TechSpot

"The maximum number of secrets that may be stored in a single system has exceeded..."

By JimmaWat
Aug 22, 2011
  1. So I've picked up a bit of a doozy of a virus recently. Whenever I would open a program, a message telling me "The maximum number of secrets that may be stored in a single system has exceeded. The length and number of secrets is limited to satisfy United States State Department export restriction." pops up. It also heavily slows down my Firefox when it loads a page that requires Flash, stops any common antivirus programs from being installed, and immediately kills any antivirus program that manages to install and tries to scan anywhere near it, along with rendering the .exe non-reusable. I've also tried process killers, as the offending virus seems to stick out like a sore thumb with its process named in a random string of numbers, but while they tell me the process is killed, it comes right back, and the program can't seem to find the file it originated from. So after exhausting all my amateur virus-busting knowledge, I've decided to turn to more professional help.

    As I stated earlier, all antivirus programs are rendered useless against it, so I couldn't scan with Avira, AVG or MBAM (it seems to have a personal grudge against MBAM, since it denies me access to installing it), so steps 1 and 2 are out. Here are my GMER logs:

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-08-22 22:27:20
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 TOSHIBA_MK2552GSX rev.LV010A
    Running: nley09pc.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwroypod.sys


    ---- System - GMER 1.0.15 ----

    SSDT spnj.sys ZwEnumerateKey [0xB7EC5CA4]
    SSDT spnj.sys ZwEnumerateValueKey [0xB7EC6032]

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A915AEA
    Device \Driver\atapi \Device\Ide\IdePort0 8AAC81F8
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A915AEA
    Device \Driver\atapi \Device\Ide\IdePort1 8AAC81F8
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A915AEA
    Device \Driver\atapi \Device\Ide\IdePort2 8AAC81F8
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A915AEA
    Device \Driver\atapi \Device\Ide\IdePort3 8AAC81F8
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8A915AEA
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 8AAC81F8
    Device \Driver\argdxp2s \Device\Scsi\argdxp2s1 8A617370
    Device \Driver\argdxp2s \Device\Scsi\argdxp2s1Port4Path0Target0Lun0 8A617370
    Device \Driver\JMCR \Device\Scsi\JMCR1 8A8271F8
    Device \Driver\JMCR \Device\Scsi\JMCR2 8A8271F8
    Device \Driver\JMCR \Device\Scsi\JMCR3 8A8271F8
    Device \FileSystem\Ntfs \Ntfs 8AAC71F8

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK2552GSX_______________________LV010A__#5&496c666&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:860] AA43FFC0
    Thread System [4:864] AA43FFC0
    Thread System [4:868] AE7A6105
    Thread System [4:872] AE7A6105

    ---- EOF - GMER 1.0.15 ----

    And my DDS Logs:
    .
    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
    Run by Administrator at 22:29:14 on 2011-08-22
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2555.1748 [GMT -4:00]
    .
    AV: Defense Center *Enabled/Outdated* {28e00e3b-806e-4533-925c-f4c3d79514b9}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\747482349:307458771.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\BisonCam\BisonHK.exe
    C:\WINDOWS\BisonCam\DeLay.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Orbitdownloader\orbitdm.exe
    C:\Program Files\Protector Suite QL\psqltray.exe
    C:\Program Files\Orbitdownloader\orbitnet.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\WINDOWS\System32\svchost.exe -k Akamai
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Windows Live\Contacts\wlcomm.exe
    C:\WINDOWS\system32\dwwin.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
    C:\EVEREST.Ultimate.Edition.5.30.1954.Beta\everestultimate_build_1954\everest.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://search.orbitdownloader.com/
    uInternet Settings,ProxyServer = http=106.230
    BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [GateWay] c:\documents and settings\administrator\GateWayMain.exe
    uRun: [AdobeBridge]
    uRun: [Easy-Hide-IP] c:\program files\easy-hide-ip\easy-hide-ip.exe
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [BisonHK] c:\windows\bisoncam\BisonHK.exe
    mRun: [DeLay] c:\windows\bisoncam\DeLay.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
    mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
    mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
    mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRunServices: [QuickTimePictureViewer] c:\program files\quicktime alternative\pictureviewer.resources\it.lproj\quicktimequicktime7.6.51327.79.exe
    mRunServices: [QuickTimeQuickTimeResources] c:\program files\quicktime alternative\propertypanels\panelhelperbase.resources\de.lproj\quicktimequicktimeresources7.6.41327.58.exe
    mRunServices: [PictureViewerQuickTime] c:\program files\quicktime alternative\pictureviewer.resources\it.lproj\quicktimequicktime7.6.51327.79.exe
    mRunServices: [StudioMSDIA80] c:\program files\common files\microsoft shared\vc\studiomicrosoft.exe
    mRunServices: [AUTHMGRSMPLFSYS] c:\program files\adobe\adobe premiere pro cs3\helix\bin\plugins\realmediasimple.exe
    StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\shortc~1.lnk - c:\documents and settings\administrator\desktop\bypass\kevin.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
    IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    LSP: mswsock.dll
    DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
    DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: psfus - c:\windows\system32\psqlpwd.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    LSA: Notification Packages = scecli psqlpwd
    mASetup: {0FDEABD1-E3FE-3DDE-FAE8-CADCD636FFB5} - c:\documents and settings\administrator\application data\svchost.exe
    IFEO: image file execution options - svchost.exe
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\z1748ax6.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101027100&s=
    FF - prefs.js: network.proxy.ftp - 109.230.216.23
    FF - prefs.js: network.proxy.ftp_port - 1080
    FF - prefs.js: network.proxy.http - 109.230.216.23
    FF - prefs.js: network.proxy.http_port - 1080
    FF - prefs.js: network.proxy.socks - 109.230.216.23
    FF - prefs.js: network.proxy.socks_port - 1080
    FF - prefs.js: network.proxy.ssl - 109.230.216.23
    FF - prefs.js: network.proxy.ssl_port - 1080
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll
    FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\z1748ax6.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
    FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.3.21.65\npGoogleUpdate3.dll
    FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
    FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
    FF - plugin: c:\program files\microsoft silverlight\3.0.40624.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - plugin: c:\windows\system32\npOGPPlugin.dll
    FF - plugin: c:\windows\system32\npptools.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    ============= SERVICES / DRIVERS ===============
    .
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-3 14336]
    R2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [2011-3-22 2304]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-1 24652]
    R3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\everest.ultimate.edition.5.30.1954.beta\everestultimate_build_1954\kerneld.wnt [2010-8-30 27760]
    R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-10-1 84240]
    R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\131.tmp --> c:\windows\system32\131.tmp [?]
    R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [2009-12-23 17792]
    S0 boci;boci;c:\windows\system32\drivers\sdvhwiu.sys --> c:\windows\system32\drivers\sdvhwiu.sys [?]
    S0 dygygdv;dygygdv;c:\windows\system32\drivers\cihytg.sys --> c:\windows\system32\drivers\cihytg.sys [?]
    S0 wzrwo;wzrwo; [x]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-6 135664]
    S2 HDD & SSD access service;HDD & SSD access service;"c:\program files\common files\binarysense\disksvc.exe" --> c:\program files\common files\binarysense\disksvc.exe [?]
    S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
    S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-6-6 135664]
    S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [2010-4-1 133632]
    S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [2010-4-1 79360]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-8-31 18688]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-8-31 8320]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-8-31 42112]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S3 XDva285;XDva285;\??\c:\windows\system32\xdva285.sys --> c:\windows\system32\XDva285.sys [?]
    S3 XDva296;XDva296;\??\c:\windows\system32\xdva296.sys --> c:\windows\system32\XDva296.sys [?]
    S3 XDva326;XDva326;\??\c:\windows\system32\xdva326.sys --> c:\windows\system32\XDva326.sys [?]
    S3 XDva328;XDva328;\??\c:\windows\system32\xdva328.sys --> c:\windows\system32\XDva328.sys [?]
    S3 XDva332;XDva332;\??\c:\windows\system32\xdva332.sys --> c:\windows\system32\XDva332.sys [?]
    S3 XDva337;XDva337;\??\c:\windows\system32\xdva337.sys --> c:\windows\system32\XDva337.sys [?]
    S3 XDva341;XDva341;\??\c:\windows\system32\xdva341.sys --> c:\windows\system32\XDva341.sys [?]
    S3 XDva343;XDva343;\??\c:\windows\system32\xdva343.sys --> c:\windows\system32\XDva343.sys [?]
    S3 XDva346;XDva346;\??\c:\windows\system32\xdva346.sys --> c:\windows\system32\XDva346.sys [?]
    S3 XDva347;XDva347;\??\c:\windows\system32\xdva347.sys --> c:\windows\system32\XDva347.sys [?]
    S3 XDva349;XDva349;\??\c:\windows\system32\xdva349.sys --> c:\windows\system32\XDva349.sys [?]
    S3 XDva351;XDva351;\??\c:\windows\system32\xdva351.sys --> c:\windows\system32\XDva351.sys [?]
    S3 XDva352;XDva352;\??\c:\windows\system32\xdva352.sys --> c:\windows\system32\XDva352.sys [?]
    S3 XDva354;XDva354;\??\c:\windows\system32\xdva354.sys --> c:\windows\system32\XDva354.sys [?]
    S3 XDva358;XDva358;\??\c:\windows\system32\xdva358.sys --> c:\windows\system32\XDva358.sys [?]
    S3 XDva359;XDva359;\??\c:\windows\system32\xdva359.sys --> c:\windows\system32\XDva359.sys [?]
    S3 XDva362;XDva362;\??\c:\windows\system32\xdva362.sys --> c:\windows\system32\XDva362.sys [?]
    S3 XDva370;XDva370;\??\c:\windows\system32\xdva370.sys --> c:\windows\system32\XDva370.sys [?]
    S3 XDva375;XDva375;\??\c:\windows\system32\xdva375.sys --> c:\windows\system32\XDva375.sys [?]
    S3 XDva380;XDva380;\??\c:\windows\system32\xdva380.sys --> c:\windows\system32\XDva380.sys [?]
    S3 XDva383;XDva383;\??\c:\windows\system32\xdva383.sys --> c:\windows\system32\XDva383.sys [?]
    S3 XDva385;XDva385;\??\c:\windows\system32\xdva385.sys --> c:\windows\system32\XDva385.sys [?]
    S3 XDva386;XDva386;\??\c:\windows\system32\xdva386.sys --> c:\windows\system32\XDva386.sys [?]
    S3 XDva387;XDva387;\??\c:\windows\system32\xdva387.sys --> c:\windows\system32\XDva387.sys [?]
    S3 XDva388;XDva388;\??\c:\windows\system32\xdva388.sys --> c:\windows\system32\XDva388.sys [?]
    S3 XDva389;XDva389;\??\c:\windows\system32\xdva389.sys --> c:\windows\system32\XDva389.sys [?]
    S4 dwrfa;dwrfa;c:\windows\system32\drivers\cpma.sys [2010-7-10 54016]
    S4 fqlpjiyc;fqlpjiyc;c:\windows\system32\drivers\htubn.sys [2010-7-9 54016]
    S4 kwaxi;kwaxi;c:\windows\system32\drivers\vldso.sys [2010-7-9 54016]
    S4 nepo;nepo;c:\windows\system32\drivers\dbxd.sys [2010-7-9 54016]
    S4 nscb;nscb;c:\windows\system32\drivers\xiip.sys [2010-6-13 54016]
    S4 sajy;sajy;c:\windows\system32\drivers\snba.sys [2010-6-13 54016]
    .
    =============== Created Last 30 ================
    .
    2073-04-13 21:17:26 203576 ---h--w- c:\program files\microsoft games\age of empires iii\autopatcher2.exe
    2011-08-23 02:02:27 -------- d-----w- c:\program files\Avira
    2011-08-23 02:02:27 -------- d-----w- c:\documents and settings\all users\application data\Avira
    2011-08-22 17:59:51 -------- d-----w- c:\program files\Virus Secure Lab
    2011-08-18 21:45:32 -------- d-----w- c:\program files\Sophos
    2011-08-18 04:28:30 -------- d-----w- c:\program files\Foxit Software
    2011-08-18 03:07:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-08-18 03:07:16 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
    2011-08-18 02:46:24 -------- d-----w- c:\documents and settings\administrator\application data\SUPERAntiSpyware.com
    2011-08-18 02:46:00 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-08-18 02:46:00 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
    2011-08-18 01:00:08 -------- d-----w- c:\documents and settings\administrator\application data\QuickScan
    2011-08-18 00:30:51 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
    2011-08-18 00:30:45 -------- d-----w- c:\documents and settings\all users\application data\MFAData
    2011-08-18 00:17:57 331776 ----a-w- c:\windows\system32\EasyRedirect.dll
    2011-08-18 00:17:55 -------- d-----w- c:\program files\Easy-Hide-IP
    2011-08-17 16:37:25 -------- d-----w- C:\CherryDeGames
    2011-08-11 18:00:58 -------- d-----w- c:\program files\InterActual
    2011-08-07 23:13:27 -------- d-----w- c:\program files\PCSX2 0.9.8
    .
    ==================== Find3M ====================
    .
    2011-08-16 18:05:40 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-09 21:16:08 141200 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2011-06-09 21:15:50 281656 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2011-06-09 21:15:50 281656 ----a-w- c:\windows\system32\PnkBstrB.exe
    2011-06-09 20:34:07 281656 ----a-w- c:\windows\system32\PnkBstrB.ex0
    2011-06-08 09:07:51 201728 ----a-w- C:\zYan_ID_Changer.dll
    2011-06-07 23:49:07 138056 ----a-w- c:\documents and settings\administrator\application data\PnkBstrK.sys
    2011-06-07 23:48:46 90112 ----a-w- c:\windows\system32\PnkBstrA.exe
    2011-06-02 07:36:15 27648 ----a-w- C:\zYan_X.dll
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: TOSHIBA_MK2552GSX rev.LV010A -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xAE7A5660]<<
    _asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
    1 ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\Harddisk0\DR0[0x8A90BAB8]
    3 CLASSPNP[0xB810905B] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x8A7624D8]
    \Driver\00002509[0x8A6B9B10] -> IRP_MJ_CREATE -> 0xAE7A5660
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK2552GSX_______________________LV010A__#5&496c666&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A915AEA
    \Driver\atapi -> 0x8aac81f8
    user & kernel MBR OK
    sectors 488397166 (+255): user != kernel
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 22:30:44.54 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 10/1/2008 9:48:06 PM
    System Uptime: 8/18/2011 6:57:26 PM (100 hours ago)
    .
    Motherboard: CLEVO CO. | | M860TU
    Processor: Intel Pentium III processor | U22 | 2394/mhz
    Processor: Intel Pentium III processor | U22 | 2393/mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 151 GiB total, 14.831 GiB free.
    D: is FIXED (NTFS) - 82 GiB total, 1.902 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\90F5145890A033
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\90F5145890A033
    Service: NIC1394
    .
    Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
    Description: iPod touch
    Device ID: ROOT\{140FD12F-CBAE-408D-9942-F919A7CB22CC}\0000
    Manufacturer: Apple
    Name: iPod touch
    PNP Device ID: ROOT\{140FD12F-CBAE-408D-9942-F919A7CB22CC}\0000
    Service: WUDFRd
    .
    ==== System Restore Points ===================
    .
    RP326: 7/13/2011 12:04:17 AM - System Checkpoint
    RP327: 7/13/2011 3:54:07 PM - Removed Google Talk Plugin
    RP328: 7/18/2011 4:00:56 AM - System Checkpoint
    RP329: 7/19/2011 4:43:12 AM - System Checkpoint
    RP330: 7/20/2011 5:13:55 AM - System Checkpoint
    RP331: 7/20/2011 9:42:53 AM - Installed Windows XP KB917021.
    RP332: 7/21/2011 10:26:28 AM - System Checkpoint
    RP333: 7/24/2011 5:48:53 AM - System Checkpoint
    RP334: 7/25/2011 6:31:14 AM - System Checkpoint
    RP335: 7/26/2011 7:33:19 AM - System Checkpoint
    RP336: 7/27/2011 8:12:09 AM - System Checkpoint
    RP337: 7/28/2011 8:41:25 AM - System Checkpoint
    RP338: 7/29/2011 8:53:07 AM - System Checkpoint
    RP339: 7/30/2011 9:53:05 AM - System Checkpoint
    RP340: 7/31/2011 12:08:33 PM - System Checkpoint
    RP341: 8/1/2011 6:07:00 PM - System Checkpoint
    RP342: 8/2/2011 9:24:32 PM - System Checkpoint
    RP343: 8/5/2011 4:42:12 AM - System Checkpoint
    RP344: 8/6/2011 4:46:15 AM - System Checkpoint
    RP345: 8/7/2011 4:49:33 AM - System Checkpoint
    RP346: 8/8/2011 5:07:59 AM - System Checkpoint
    RP347: 8/8/2011 8:14:00 PM - Removed Assassin's Creed II
    RP348: 8/10/2011 9:58:09 PM - System Checkpoint
    RP349: 8/12/2011 4:32:19 AM - System Checkpoint
    RP350: 8/14/2011 12:08:18 AM - System Checkpoint
    RP351: 8/16/2011 12:14:08 AM - System Checkpoint
    RP352: 8/16/2011 7:48:40 PM - Removed Google Talk Plugin
    RP353: 8/17/2011 12:37:24 PM - Installed Dragon Nest SEA
    RP354: 8/19/2011 6:32:39 AM - System Checkpoint
    RP355: 8/20/2011 7:20:36 AM - System Checkpoint
    RP356: 8/21/2011 8:20:39 AM - System Checkpoint
    RP357: 8/22/2011 2:15:34 PM - Removed Dragon Nest SEA
    .
    ==== Installed Programs ======================
    .
    3ivx MPEG-4 5.0.3 (remove only)
    7-Zip 4.65
    Acrobat.com
    Adobe AIR
    Adobe Anchor Service CS3
    Adobe Anchor Service CS4
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge CS4
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps CS4
    Adobe Color EU Extra Settings CS4
    Adobe Color JA Extra Settings CS4
    Adobe Color NA Recommended Settings CS4
    Adobe Color Video Profiles CS CS4
    Adobe Community Help
    Adobe CSI CS4
    Adobe Default Language CS4
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe ExtendScript Toolkit CS4
    Adobe Extension Manager CS4
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Illustrator CS4
    Adobe Linguistics CS3
    Adobe Linguistics CS4
    Adobe Media Player
    Adobe Output Module
    Adobe PDF Library Files CS4
    Adobe Photoshop CS5
    Adobe Photoshop Lightroom 2.6.1
    Adobe Premiere Pro CS3
    Adobe Premiere Pro CS3 Functional Content
    Adobe Premiere Pro CS3 Third Party Content
    Adobe Reader 9.4.0
    Adobe Search for Help
    Adobe Service Manager Extension
    Adobe Setup
    Adobe Shockwave Player 11.5
    Adobe Type Support CS4
    Adobe Update Manager CS3
    Adobe Update Manager CS4
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP DVA Panels CS3
    Adobe XMP Panels CS3
    Adobe XMP Panels CS4
    AdobeColorCommonSetCMYK
    AdobeColorCommonSetRGB
    Advertising Center
    Age of Empires III
    Age of Empires III - The Asian Dynasties
    Aimersoft MKV Converter(Build 2.0.2.13)
    Akamai NetSession Interface
    AoA Audio Extractor
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Applian FLV Player
    Azureus
    Bandisoft MPEG-1 Decoder
    Belarc Advisor 8.1
    BisonCam
    Bonjour
    Compatibility Pack for the 2007 Office system
    Connect
    DAEMON Tools Toolbar
    DiskAid 3.1
    DivX Converter
    DivX Plus DirectShow Filters
    DivX Setup
    DivX Version Checker
    DolbyFiles
    DragonNest
    Duke Nukem Forever
    Elsword version 1.00
    EphPod
    ESET Online Scanner v3
    EVEREST Home Edition v2.20
    Express Burn
    Foxit Reader 5.0
    Free Natural Text to Speech Reader 2008
    Free Sound Recorder
    Freez FLV to MP3 Converter
    GamersFirst LIVE!
    Gateway
    Google Chrome
    Google Talk Plugin
    Google Update Helper
    High Definition Audio Driver Package - KB888111
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB917021)
    Hotfix for Windows XP (KB926239)
    Hotfix for Windows XP (KB935448)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    ImagXpress
    ips XP 1.11.2600
    IrfanView (remove only)
    iTunes
    Java(TM) 6 Update 14
    Java(TM) 6 Update 7
    JMicron JMB38X Flash Media Controller
    K-Lite Codec Pack 4.1.7 (Full)
    kuler
    League of Legends
    Mabinogi
    Menu Templates - Starter Kit
    Metal Assault
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Office XP Professional with FrontPage
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.7
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    Motorola Driver Installation 3.7.0
    Motorola SM56 Data Fax Modem
    Movie Templates - Starter Kit
    Mozilla Firefox 4.0 (x86 en-US)
    MP3 Converter Simple
    MSN
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    Nero 9 Trial
    Nero BurnRights
    Nero ControlCenter
    Nero CoverDesigner
    Nero DiscSpeed
    Nero DriveSpeed
    Nero InfoTool
    Nero Installer
    Nero PhotoSnap
    Nero Recode
    Nero Rescue Agent
    Nero ShowTime
    Nero StartSmart
    Nero Vision
    Nero WaveEditor
    NeroBurningROM
    NeroExpress
    neroxml
    Nexon Game Manager
    NJStar Communicator
    NVIDIA Drivers
    NVIDIA nView Desktop Manager
    NVIDIA PhysX
    Orbit Downloader
    Pando Media Booster
    PCSX2 - Playstation 2 Emulator
    Pcsx2 0.9.6
    PDF Settings CS4
    PDF Settings CS5
    Photoshop Camera Raw
    Pixillion Image Converter
    Protector Suite QL 5.6
    PSP ISO Compressor
    QuickTime
    QuickTime Alternative 2.8.0
    Ragnarok Online
    Real Alternative 1.9.0
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    Realtek High Definition Audio Driver
    RegCure
    S4 League_EU
    Security Task Manager 1.8d
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB901190)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB944338-v2)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971032)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981350)
    Security Update for Windows XP (KB982381)
    Segoe UI
    Skype Toolbars
    Skype™ 4.2
    SoundTrax
    Suite Shared Configuration CS4
    SUPERAntiSpyware
    Switch Sound File Converter
    Synaptics Pointing Device Driver
    System Requirements Lab
    The Core Media Player 4.0
    Ubisoft Game Launcher
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB978207)
    Update for Windows XP (KB980182)
    VC80CRTRedist - 8.0.50727.4053
    Ventrilo Client
    Viewpoint Media Player
    Virus Effect Remover©
    VLC media player 1.1.0
    WebFldrs XP
    WinAVI MP4 Converter
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Hotfix - KB885884
    WinRAR archiver
    WinSCP 4.2.8
    Xilisoft iPod Rip
    Yahoo! Messenger
    .
    ==== Event Viewer Messages From Past Week ========
    .
    8/16/2011 1:05:56 PM, error: Dhcp [1002] - The IP address lease 192.168.1.69 for the Network Card with network address 0016EA5FCAC4 has been denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).
    8/16/2011 1:05:47 PM, error: Dhcp [1002] - The IP address lease 129.133.127.105 for the Network Card with network address 0090F58B2C33 has been denied by the DHCP server 129.133.1.5 (The DHCP Server sent a DHCPNACK message).
    8/15/2011 10:32:39 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0016EA5FCAC4. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    8/15/2011 10:31:30 PM, error: Dhcp [1002] - The IP address lease 129.133.210.213 for the Network Card with network address 0016EA5FCAC4 has been denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================

    Thank you for your help.
     
  2. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===============================================================

    Download TDSSKiller and save it to your desktop.
    • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
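As an added example (it is not part of this thread and not TDSSKiller's own code) of how a helper can triage the report requested above: the script below parses TDSSKiller output in the line layout JimmaWat posts in the next reply, lists the explicit "detected" verdicts and "Forged" files (two differing hashes for one path), and groups drivers that share a single MD5 under different service and file names, which is what the six random-named entries in that report have in common. The sample lines are copied from that report and trimmed; the regular expressions assume the line layout shown there and nothing else.

```python
"""Triage a TDSSKiller report: explicit detections, forged files, and drivers
that share one hash under different service and file names."""
import re
from collections import defaultdict

# Normal per-driver line: "<date> <time> <thread> <service> (<md5>) <path>"
ENTRY_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+"
    r"(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$"
)
# Verdict line: "<date> <time> <thread> <service> - detected <verdict> (<n>)"
DETECT_RE = re.compile(r"^\S+ \S+ \d+ (?P<name>\S+) - detected (?P<verdict>\S+)")
# "Suspicious file (Forged|NoAccess): <path>. [Real ]md5: <md5>[, Fake md5: <md5>]"
SUSPECT_RE = re.compile(
    r"Suspicious file \((?P<kind>\w+)\): (?P<path>.+?)\. (?:Real )?md5: "
    r"(?P<md5>[0-9a-f]{32})(?:, Fake md5: (?P<fake>[0-9a-f]{32}))?"
)

# Lines copied from the TDSSKiller report posted in this thread, trimmed to a
# handful of clean drivers plus every line that matters for triage.
SAMPLE_REPORT = r"""
2011/08/22 23:49:31.0953 2348 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/08/22 23:49:34.0109 2348 dwrfa (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\cpma.sys
2011/08/22 23:49:34.0640 2348 fqlpjiyc (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\htubn.sys
2011/08/22 23:49:36.0359 2348 isapnp (786b56d76f27f0117d1d51182078f623) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/08/22 23:49:36.0359 2348 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\isapnp.sys. Real md5: 786b56d76f27f0117d1d51182078f623, Fake md5: 1837a75fc44e6deb430f4e90b4dfb15a
2011/08/22 23:49:36.0359 2348 isapnp - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/08/22 23:49:36.0937 2348 kwaxi (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\vldso.sys
2011/08/22 23:49:39.0015 2348 nepo (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\dbxd.sys
2011/08/22 23:49:39.0765 2348 nscb (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\xiip.sys
2011/08/22 23:49:40.0062 2348 nv (8d43a34dacd260bf70fcc95e45b69456) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/08/22 23:49:40.0359 2348 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\nv4_mini.sys. Real md5: 8d43a34dacd260bf70fcc95e45b69456, Fake md5: ed9816dbaf6689542ea7d022631906a1
2011/08/22 23:49:40.0390 2348 nv - detected ForgedFile.Multi.Generic (1)
2011/08/22 23:49:42.0046 2348 sajy (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\snba.sys
2011/08/22 23:49:43.0093 2348 sptd (d15da1ba189770d93eea2d7e18f95af9) C:\WINDOWS\system32\Drivers\sptd.sys
2011/08/22 23:49:43.0093 2348 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
2011/08/22 23:49:43.0093 2348 sptd - detected LockedFile.Multi.Generic (1)
2011/08/22 23:49:43.0812 2348 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
"""


def parse_report(text):
    """Split a pasted report into driver entries, verdict lines and suspect lines."""
    drivers, detections, suspects = [], [], []
    for raw in text.splitlines():
        line = raw.strip()  # forum pastes usually carry leading indentation
        if m := ENTRY_RE.match(line):
            drivers.append(m.groupdict())
        elif m := DETECT_RE.match(line):
            detections.append(m.groupdict())
        elif m := SUSPECT_RE.search(line):
            suspects.append(m.groupdict())
    return {"drivers": drivers, "detections": detections, "suspects": suspects}


def shared_hash_clusters(drivers, min_paths=2):
    """Group entries by MD5 and keep hashes that back at least min_paths distinct files.
    One payload registered under several random service and file names shows up
    here even when the scanner itself printed no verdict for those entries."""
    by_md5 = defaultdict(list)
    for d in drivers:
        by_md5[d["md5"].lower()].append(d)
    return {
        md5: entries
        for md5, entries in by_md5.items()
        if len({e["path"].lower() for e in entries}) >= min_paths
    }


def triage(text):
    """Return (category, subject, detail) tuples that deserve a human look."""
    report = parse_report(text)
    findings = [("detected", d["name"], d["verdict"]) for d in report["detections"]]
    for s in report["suspects"]:
        if s["fake"]:  # Forged: the scanner saw two different hashes for one path
            findings.append(("forged", s["path"], f"real={s['md5']} fake={s['fake']}"))
    for md5, entries in shared_hash_clusters(report["drivers"]).items():
        findings.append(("shared-hash", md5, sorted(e["name"] for e in entries)))
    return findings


if __name__ == "__main__":
    for category, subject, detail in triage(SAMPLE_REPORT):
        print(f"{category:12} {subject}  {detail}")
```

The shared-hash check is the part worth keeping in a helper's toolkit: the scanner only flags isapnp, nv and sptd, while the six entries that share e6d35f3aa51a65eb35c1f2340154a25e carry no verdict at all and are only visible once entries are grouped by hash rather than read line by line.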
     
  3. JimmaWat

    JimmaWat TS Rookie Topic Starter Posts: 42

    Sorry for being a bit late on replying. I would've posted much sooner but my internet decided to stop connecting after the reset TDSSKiller asked me to do. I'm getting the logs through by a USB Drive and another computer now.

    Here is the log:

    2011/08/22 23:49:17.0984 0820 TDSS rootkit removing tool 2.5.16.0 Aug 19 2011 17:48:17
    2011/08/22 23:49:18.0281 0820 ================================================================================
    2011/08/22 23:49:18.0281 0820 SystemInfo:
    2011/08/22 23:49:18.0281 0820
    2011/08/22 23:49:18.0281 0820 OS Version: 5.1.2600 ServicePack: 2.0
    2011/08/22 23:49:18.0281 0820 Product type: Workstation
    2011/08/22 23:49:18.0281 0820 ComputerName: JIMMAWAT
    2011/08/22 23:49:18.0281 0820 UserName: Administrator
    2011/08/22 23:49:18.0281 0820 Windows directory: C:\WINDOWS
    2011/08/22 23:49:18.0281 0820 System windows directory: C:\WINDOWS
    2011/08/22 23:49:18.0281 0820 Processor architecture: Intel x86
    2011/08/22 23:49:18.0281 0820 Number of processors: 2
    2011/08/22 23:49:18.0281 0820 Page size: 0x1000
    2011/08/22 23:49:18.0281 0820 Boot type: Normal boot
    2011/08/22 23:49:18.0281 0820 ================================================================================
    2011/08/22 23:49:19.0890 0820 Initialize success
    2011/08/22 23:49:30.0609 2348 ================================================================================
    2011/08/22 23:49:30.0609 2348 Scan started
    2011/08/22 23:49:30.0609 2348 Mode: Manual;
    2011/08/22 23:49:30.0609 2348 ================================================================================
    2011/08/22 23:49:31.0953 2348 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/08/22 23:49:32.0000 2348 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
    2011/08/22 23:49:32.0062 2348 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
    2011/08/22 23:49:32.0171 2348 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
    2011/08/22 23:49:32.0328 2348 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2011/08/22 23:49:32.0406 2348 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/08/22 23:49:32.0453 2348 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/08/22 23:49:32.0515 2348 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/08/22 23:49:32.0625 2348 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/08/22 23:49:32.0703 2348 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
    2011/08/22 23:49:32.0734 2348 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/08/22 23:49:32.0781 2348 BthEnum (d24b8d1784c68a25060fffbe8ed34b76) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
    2011/08/22 23:49:32.0828 2348 BthPan (10355270be12641b9764235da39dcf0f) C:\WINDOWS\system32\DRIVERS\bthpan.sys
    2011/08/22 23:49:32.0875 2348 BTHPORT (95ef6f3f386d93ee1e4d9ca45a50252a) C:\WINDOWS\system32\Drivers\BTHport.sys
    2011/08/22 23:49:33.0000 2348 BTHUSB (f06d4cb9918b462a84d9ac00027efc30) C:\WINDOWS\system32\Drivers\BTHUSB.sys
    2011/08/22 23:49:33.0062 2348 Cam5607 (ce9f13675fdc354f16962dffecec3041) C:\WINDOWS\system32\Drivers\BisonC07.sys
    2011/08/22 23:49:33.0156 2348 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/08/22 23:49:33.0281 2348 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2011/08/22 23:49:33.0343 2348 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/08/22 23:49:33.0406 2348 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/08/22 23:49:33.0453 2348 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/08/22 23:49:33.0515 2348 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2011/08/22 23:49:33.0625 2348 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2011/08/22 23:49:33.0687 2348 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/08/22 23:49:33.0734 2348 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/08/22 23:49:33.0812 2348 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
    2011/08/22 23:49:33.0906 2348 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/08/22 23:49:33.0953 2348 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/08/22 23:49:34.0046 2348 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/08/22 23:49:34.0109 2348 dwrfa (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\cpma.sys
    2011/08/22 23:49:34.0234 2348 EverestDriver (6e19f0a386eb53147df1f70da0850306) C:\EVEREST.Ultimate.Edition.5.30.1954.Beta\everestultimate_build_1954\kerneld.wnt
    2011/08/22 23:49:34.0375 2348 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/08/22 23:49:34.0421 2348 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
    2011/08/22 23:49:34.0484 2348 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
    2011/08/22 23:49:34.0546 2348 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2011/08/22 23:49:34.0593 2348 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    2011/08/22 23:49:34.0640 2348 fqlpjiyc (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\htubn.sys
    2011/08/22 23:49:34.0734 2348 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/08/22 23:49:34.0765 2348 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/08/22 23:49:34.0781 2348 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    2011/08/22 23:49:34.0859 2348 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/08/22 23:49:34.0921 2348 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/08/22 23:49:35.0046 2348 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/08/22 23:49:35.0109 2348 Htsysm (57bd2878b475f530a9cf965c785c74a3) C:\WINDOWS\system32\HtsysmNT.sys
    2011/08/22 23:49:35.0218 2348 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/08/22 23:49:35.0312 2348 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/08/22 23:49:35.0437 2348 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/08/22 23:49:35.0640 2348 IntcAzAudAddService (b2957d6c1226f029230dac2c46d34286) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2011/08/22 23:49:35.0953 2348 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/08/22 23:49:35.0984 2348 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    2011/08/22 23:49:36.0015 2348 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/08/22 23:49:36.0031 2348 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/08/22 23:49:36.0062 2348 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/08/22 23:49:36.0265 2348 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/08/22 23:49:36.0312 2348 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/08/22 23:49:36.0359 2348 isapnp (786b56d76f27f0117d1d51182078f623) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/08/22 23:49:36.0359 2348 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\isapnp.sys. Real md5: 786b56d76f27f0117d1d51182078f623, Fake md5: 1837a75fc44e6deb430f4e90b4dfb15a
    2011/08/22 23:49:36.0359 2348 isapnp - detected Rootkit.Win32.TDSS.tdl3 (0)
    2011/08/22 23:49:36.0421 2348 JMCR (dedb6cc1b166928a8f3f68def1766db0) C:\WINDOWS\system32\DRIVERS\jmcr.sys
    2011/08/22 23:49:36.0578 2348 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/08/22 23:49:36.0656 2348 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2011/08/22 23:49:36.0734 2348 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/08/22 23:49:36.0796 2348 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/08/22 23:49:36.0937 2348 kwaxi (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\vldso.sys
    2011/08/22 23:49:37.0078 2348 Mkd2kfNt (6f4d79ea861137ef2f9078e265c2aa83) C:\WINDOWS\system32\drivers\Mkd2kfNt.sys
    2011/08/22 23:49:37.0109 2348 Mkd2Nadr (fe7925784f6801e983b41ec118ef62ac) C:\WINDOWS\system32\drivers\Mkd2Nadr.sys
    2011/08/22 23:49:37.0156 2348 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/08/22 23:49:37.0328 2348 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
    2011/08/22 23:49:37.0406 2348 motccgp (201bfc4ef8b33d02d133fbf6535e515b) C:\WINDOWS\system32\DRIVERS\motccgp.sys
    2011/08/22 23:49:37.0437 2348 motccgpfl (d0242a3832eb7c97801bb25889561e23) C:\WINDOWS\system32\DRIVERS\motccgpfl.sys
    2011/08/22 23:49:37.0468 2348 MotDev (80bda4ac4b2834ca522b7386fc1f6a20) C:\WINDOWS\system32\DRIVERS\motodrv.sys
    2011/08/22 23:49:37.0640 2348 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
    2011/08/22 23:49:37.0687 2348 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/08/22 23:49:37.0781 2348 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/08/22 23:49:37.0875 2348 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/08/22 23:49:37.0906 2348 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/08/22 23:49:37.0984 2348 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/08/22 23:49:38.0046 2348 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/08/22 23:49:38.0156 2348 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/08/22 23:49:38.0203 2348 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/08/22 23:49:38.0250 2348 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/08/22 23:49:38.0296 2348 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/08/22 23:49:38.0328 2348 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
    2011/08/22 23:49:38.0406 2348 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/08/22 23:49:38.0609 2348 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2011/08/22 23:49:38.0640 2348 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/08/22 23:49:38.0687 2348 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2011/08/22 23:49:38.0781 2348 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/08/22 23:49:38.0828 2348 Ndisuio (5146c3d286e66c72328f6ce6e4d983a8) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/08/22 23:49:38.0937 2348 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/08/22 23:49:38.0953 2348 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/08/22 23:49:39.0015 2348 nepo (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\dbxd.sys
    2011/08/22 23:49:39.0093 2348 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/08/22 23:49:39.0281 2348 NETw5x32 (0888844230083ce3b47395102bca8207) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
    2011/08/22 23:49:39.0578 2348 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2011/08/22 23:49:39.0625 2348 nm (60cf8c7192b3614f240838ddbaa4a245) C:\WINDOWS\system32\DRIVERS\NMnt.sys
    2011/08/22 23:49:39.0671 2348 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/08/22 23:49:39.0765 2348 nscb (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\xiip.sys
    2011/08/22 23:49:39.0937 2348 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/08/22 23:49:40.0000 2348 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/08/22 23:49:40.0062 2348 nv (8d43a34dacd260bf70fcc95e45b69456) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2011/08/22 23:49:40.0359 2348 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\nv4_mini.sys. Real md5: 8d43a34dacd260bf70fcc95e45b69456, Fake md5: ed9816dbaf6689542ea7d022631906a1
    2011/08/22 23:49:40.0390 2348 nv - detected ForgedFile.Multi.Generic (1)
    2011/08/22 23:49:40.0546 2348 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/08/22 23:49:40.0578 2348 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/08/22 23:49:40.0640 2348 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2011/08/22 23:49:40.0687 2348 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
    2011/08/22 23:49:40.0734 2348 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/08/22 23:49:40.0812 2348 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/08/22 23:49:40.0906 2348 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/08/22 23:49:40.0953 2348 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/08/22 23:49:41.0015 2348 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/08/22 23:49:41.0140 2348 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/08/22 23:49:41.0218 2348 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/08/22 23:49:41.0296 2348 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/08/22 23:49:41.0359 2348 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/08/22 23:49:41.0453 2348 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/08/22 23:49:41.0468 2348 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/08/22 23:49:41.0531 2348 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/08/22 23:49:41.0546 2348 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/08/22 23:49:41.0593 2348 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/08/22 23:49:41.0656 2348 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/08/22 23:49:41.0781 2348 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/08/22 23:49:41.0828 2348 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/08/22 23:49:41.0875 2348 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/08/22 23:49:41.0921 2348 RFCOMM (99c4b74981a1413f142a3903130088cb) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
    2011/08/22 23:49:41.0984 2348 RTLE8023xp (cd0afbbd81c30e6a8a92cc1089db1ba0) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
    2011/08/22 23:49:42.0046 2348 sajy (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\snba.sys
    2011/08/22 23:49:42.0218 2348 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    2011/08/22 23:49:42.0234 2348 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    2011/08/22 23:49:42.0406 2348 sdbus (02fc71b020ec8700ee8a46c58bc6f276) C:\WINDOWS\system32\DRIVERS\sdbus.sys
    2011/08/22 23:49:42.0437 2348 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/08/22 23:49:42.0484 2348 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
    2011/08/22 23:49:42.0578 2348 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/08/22 23:49:42.0734 2348 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2011/08/22 23:49:42.0828 2348 smserial (be44ae880e8d22a5615e352c68b278b9) C:\WINDOWS\system32\DRIVERS\smserial.sys
    2011/08/22 23:49:42.0921 2348 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
    2011/08/22 23:49:43.0093 2348 sptd (d15da1ba189770d93eea2d7e18f95af9) C:\WINDOWS\system32\Drivers\sptd.sys
    2011/08/22 23:49:43.0093 2348 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
    2011/08/22 23:49:43.0093 2348 sptd - detected LockedFile.Multi.Generic (1)
    2011/08/22 23:49:43.0125 2348 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/08/22 23:49:43.0187 2348 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/08/22 23:49:43.0281 2348 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2011/08/22 23:49:43.0390 2348 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/08/22 23:49:43.0453 2348 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/08/22 23:49:43.0671 2348 SynTP (d7b9ad3abd0f7f9f694d71f38b5c7b72) C:\WINDOWS\system32\DRIVERS\SynTP.sys
    2011/08/22 23:49:43.0734 2348 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/08/22 23:49:43.0812 2348 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/08/22 23:49:43.0890 2348 TcUsb (53900527fa5e2ccc818c5894383772d1) C:\WINDOWS\system32\Drivers\tcusb.sys
    2011/08/22 23:49:43.0921 2348 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/08/22 23:49:43.0968 2348 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/08/22 23:49:44.0015 2348 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/08/22 23:49:44.0125 2348 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/08/22 23:49:44.0265 2348 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/08/22 23:49:44.0343 2348 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
    2011/08/22 23:49:44.0406 2348 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
    2011/08/22 23:49:44.0468 2348 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/08/22 23:49:44.0593 2348 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/08/22 23:49:44.0640 2348 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/08/22 23:49:44.0703 2348 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/08/22 23:49:44.0781 2348 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/08/22 23:49:44.0859 2348 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/08/22 23:49:44.0906 2348 usbvideo (8968ff3973a883c49e8b564200f565b9) C:\WINDOWS\system32\Drivers\usbvideo.sys
    2011/08/22 23:49:44.0953 2348 VCSVADHWSer (b2abab4ca46bad182e27763dc19c780f) C:\WINDOWS\system32\DRIVERS\vcsvad.sys
    2011/08/22 23:49:45.0046 2348 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
    2011/08/22 23:49:45.0078 2348 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/08/22 23:49:45.0125 2348 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/08/22 23:49:45.0218 2348 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
    2011/08/22 23:49:45.0359 2348 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/08/22 23:49:45.0453 2348 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    2011/08/22 23:49:45.0531 2348 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    2011/08/22 23:49:45.0578 2348 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2011/08/22 23:49:45.0625 2348 WudfPf (6ff66513d372d479ef1810223c8d20ce) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/08/22 23:49:45.0718 2348 WudfRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/08/22 23:49:46.0109 2348 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    2011/08/22 23:49:46.0250 2348 Boot (0x1200) (376cd6a563b68089149b43ac88d519d5) \Device\Harddisk0\DR0\Partition0
    2011/08/22 23:49:46.0281 2348 Boot (0x1200) (43d6dc9dc6c9c8518f76cf3e1dca59ef) \Device\Harddisk0\DR0\Partition1
    2011/08/22 23:49:46.0281 2348 ================================================================================
    2011/08/22 23:49:46.0281 2348 Scan finished
    2011/08/22 23:49:46.0281 2348 ================================================================================
    2011/08/22 23:49:46.0296 4592 Detected object count: 3
    2011/08/22 23:49:46.0296 4592 Actual detected object count: 3
    2011/08/22 23:50:05.0125 4592 isapnp (786b56d76f27f0117d1d51182078f623) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/08/22 23:50:05.0125 4592 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\isapnp.sys. Real md5: 786b56d76f27f0117d1d51182078f623, Fake md5: 1837a75fc44e6deb430f4e90b4dfb15a
    2011/08/22 23:50:05.0140 4592 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\isapnp.sys) error 13
    2011/08/22 23:50:06.0171 4592 Backup copy found, using it..
    2011/08/22 23:50:06.0187 4592 C:\WINDOWS\system32\DRIVERS\isapnp.sys - will be cured after reboot
    2011/08/22 23:50:06.0187 4592 Rootkit.Win32.TDSS.tdl3(isapnp) - User select action: Cure
    2011/08/22 23:50:06.0187 4592 ForgedFile.Multi.Generic(nv) - User select action: Skip
    2011/08/22 23:50:06.0187 4592 LockedFile.Multi.Generic(sptd) - User select action: Skip
    2011/08/22 23:50:27.0203 3784 Deinitialize success
     
  4. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Good :)

    Still no internet?

    Please download Rootkit Unhooker from one of the following links and save it to your desktop.
    In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

    • Double-click on RKUnhookerLE.exe to start the program.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • Click the Report tab, then click Scan.
    • Check Drivers, Stealth, and uncheck the rest.
    • Click OK.
    • Wait until it's finished and then go to File > Save Report.
    • Save the report to your Desktop.
    • Copy and paste the contents of the report into your next reply.
    -- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".
     
  5. JimmaWat

    JimmaWat TS Rookie Topic Starter Posts: 42

    Yeah still no internet. I'm worried the TDSSKiller thing might've done something to mess it up because I know the internet works but not for my computer. Not the wireless or the wired.

    Anyways, here's the log:

    RkU Version: 3.8.389.593, Type LE (SR2)
    ==============================================
    OS Name: Windows XP
    Version 5.1.2600 (Service Pack 2)
    Number of processors #2
    ==============================================
    >Drivers
    ==============================================
    0xB692D000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 10604544 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 258.96 )
    0xBD012000 C:\WINDOWS\System32\nv4_disp.dll 6344704 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 258.96 )
    0xB4F1D000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4874240 bytes (Realtek Semiconductor Corp., Realtek(r) High Definition Audio Function Driver)
    0xB655B000 C:\WINDOWS\system32\DRIVERS\NETw5x32.sys 3629056 bytes (Intel Corporation, Intel® Wireless WiFi Link Driver)
    0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2142208 bytes (Microsoft Corporation, NT Kernel & System)
    0x804D7000 PnpManager 2142208 bytes
    0x804D7000 RAW 2142208 bytes
    0x804D7000 WMIxWDM 2142208 bytes
    0xBF800000 Win32k 1851392 bytes
    0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
    0xB4E11000 C:\WINDOWS\system32\DRIVERS\smserial.sys 1097728 bytes (Motorola Inc., Motorola SM56 Modem WDM Driver)
    0xB4B09000 C:\WINDOWS\System32\Drivers\BisonC07.sys 1069056 bytes (Bison Electronics. Inc. , Universal Serial Bus Camera Driver)
    0xB7EA6000 PCI_PNP1096 1052672 bytes
    0xB7EA6000 spkc.sys 1052672 bytes
    0xB7EA6000 sptd 1052672 bytes
    0xB7D0A000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
    0xB4C0E000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 454656 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
    0xB4D36000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 360448 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
    0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
    0xB1A77000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
    0xB649A000 C:\WINDOWS\System32\Drivers\aadmviqx.SYS 229376 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
    0xB64F5000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 221184 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
    0xB63EB000 C:\WINDOWS\system32\DRIVERS\update.sys 212992 bytes (Microsoft Corporation, Update Driver)
    0xB641F000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 200704 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
    0xB7E60000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
    0xB7CDD000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
    0xB4CA5000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 180224 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
    0xB7E0A000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
    0xB68D1000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 151552 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
    0xB1642000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 143360 bytes (Microsoft Corporation, Fast FAT File System Driver)
    0xB64D2000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
    0xB68F6000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 143360 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
    0xB4D14000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
    0xB6478000 C:\WINDOWS\system32\DRIVERS\portcls.sys 139264 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
    0xB4CD1000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
    0xB4CF3000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 135168 bytes (Microsoft Corporation, IP Network Address Translator)
    0x806E2000 ACPI_HAL 134400 bytes
    0x806E2000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
    0xB7DD3000 fltMgr.sys 126976 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
    0xB7E30000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
    0xB7CC2000 Mup.sys 110592 bytes (Microsoft Corporation, Multiple UNC Provider driver)
    0xB652B000 C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys 110592 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )
    0xB7DF2000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
    0xB7E8E000 C:\WINDOWS\System32\Drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
    0xB7DAA000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
    0xB6461000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
    0xB6546000 C:\WINDOWS\system32\DRIVERS\jmcr.sys 86016 bytes (JMicron Technology Corp., JMicron JMB38X Memory Card Reader Driver)
    0xB32B7000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
    0xB6919000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
    0xB4D8E000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
    0xB7D97000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
    0xBD000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
    0xB7DC1000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
    0xB7E4F000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
    0xB6450000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
    0xB8138000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
    0xB75C5000 C:\WINDOWS\system32\DRIVERS\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
    0xB80A8000 ohci1394.sys 61440 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
    0xB8308000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
    0xB3494000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
    0xB7555000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
    0xB80B8000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 53248 bytes (Microsoft Corporation, 1394 Bus Device Driver)
    0xB82F8000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 53248 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
    0xB8108000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
    0xB8218000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
    0xB75B5000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
    0xB80E8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
    0xB7595000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
    0xB8168000 C:\WINDOWS\System32\Drivers\STREAM.SYS 49152 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
    0xB82E8000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
    0xB80D8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
    0xB75A5000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
    !!!!!!!!!!!Hidden driver: 0xB82C8000 3092378616 40960 bytes
    0xB7565000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
    0xB8118000 PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
    0xB8148000 C:\WINDOWS\System32\Drivers\tcusb.sys 40960 bytes (UPEK Inc., TouchChip USB Kernel Driver)
    0xB7575000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
    0xB1AE8000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
    0xB80F8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
    0xB736A000 C:\WINDOWS\System32\Drivers\Fips.SYS 36864 bytes (Microsoft Corporation, FIPS Crypto Driver)
    0xB8318000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
    0xB80C8000 isapnp.sys 36864 bytes (Microsoft Corporation, PNP ISA Bus Driver)
    0xB7585000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
    0xB738A000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
    0xB737A000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
    0xB8478000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
    0xB8388000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
    0xB83A8000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
    0xB8348000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
    0xB8328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
    0xB8470000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 28672 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
    0xB33FC000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
    0xB83C8000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
    0xB83B8000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
    0xB83C0000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
    0xB8390000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
    0xB8378000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
    0xB8380000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
    0xB8330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
    0xB8440000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
    0xB8448000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
    0xB8438000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
    0xB8468000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 20480 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
    0xB8430000 C:\WINDOWS\system32\DRIVERS\vcsvad.sys 20480 bytes (Avnex, Avnex Ltd. Virtual Audio Device (WDM))
    0xB83D0000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
    0xB84C0000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
    0xB7515000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
    0xB8584000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
    0xB36C9000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
    0xB84C4000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
    0xB84B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
    0xB84BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
    0xB4DC9000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
    0xB750D000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
    0xB53C7000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
    0xB7511000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
    0xB8656000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
    0xB85AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
    0xB8654000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
    0xB85A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
    0xB865A000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
    0xB865C000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
    0xB860A000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
    0xB8604000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
    0xB85AA000 C:\WINDOWS\System32\Drivers\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
    0xB87B9000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
    0xB872D000 C:\WINDOWS\System32\Drivers\BANTExt.sys 4096 bytes
    0xB868F000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
    0xB879F000 C:\WINDOWS\system32\HtsysmNT.sys 4096 bytes
    0xB8723000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
    0xB8671000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
    0xB8670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
    0x8AA571F8 unknown_irp_handler 3592 bytes
    0x85C091F8 unknown_irp_handler 3592 bytes
    0x8AA581F8 unknown_irp_handler 3592 bytes
    0x8A6B91F8 unknown_irp_handler 3592 bytes
    0x85A991F8 unknown_irp_handler 3592 bytes
    0x8AACA1F8 unknown_irp_handler 3592 bytes
    0x8A8581F8 unknown_irp_handler 3592 bytes
    0x8AA591F8 unknown_irp_handler 3592 bytes
    0x8A7991F8 unknown_irp_handler 3592 bytes
    0x8A8371F8 unknown_irp_handler 3592 bytes
    0x86A501F8 unknown_irp_handler 3592 bytes
    0x8A740500 unknown_irp_handler 2816 bytes
    0x8A692500 unknown_irp_handler 2816 bytes
    !!!!!!!!!!!Hidden driver: 0xB81CE9D0 00000949 1584 bytes
    0xB81CE9D0 unknown_irp_handler 1584 bytes
    ==============================================
    >Stealth
    ==============================================
    0x85B9BF58 LDT (IN GDT of Core 1) Modification, Base+0xA70, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
    0x85B9BF58 LDT (IN GDT of Core 2) Modification, Base+0xA70, DPL_USER, Rpl : 0, Type: CallGate32, Core [2]
    0xB81C993C Unknown page with executable code, 1732 bytes
    0xB81CB617 Unknown page with executable code, 2537 bytes
    0xB81CB4E6 Unknown page with executable code, 2842 bytes
    0xB81CE185 Unknown page with executable code, 3707 bytes
    WARNING: Virus alike driver modification [i8042prt.sys]
    0xB82CCFC0 Unknown thread object [ ETHREAD 0x8A6D5DA8 ] TID: 144, 600 bytes
    0xB82CCFC0 Unknown thread object [ ETHREAD 0x8A6BB498 ] TID: 148, 600 bytes
    0xB81D0105 Unknown thread object [ ETHREAD 0x8A704DA8 ] TID: 152, 600 bytes
    0xB81D0105 Unknown thread object [ ETHREAD 0x8A6EC330 ] TID: 156, 600 bytes
    WARNING: File locked for read access [C:\WINDOWS\system32\drivers\sptd.sys]
    0xB81CDC20 Unknown page with executable code, 992 bytes
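
Both reports in this thread (the TDSSKiller log in the earlier post and the Rootkit Unhooker report above) bury their verdicts in a handful of free-text lines among hundreds of routine driver entries: "Suspicious file (Forged)" with a real and a fake MD5, "Suspicious file (Hidden)" on a path that contains an NTFS alternate data stream, "Hidden driver" and "WARNING: Virus alike driver modification" in the RKU output. The script below is an added example, not code from the thread, from Kaspersky or from the RKU authors. It pulls those flagged lines out of either report and adds two checks that neither tool prints as such but that a triager would do by hand on these logs: a path whose file name carries a colon (an alternate data stream, as in the `747482349:307458771.exe` entry), and one driver image loaded under several differently named services (the `dwrfa`, `fqlpjiyc` and `kwaxi` entries share a single MD5). The regular expressions are assumptions derived from the line shapes visible in this thread, and the sample text is constructed from lines of those reports.

```python
"""Triage helper for TDSSKiller and Rootkit Unhooker (RKU) text reports.

Added example, not code from this thread or from either tool. The line
patterns are assumptions matched against the report lines posted above.
"""
import re
from collections import defaultdict

# TDSSKiller service enumeration:  <date> <time> <thread> <service> (<md5>) <path>
TDSS_ENTRY = re.compile(
    r"^\S+ \S+ \d+ (?P<svc>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# TDSSKiller anomaly:  Suspicious file (<kind>): <path>. md5: <h>
#                  or  Suspicious file (Forged): <path>. Real md5: <h>, Fake md5: <h>
TDSS_SUSPICIOUS = re.compile(
    r"Suspicious file \((?P<kind>\w+)\): (?P<path>.+?)\. "
    r"(?:md5: (?P<md5>[0-9a-f]{32})"
    r"|Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32}))")
TDSS_VERDICT = re.compile(r" (?P<svc>\S+) - detected (?P<name>\S+) \(\d+\)$")
TDSS_ACTION = re.compile(
    r" (?P<name>\S+)\((?P<svc>[^)]+)\) - User select action: (?P<action>\w+)$")
# Rootkit Unhooker report lines
RKU_HIDDEN = re.compile(
    r"^!+Hidden driver: (?P<addr>0x[0-9A-Fa-f]+) (?P<name>\S+) (?P<size>\d+) bytes")
RKU_UNKNOWN_PAGE = re.compile(
    r"^(?P<addr>0x[0-9A-Fa-f]+) Unknown page with executable code, (?P<size>\d+) bytes")
RKU_WARNING = re.compile(r"^WARNING: (?P<msg>.+)$")


def is_ads_path(path):
    """A colon inside the file-name component of a Win32 path names an NTFS
    alternate data stream (file:stream), a classic place to hide a payload."""
    return ":" in path.rsplit("\\", 1)[-1]


def triage(report_text):
    """Return the anomalies in a TDSSKiller or RKU report as a list of dicts."""
    findings = []
    by_md5 = defaultdict(set)  # md5 -> {(service name, path)} over all entries
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := TDSS_ENTRY.match(line):
            by_md5[m["md5"]].add((m["svc"], m["path"]))
            if is_ads_path(m["path"]):
                findings.append({"kind": "ads_path", "service": m["svc"], "path": m["path"]})
        elif m := TDSS_SUSPICIOUS.search(line):
            f = {"kind": "suspicious", "how": m["kind"], "path": m["path"]}
            if m["real"]:  # file hashes differently through the live system than on disk
                f["real_md5"], f["fake_md5"] = m["real"], m["fake"]
            else:
                f["md5"] = m["md5"]
            findings.append(f)
        elif m := TDSS_VERDICT.search(line):
            findings.append({"kind": "verdict", "service": m["svc"], "name": m["name"]})
        elif m := TDSS_ACTION.search(line):
            findings.append({"kind": "action", "service": m["svc"], "name": m["name"],
                             "action": m["action"]})
        elif m := RKU_HIDDEN.match(line):
            findings.append({"kind": "hidden_driver", "name": m["name"], "addr": m["addr"],
                             "size": int(m["size"])})
        elif m := RKU_UNKNOWN_PAGE.match(line):
            findings.append({"kind": "unknown_code_page", "addr": m["addr"], "size": int(m["size"])})
        elif m := RKU_WARNING.match(line):
            findings.append({"kind": "warning", "message": m["msg"]})
    # One driver image registered under several service names and file names:
    # each entry looks ordinary on its own, only the shared hash gives it away.
    for md5, members in by_md5.items():
        if len({p for _, p in members}) >= 2:
            findings.append({"kind": "shared_image", "md5": md5,
                             "services": sorted(s for s, _ in members),
                             "paths": sorted(p for _, p in members)})
    return findings


# Constructed samples: lines copied from the reports posted in this thread.
SAMPLE_TDSS = r"""
2011/08/22 23:49:42.0484 2348 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
2011/08/22 23:49:43.0093 2348 sptd (d15da1ba189770d93eea2d7e18f95af9) C:\WINDOWS\system32\Drivers\sptd.sys
2011/08/22 23:49:43.0093 2348 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
2011/08/22 23:49:43.0093 2348 sptd - detected LockedFile.Multi.Generic (1)
2011/08/23 22:14:29.0203 3944 dwrfa (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\cpma.sys
2011/08/23 22:14:29.0296 3944 edac8d2c (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\747482349:307458771.exe
2011/08/23 22:14:29.0328 3944 Suspicious file (Hidden): C:\WINDOWS\747482349:307458771.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
2011/08/23 22:14:29.0781 3944 fqlpjiyc (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\htubn.sys
2011/08/23 22:14:30.0609 3944 i8042prt (d05bab516dc50198fdf8a849ef4f6645) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/08/23 22:14:30.0609 3944 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\i8042prt.sys. Real md5: d05bab516dc50198fdf8a849ef4f6645, Fake md5: 5502b58eef7486ee6f93f3f164dcb808
2011/08/23 22:14:30.0609 3944 i8042prt - detected Rootkit.Win32.ZAccess.c (0)
2011/08/23 22:14:32.0078 3944 kwaxi (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\vldso.sys
2011/08/22 23:50:06.0187 4592 Rootkit.Win32.TDSS.tdl3(isapnp) - User select action: Cure
"""
SAMPLE_RKU = r"""
RkU Version: 3.8.389.593, Type LE (SR2)
>Drivers
0xB7DF2000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
!!!!!!!!!!!Hidden driver: 0xB82C8000 3092378616 40960 bytes
!!!!!!!!!!!Hidden driver: 0xB81CE9D0 00000949 1584 bytes
>Stealth
0xB81C993C Unknown page with executable code, 1732 bytes
WARNING: Virus alike driver modification [i8042prt.sys]
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\sptd.sys]
"""

if __name__ == "__main__":
    for label, text in (("TDSSKiller", SAMPLE_TDSS), ("RKU", SAMPLE_RKU)):
        print("==", label, "==")
        for finding in triage(text):
            print(finding)
```

Run it against a full saved log (`triage(open("TDSSKiller.log").read())`) and read the `shared_image` and `ads_path` findings first: they point at entries the tools list as ordinary drivers, whereas a `Forged` finding with differing real and fake hashes is the tool itself telling you that what the running kernel serves for that file is not what is on disk.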
     
  6. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Please re-run TDSSKiller one more time.
     
  7. JimmaWat

    JimmaWat TS Rookie Topic Starter Posts: 42

    Ran TDSSKiller.exe from my desktop; it crashed within a few seconds of scanning, so I put a copy of it onto my USB and ran it from there. Finished scanning all the way through.

    Here is the log:

    2011/08/23 22:14:21.0796 0572 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
    2011/08/23 22:14:21.0812 0572 ================================================================================
    2011/08/23 22:14:21.0812 0572 SystemInfo:
    2011/08/23 22:14:21.0812 0572
    2011/08/23 22:14:21.0812 0572 OS Version: 5.1.2600 ServicePack: 2.0
    2011/08/23 22:14:21.0812 0572 Product type: Workstation
    2011/08/23 22:14:21.0812 0572 ComputerName: JIMMAWAT
    2011/08/23 22:14:21.0812 0572 UserName: Administrator
    2011/08/23 22:14:21.0812 0572 Windows directory: C:\WINDOWS
    2011/08/23 22:14:21.0812 0572 System windows directory: C:\WINDOWS
    2011/08/23 22:14:21.0812 0572 Processor architecture: Intel x86
    2011/08/23 22:14:21.0812 0572 Number of processors: 2
    2011/08/23 22:14:21.0812 0572 Page size: 0x1000
    2011/08/23 22:14:21.0812 0572 Boot type: Normal boot
    2011/08/23 22:14:21.0812 0572 ================================================================================
    2011/08/23 22:14:21.0984 0572 Initialize success
    2011/08/23 22:14:25.0546 3944 ================================================================================
    2011/08/23 22:14:25.0546 3944 Scan started
    2011/08/23 22:14:25.0546 3944 Mode: Manual;
    2011/08/23 22:14:25.0546 3944 ================================================================================
    2011/08/23 22:14:26.0468 3944 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/08/23 22:14:26.0500 3944 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
    2011/08/23 22:14:26.0578 3944 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
    2011/08/23 22:14:26.0734 3944 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
    2011/08/23 22:14:27.0203 3944 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2011/08/23 22:14:27.0343 3944 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/08/23 22:14:27.0453 3944 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/08/23 22:14:27.0546 3944 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/08/23 22:14:27.0609 3944 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/08/23 22:14:27.0640 3944 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
    2011/08/23 22:14:27.0671 3944 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/08/23 22:14:27.0750 3944 BthEnum (d24b8d1784c68a25060fffbe8ed34b76) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
    2011/08/23 22:14:27.0843 3944 BthPan (10355270be12641b9764235da39dcf0f) C:\WINDOWS\system32\DRIVERS\bthpan.sys
    2011/08/23 22:14:27.0921 3944 BTHPORT (95ef6f3f386d93ee1e4d9ca45a50252a) C:\WINDOWS\system32\Drivers\BTHport.sys
    2011/08/23 22:14:27.0984 3944 BTHUSB (f06d4cb9918b462a84d9ac00027efc30) C:\WINDOWS\system32\Drivers\BTHUSB.sys
    2011/08/23 22:14:28.0062 3944 Cam5607 (ce9f13675fdc354f16962dffecec3041) C:\WINDOWS\system32\Drivers\BisonC07.sys
    2011/08/23 22:14:28.0171 3944 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/08/23 22:14:28.0265 3944 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2011/08/23 22:14:28.0328 3944 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/08/23 22:14:28.0406 3944 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/08/23 22:14:28.0500 3944 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/08/23 22:14:28.0640 3944 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2011/08/23 22:14:28.0671 3944 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2011/08/23 22:14:28.0765 3944 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/08/23 22:14:28.0812 3944 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/08/23 22:14:28.0859 3944 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
    2011/08/23 22:14:28.0953 3944 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/08/23 22:14:29.0078 3944 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/08/23 22:14:29.0156 3944 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/08/23 22:14:29.0203 3944 dwrfa (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\cpma.sys
    2011/08/23 22:14:29.0296 3944 edac8d2c (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\747482349:307458771.exe
    2011/08/23 22:14:29.0328 3944 Suspicious file (Hidden): C:\WINDOWS\747482349:307458771.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
    2011/08/23 22:14:29.0343 3944 edac8d2c - detected HiddenFile.Multi.Generic (1)
    2011/08/23 22:14:29.0546 3944 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/08/23 22:14:29.0593 3944 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
    2011/08/23 22:14:29.0656 3944 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
    2011/08/23 22:14:29.0671 3944 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2011/08/23 22:14:29.0703 3944 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    2011/08/23 22:14:29.0781 3944 fqlpjiyc (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\htubn.sys
    2011/08/23 22:14:29.0843 3944 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/08/23 22:14:29.0875 3944 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/08/23 22:14:29.0921 3944 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    2011/08/23 22:14:29.0984 3944 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/08/23 22:14:30.0046 3944 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/08/23 22:14:30.0156 3944 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/08/23 22:14:30.0265 3944 Htsysm (57bd2878b475f530a9cf965c785c74a3) C:\WINDOWS\system32\HtsysmNT.sys
    2011/08/23 22:14:30.0406 3944 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/08/23 22:14:30.0609 3944 i8042prt (d05bab516dc50198fdf8a849ef4f6645) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/08/23 22:14:30.0609 3944 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\i8042prt.sys. Real md5: d05bab516dc50198fdf8a849ef4f6645, Fake md5: 5502b58eef7486ee6f93f3f164dcb808
    2011/08/23 22:14:30.0609 3944 i8042prt - detected Rootkit.Win32.ZAccess.c (0)
    2011/08/23 22:14:30.0687 3944 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/08/23 22:14:30.0906 3944 IntcAzAudAddService (b2957d6c1226f029230dac2c46d34286) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2011/08/23 22:14:31.0093 3944 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/08/23 22:14:31.0140 3944 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    2011/08/23 22:14:31.0171 3944 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/08/23 22:14:31.0187 3944 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/08/23 22:14:31.0234 3944 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/08/23 22:14:31.0390 3944 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/08/23 22:14:31.0437 3944 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/08/23 22:14:31.0484 3944 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/08/23 22:14:31.0562 3944 JMCR (dedb6cc1b166928a8f3f68def1766db0) C:\WINDOWS\system32\DRIVERS\jmcr.sys
    2011/08/23 22:14:31.0765 3944 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/08/23 22:14:31.0812 3944 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2011/08/23 22:14:31.0875 3944 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/08/23 22:14:31.0921 3944 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/08/23 22:14:32.0078 3944 kwaxi (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\vldso.sys
    2011/08/23 22:14:32.0250 3944 Mkd2kfNt (6f4d79ea861137ef2f9078e265c2aa83) C:\WINDOWS\system32\drivers\Mkd2kfNt.sys
    2011/08/23 22:14:32.0281 3944 Mkd2Nadr (fe7925784f6801e983b41ec118ef62ac) C:\WINDOWS\system32\drivers\Mkd2Nadr.sys
    2011/08/23 22:14:32.0328 3944 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/08/23 22:14:32.0500 3944 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
    2011/08/23 22:14:32.0734 3944 motccgp (201bfc4ef8b33d02d133fbf6535e515b) C:\WINDOWS\system32\DRIVERS\motccgp.sys
    2011/08/23 22:14:32.0765 3944 motccgpfl (d0242a3832eb7c97801bb25889561e23) C:\WINDOWS\system32\DRIVERS\motccgpfl.sys
    2011/08/23 22:14:32.0796 3944 MotDev (80bda4ac4b2834ca522b7386fc1f6a20) C:\WINDOWS\system32\DRIVERS\motodrv.sys
    2011/08/23 22:14:32.0828 3944 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
    2011/08/23 22:14:32.0875 3944 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/08/23 22:14:32.0921 3944 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/08/23 22:14:33.0078 3944 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/08/23 22:14:33.0140 3944 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/08/23 22:14:33.0203 3944 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/08/23 22:14:33.0250 3944 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/08/23 22:14:33.0296 3944 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/08/23 22:14:33.0406 3944 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/08/23 22:14:33.0421 3944 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/08/23 22:14:33.0484 3944 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/08/23 22:14:33.0500 3944 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
    2011/08/23 22:14:33.0562 3944 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/08/23 22:14:33.0703 3944 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2011/08/23 22:14:33.0750 3944 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/08/23 22:14:33.0781 3944 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2011/08/23 22:14:33.0843 3944 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/08/23 22:14:34.0000 3944 Ndisuio (5146c3d286e66c72328f6ce6e4d983a8) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/08/23 22:14:34.0046 3944 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/08/23 22:14:34.0078 3944 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/08/23 22:14:34.0125 3944 nepo (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\dbxd.sys
    2011/08/23 22:14:34.0156 3944 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/08/23 22:14:34.0437 3944 NETw5x32 (0888844230083ce3b47395102bca8207) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
    2011/08/23 22:14:34.0687 3944 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2011/08/23 22:14:34.0718 3944 nm (60cf8c7192b3614f240838ddbaa4a245) C:\WINDOWS\system32\DRIVERS\NMnt.sys
    2011/08/23 22:14:34.0765 3944 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/08/23 22:14:34.0984 3944 nscb (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\xiip.sys
    2011/08/23 22:14:35.0156 3944 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/08/23 22:14:35.0218 3944 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/08/23 22:14:35.0593 3944 nv (ed9816dbaf6689542ea7d022631906a1) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2011/08/23 22:14:36.0187 3944 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/08/23 22:14:36.0328 3944 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/08/23 22:14:36.0390 3944 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2011/08/23 22:14:36.0437 3944 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
    2011/08/23 22:14:36.0500 3944 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/08/23 22:14:36.0625 3944 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/08/23 22:14:36.0671 3944 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/08/23 22:14:36.0765 3944 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/08/23 22:14:36.0859 3944 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/08/23 22:14:37.0125 3944 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/08/23 22:14:37.0140 3944 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/08/23 22:14:37.0187 3944 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/08/23 22:14:37.0218 3944 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/08/23 22:14:37.0328 3944 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/08/23 22:14:37.0406 3944 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/08/23 22:14:37.0531 3944 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/08/23 22:14:37.0562 3944 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/08/23 22:14:37.0593 3944 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/08/23 22:14:37.0625 3944 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/08/23 22:14:37.0765 3944 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/08/23 22:14:37.0828 3944 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/08/23 22:14:37.0875 3944 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/08/23 22:14:37.0921 3944 RFCOMM (99c4b74981a1413f142a3903130088cb) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
    2011/08/23 22:14:38.0031 3944 RTLE8023xp (cd0afbbd81c30e6a8a92cc1089db1ba0) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
    2011/08/23 22:14:38.0125 3944 sajy (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\snba.sys
    2011/08/23 22:14:38.0421 3944 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    2011/08/23 22:14:38.0437 3944 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    2011/08/23 22:14:38.0562 3944 sdbus (02fc71b020ec8700ee8a46c58bc6f276) C:\WINDOWS\system32\DRIVERS\sdbus.sys
    2011/08/23 22:14:38.0640 3944 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/08/23 22:14:38.0703 3944 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
    2011/08/23 22:14:38.0750 3944 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/08/23 22:14:38.0890 3944 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2011/08/23 22:14:39.0000 3944 smserial (be44ae880e8d22a5615e352c68b278b9) C:\WINDOWS\system32\DRIVERS\smserial.sys
    2011/08/23 22:14:39.0093 3944 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
    2011/08/23 22:14:39.0250 3944 sptd (d15da1ba189770d93eea2d7e18f95af9) C:\WINDOWS\system32\Drivers\sptd.sys
    2011/08/23 22:14:39.0250 3944 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
    2011/08/23 22:14:39.0250 3944 sptd - detected LockedFile.Multi.Generic (1)
    2011/08/23 22:14:39.0312 3944 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/08/23 22:14:39.0343 3944 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/08/23 22:14:39.0468 3944 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2011/08/23 22:14:39.0515 3944 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/08/23 22:14:39.0578 3944 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/08/23 22:14:39.0718 3944 SynTP (d7b9ad3abd0f7f9f694d71f38b5c7b72) C:\WINDOWS\system32\DRIVERS\SynTP.sys
    2011/08/23 22:14:39.0843 3944 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/08/23 22:14:39.0906 3944 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/08/23 22:14:39.0984 3944 TcUsb (53900527fa5e2ccc818c5894383772d1) C:\WINDOWS\system32\Drivers\tcusb.sys
    2011/08/23 22:14:40.0015 3944 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/08/23 22:14:40.0140 3944 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/08/23 22:14:40.0234 3944 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/08/23 22:14:40.0312 3944 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/08/23 22:14:40.0421 3944 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/08/23 22:14:40.0546 3944 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
    2011/08/23 22:14:40.0640 3944 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
    2011/08/23 22:14:40.0687 3944 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/08/23 22:14:40.0765 3944 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/08/23 22:14:40.0843 3944 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/08/23 22:14:40.0937 3944 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/08/23 22:14:40.0984 3944 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/08/23 22:14:41.0015 3944 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/08/23 22:14:41.0078 3944 usbvideo (8968ff3973a883c49e8b564200f565b9) C:\WINDOWS\system32\Drivers\usbvideo.sys
    2011/08/23 22:14:41.0171 3944 VCSVADHWSer (b2abab4ca46bad182e27763dc19c780f) C:\WINDOWS\system32\DRIVERS\vcsvad.sys
    2011/08/23 22:14:41.0250 3944 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
    2011/08/23 22:14:41.0281 3944 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/08/23 22:14:41.0328 3944 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/08/23 22:14:41.0421 3944 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
    2011/08/23 22:14:41.0593 3944 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/08/23 22:14:41.0703 3944 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    2011/08/23 22:14:41.0781 3944 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    2011/08/23 22:14:41.0828 3944 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2011/08/23 22:14:41.0953 3944 WudfPf (6ff66513d372d479ef1810223c8d20ce) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/08/23 22:14:42.0015 3944 WudfRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/08/23 22:14:42.0515 3944 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    2011/08/23 22:14:42.0718 3944 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR7
    2011/08/23 22:14:42.0734 3944 Boot (0x1200) (376cd6a563b68089149b43ac88d519d5) \Device\Harddisk0\DR0\Partition0
    2011/08/23 22:14:42.0781 3944 Boot (0x1200) (43d6dc9dc6c9c8518f76cf3e1dca59ef) \Device\Harddisk0\DR0\Partition1
    2011/08/23 22:14:42.0781 3944 Boot (0x1200) (c5fb7fc3af5920a6944c3e04abe5d8d3) \Device\Harddisk1\DR7\Partition0
    2011/08/23 22:14:42.0796 3944 ================================================================================
    2011/08/23 22:14:42.0796 3944 Scan finished
    2011/08/23 22:14:42.0796 3944 ================================================================================
    2011/08/23 22:14:42.0812 3192 Detected object count: 3
    2011/08/23 22:14:42.0812 3192 Actual detected object count: 3
    2011/08/23 22:15:50.0218 3192 HiddenFile.Multi.Generic(edac8d2c) - User select action: Skip
    2011/08/23 22:15:50.0390 3192 i8042prt (d05bab516dc50198fdf8a849ef4f6645) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/08/23 22:15:50.0390 3192 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\i8042prt.sys. Real md5: d05bab516dc50198fdf8a849ef4f6645, Fake md5: 5502b58eef7486ee6f93f3f164dcb808
    2011/08/23 22:15:50.0625 3192 Backup copy found, using it..
    2011/08/23 22:15:50.0625 3192 C:\WINDOWS\system32\DRIVERS\i8042prt.sys - will be cured after reboot
    2011/08/23 22:15:50.0625 3192 Rootkit.Win32.ZAccess.c(i8042prt) - User select action: Cure
    2011/08/23 22:15:50.0625 3192 LockedFile.Multi.Generic(sptd) - User select action: Skip
     
  8. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Go ahead and run it one more time.
     
  9. JimmaWat

    JimmaWat TS Rookie Topic Starter Posts: 42

    Ran it again, again from the USB. Here's the log:

    2011/08/23 22:29:46.0750 3860 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
    2011/08/23 22:29:46.0781 3860 ================================================================================
    2011/08/23 22:29:46.0781 3860 SystemInfo:
    2011/08/23 22:29:46.0781 3860
    2011/08/23 22:29:46.0781 3860 OS Version: 5.1.2600 ServicePack: 2.0
    2011/08/23 22:29:46.0781 3860 Product type: Workstation
    2011/08/23 22:29:46.0781 3860 ComputerName: JIMMAWAT
    2011/08/23 22:29:46.0781 3860 UserName: Administrator
    2011/08/23 22:29:46.0781 3860 Windows directory: C:\WINDOWS
    2011/08/23 22:29:46.0781 3860 System windows directory: C:\WINDOWS
    2011/08/23 22:29:46.0781 3860 Processor architecture: Intel x86
    2011/08/23 22:29:46.0781 3860 Number of processors: 2
    2011/08/23 22:29:46.0781 3860 Page size: 0x1000
    2011/08/23 22:29:46.0781 3860 Boot type: Normal boot
    2011/08/23 22:29:46.0781 3860 ================================================================================
    2011/08/23 22:29:48.0390 3860 Initialize success
    2011/08/23 22:29:49.0750 2868 ================================================================================
    2011/08/23 22:29:49.0750 2868 Scan started
    2011/08/23 22:29:49.0750 2868 Mode: Manual;
    2011/08/23 22:29:49.0750 2868 ================================================================================
    2011/08/23 22:29:51.0156 2868 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/08/23 22:29:51.0187 2868 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
    2011/08/23 22:29:51.0281 2868 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
    2011/08/23 22:29:51.0437 2868 AFD (d9a47e3853528fbcc03ce0e11210fd16) C:\WINDOWS\System32\drivers\afd.sys
    2011/08/23 22:29:51.0453 2868 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: d9a47e3853528fbcc03ce0e11210fd16, Fake md5: 55e6e1c51b6d30e54335750955453702
    2011/08/23 22:29:51.0453 2868 AFD - detected Rootkit.Win32.ZAccess.c (0)
    2011/08/23 22:29:51.0593 2868 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2011/08/23 22:29:51.0671 2868 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/08/23 22:29:51.0750 2868 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/08/23 22:29:51.0890 2868 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/08/23 22:29:51.0953 2868 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/08/23 22:29:52.0000 2868 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
    2011/08/23 22:29:52.0015 2868 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/08/23 22:29:52.0078 2868 BthEnum (d24b8d1784c68a25060fffbe8ed34b76) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
    2011/08/23 22:29:52.0125 2868 BthPan (10355270be12641b9764235da39dcf0f) C:\WINDOWS\system32\DRIVERS\bthpan.sys
    2011/08/23 22:29:52.0281 2868 BTHPORT (95ef6f3f386d93ee1e4d9ca45a50252a) C:\WINDOWS\system32\Drivers\BTHport.sys
    2011/08/23 22:29:52.0343 2868 BTHUSB (f06d4cb9918b462a84d9ac00027efc30) C:\WINDOWS\system32\Drivers\BTHUSB.sys
    2011/08/23 22:29:52.0421 2868 Cam5607 (ce9f13675fdc354f16962dffecec3041) C:\WINDOWS\system32\Drivers\BisonC07.sys
    2011/08/23 22:29:52.0593 2868 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/08/23 22:29:52.0640 2868 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2011/08/23 22:29:52.0703 2868 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/08/23 22:29:52.0750 2868 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/08/23 22:29:52.0921 2868 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/08/23 22:29:53.0015 2868 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2011/08/23 22:29:53.0046 2868 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2011/08/23 22:29:53.0125 2868 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/08/23 22:29:53.0187 2868 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/08/23 22:29:53.0359 2868 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
    2011/08/23 22:29:53.0406 2868 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/08/23 22:29:53.0453 2868 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/08/23 22:29:53.0531 2868 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/08/23 22:29:53.0625 2868 dwrfa (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\cpma.sys
    2011/08/23 22:29:53.0765 2868 edac8d2c (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\747482349:307458771.exe
    2011/08/23 22:29:53.0796 2868 Suspicious file (Hidden): C:\WINDOWS\747482349:307458771.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
    2011/08/23 22:29:53.0812 2868 edac8d2c - detected HiddenFile.Multi.Generic (1)
    2011/08/23 22:29:53.0937 2868 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/08/23 22:29:54.0015 2868 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
    2011/08/23 22:29:54.0078 2868 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
    2011/08/23 22:29:54.0109 2868 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2011/08/23 22:29:54.0140 2868 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    2011/08/23 22:29:54.0250 2868 fqlpjiyc (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\htubn.sys
    2011/08/23 22:29:54.0312 2868 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/08/23 22:29:54.0375 2868 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/08/23 22:29:54.0406 2868 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    2011/08/23 22:29:54.0484 2868 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/08/23 22:29:54.0609 2868 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/08/23 22:29:54.0718 2868 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/08/23 22:29:54.0781 2868 Htsysm (57bd2878b475f530a9cf965c785c74a3) C:\WINDOWS\system32\HtsysmNT.sys
    2011/08/23 22:29:54.0953 2868 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/08/23 22:29:55.0093 2868 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/08/23 22:29:55.0171 2868 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/08/23 22:29:55.0390 2868 IntcAzAudAddService (b2957d6c1226f029230dac2c46d34286) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2011/08/23 22:29:55.0593 2868 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/08/23 22:29:55.0640 2868 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    2011/08/23 22:29:55.0671 2868 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/08/23 22:29:55.0687 2868 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/08/23 22:29:55.0734 2868 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/08/23 22:29:55.0937 2868 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/08/23 22:29:55.0984 2868 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/08/23 22:29:56.0031 