 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2011/02/16 15:42:35.0710 2728 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/02/16 15:42:36.0523 2728 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/02/16 15:42:37.0960 2728 sscdbhk5 (d7968049be0adbb6a57cee3960320911) C:\WINDOWS\system32\drivers\sscdbhk5.sys
2011/02/16 15:42:39.0476 2728 ssrtln (c3ffd65abfb6441e7606cf74f1155273) C:\WINDOWS\system32\drivers\ssrtln.sys
2011/02/16 15:42:40.0867 2728 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/02/16 15:42:42.0117 2728 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/02/16 15:42:43.0835 2728 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/02/16 15:42:45.0929 2728 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/02/16 15:42:47.0132 2728 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/02/16 15:42:47.0976 2728 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/02/16 15:42:48.0695 2728 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/02/16 15:42:49.0757 2728 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/02/16 15:42:50.0945 2728 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/02/16 15:42:51.0867 2728 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/02/16 15:42:53.0023 2728 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/02/16 15:42:54.0148 2728 tfsnboio (1d265cd2fb1673a0873bf8cec19ddc7f) C:\WINDOWS\system32\dla\tfsnboio.sys
2011/02/16 15:42:55.0648 2728 tfsncofs (62e4901295e0467cac78e5b4b131ae5c) C:\WINDOWS\system32\dla\tfsncofs.sys
2011/02/16 15:42:57.0148 2728 tfsndrct (a2f380f9252ab3464c859adf91eead9c) C:\WINDOWS\system32\dla\tfsndrct.sys
2011/02/16 15:42:58.0757 2728 tfsndres (eee79bbefe9c6a2a3ce6c8753cfea950) C:\WINDOWS\system32\dla\tfsndres.sys
2011/02/16 15:43:00.0023 2728 tfsnifs (9d644eb11fec9487450c4cfcd63a5df4) C:\WINDOWS\system32\dla\tfsnifs.sys
2011/02/16 15:43:01.0195 2728 tfsnopio (e656af05c67edb7c0e9230a5df71ed1b) C:\WINDOWS\system32\dla\tfsnopio.sys
2011/02/16 15:43:03.0023 2728 tfsnpool (64fccb9cce703ca507dffc3cebf6b2cb) C:\WINDOWS\system32\dla\tfsnpool.sys
2011/02/16 15:43:04.0242 2728 tfsnudf (48bc9d8ab4e4b9bff70fb18e55cec3d6) C:\WINDOWS\system32\dla\tfsnudf.sys
2011/02/16 15:43:05.0273 2728 tfsnudfa (79f60822224256b49bfc855da8d651d5) C:\WINDOWS\system32\dla\tfsnudfa.sys
2011/02/16 15:43:06.0757 2728 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/02/16 15:43:07.0929 2728 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2011/02/16 15:43:08.0413 2728 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/02/16 15:43:08.0929 2728 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2011/02/16 15:43:09.0507 2728 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/02/16 15:43:09.0960 2728 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/02/16 15:43:10.0507 2728 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/02/16 15:43:11.0038 2728 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/02/16 15:43:11.0617 2728 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/02/16 15:43:12.0367 2728 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/02/16 15:43:12.0976 2728 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/02/16 15:43:13.0788 2728 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/02/16 15:43:14.0226 2728 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/02/16 15:43:14.0773 2728 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/02/16 15:43:15.0117 2728 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/02/16 15:43:15.0507 2728 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/02/16 15:43:16.0085 2728 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2011/02/16 15:43:16.0788 2728 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/02/16 15:43:17.0226 2728 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/02/16 15:43:17.0851 2728 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/02/16 15:43:17.0851 2728 ================================================================================
2011/02/16 15:43:17.0851 2728 Scan finished
2011/02/16 15:43:17.0851 2728 ================================================================================
2011/02/16 15:43:17.0867 2212 Detected object count: 1
2011/02/16 15:43:45.0288 2212 \HardDisk0 - copied to quarantine
2011/02/16 15:43:45.0382 2212 \HardDisk0\TDLFS\cfg.ini - copied to quarantine
2011/02/16 15:43:45.0460 2212 \HardDisk0\TDLFS\mbr - copied to quarantine
2011/02/16 15:43:45.0476 2212 \HardDisk0\TDLFS\bckfg.tmp - copied to quarantine
2011/02/16 15:43:45.0507 2212 \HardDisk0\TDLFS\cmd.dll - copied to quarantine
2011/02/16 15:43:45.0507 2212 \HardDisk0\TDLFS\ldr16 - copied to quarantine
2011/02/16 15:43:45.0538 2212 \HardDisk0\TDLFS\ldr32 - copied to quarantine
2011/02/16 15:43:45.0554 2212 \HardDisk0\TDLFS\ldr64 - copied to quarantine
2011/02/16 15:43:45.0554 2212 \HardDisk0\TDLFS\drv64 - copied to quarantine
2011/02/16 15:43:45.0570 2212 \HardDisk0\TDLFS\cmd64.dll - copied to quarantine
2011/02/16 15:43:45.0570 2212 \HardDisk0\TDLFS\drv32 - copied to quarantine
2011/02/16 15:43:45.0632 2212 \HardDisk0\TDLFS\dkmks.tmp - copied to quarantine
2011/02/16 15:43:45.0632 2212 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Quarantine

rrw1217 · Feb 18, 2011

Hi there,

Sorry to be a pest - was just wondering if I ran theTDSS accurately, and if so, if that step were sufficient, or if more action is needed on the computer. Sounded like there'd be at least one more program to run, didn't want to proceed and screw anything up. Thanks again for all your help!

Bobbye · Feb 20, 2011

You're not a pest- I'm running behind. You did fine with TDSSKiller.

Run Eset NOD32 Online AntiVirus scan HERE

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the Active X control to install

Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.

Click Start

Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked

Click Scan

Wait for the scan to finish

Click on "Copy to Clipboard"> (you won't see the 'clipboard)

Click anywhere in the post where you want the logs to go, the do Ctrl V. The log will be sent from the clipboard and pasted in the post.

Re-enable your Antivirus software.
NOTE: If you forget to copy to the cli[board, you can find the log here:
C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

=========================================
Download Combofix to your desktop from one of these locations:
Link 1
Link 2

Double click combofix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Query- Recovery Console image

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

.Click on Yes, to continue scanning for malware

.If Combofix asks you to update the program, allow

.Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

.Close any open browsers.

.Double click combofix.exe & follow the prompts to run.

When the scan completes it will open a text window. Please paste that log in your next reply.

Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

rrw1217 · Feb 21, 2011

Thank you so much, again - below is the ESET log. It took a bit longer than I planned to run it, so I have to leave for work tonight. Will post the combofix log tomorrow. Sorry to split them up.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=d6fa630e09035f49a51ff1908076b92d
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-02-21 11:36:51
# local_time=2011-02-21 06:36:51 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 25247453 25247453 0 0
# compatibility_mode=1024 16777191 100 0 28434987 28434987 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=72977
# found=9
# cleaned=0
# scan_time=2690
C:\Documents and Settings\Liz\Application Data\Sun\iimsu.dll a variant of Win32/AutoRun.Spy.Ambler.CJ worm (unable to clean) 00000000000000000000000000000000 I
C:\I386\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent.LCKGTSG application (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\16.02.2011_15.40.43\boot0000\tdlfs0000\tsk0003.dta a variant of Win32/Olmarik.ADZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\16.02.2011_15.40.43\boot0000\tdlfs0000\tsk0005.dta Win32/Olmarik.AFK trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\16.02.2011_15.40.43\boot0000\tdlfs0000\tsk0006.dta Win64/Olmarik.AMO trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\16.02.2011_15.40.43\boot0000\tdlfs0000\tsk0007.dta Win64/Olmarik.I trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\16.02.2011_15.40.43\boot0000\tdlfs0000\tsk0008.dta Win64/Olmarik.A trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\16.02.2011_15.40.43\boot0000\tdlfs0000\tsk0009.dta a variant of Win32/Olmarik.ANB trojan (unable to clean) 00000000000000000000000000000000 I
${Memory} a variant of Win32/AutoRun.Spy.Ambler.CJ worm 00000000000000000000000000000000 I

Bobbye · Feb 21, 2011

I believe your system has been compromised and recommend that you do a reformat and reinstall:

This is a description of a Worm that is still active in your system:
Win32/AutoRun.Spy.Ambler.CJ worm
Alert Level>> Severe
Summary
Worm:Win32/Ambler.A is a worm that spreads via networked and removable drives, and attempts to steal sensitive information, such as passwords, from an affected computer.Worm:Win32/Ambler.A attempts to steal sensitive and confidential information from affected users in order to perpetrate fraud.

When run, Worm:Win32/Ambler.A drops several randomly-named files onto the system. These file names vary from one instance of Ambler to the next
Ambler launches the dropped DLL component and registers itself as a BHO. It makes a number of registry modifications in order to facilitate its actions on the affected computer.

Stolen data is sent to a remote attacker. In the wild, Worm:Win32/Ambler.A has been observed to contact testthenewsource.net for this purpose.
This worm attempts to steal stored passwords from the following locations:

Microsoft Outlook Express

Internet Explorer password protected sites(Most information courtesy Microsoft)

MSN Explorer Signup

Internet Explorer auto complete fields

Internet Explorer auto complete passwords

Internet cookies

Passwords stored in pstore.dll

Manual removal is not recommended for this threat. It is also in memory which means that every time you startup, the Worm will launch again

There must be an infected flash drive. A disinfection on that can be attempted. However, it should not be used between computer systems.

You will find excellent reformat/reinstall instructions here:
http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html

rrw1217 · Feb 22, 2011

Wow, thank you for that update - I will do that as soon as I get home. Also, thanks for the link - should I be doing the Repair Install, or the Fresh Install? I was guessing the Repair Install, although the link said that was best for "minor errors," which did not sound like an accurate description for this case.

Finally, for what its worth, we mostly use Mozilla Firefox (I thought exclusively, although can't guarantee that in every user's case). I plan to change all my passwords when done anyway, but just for peace of mind, I am curious if you think it likely that data/passwords could also be stolen from Mozilla via this worm.

Sorry for all of the questions - thanks again for the time and info.

Bobbye · Feb 24, 2011

I think the Fresh Install would be better. As for passwords and Firefox> When you get malware on the system, especially a Worm like this, you should consider that anything on the system might have been compromised and act accordingly. While Firefox is a bit more secure than IE (in my opinion- and I use FF exclusively) when it comes to personal information, including passwords, you should think that those you have stored in Firefox could also be at risk.

rrw1217 · Feb 28, 2011

sorry to bother again - would this be the kind of situation where anything that is backed up on an External hard drive is compromised as well? And if so, to what extent (do I need to buy an entirely new ext. drive, or just have this wiped)?

Sorry for the delay, had to leave town unexpectedly, so have not been on the computer at all - plan to perform the Fresh Install tomorrow morning, and I am wondering what I might lose, and whether or not I should utilize the hard drive to "save" anything, or if I will just be recreating my problem all over again.

Thanks again for all of your advice.

Bobbye · Mar 1, 2011

Attach the external drive like you would a flash drive. Then run this:

[*] Please download Flash_Disinfector.exe by sUBs and save it to your desktop.

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
Note: Some security programs will flag Flash_Disinfector as being some sort of malware, you can safely ignore these warnings

The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.

Wait until it has finished scanning and then exit the program.

Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

TechSpot

[Active] Rootkit issue? Multiple unwanted pop-ups. 8-step logs included

rrw1217 Newcomer, in training

Bobbye Helper on the Fringe

rrw1217 Newcomer, in training

Bobbye Helper on the Fringe

rrw1217 Newcomer, in training

rrw1217 Newcomer, in training

Bobbye Helper on the Fringe

rrw1217 Newcomer, in training

Bobbye Helper on the Fringe

rrw1217 Newcomer, in training

Bobbye Helper on the Fringe

rrw1217 Newcomer, in training

Bobbye Helper on the Fringe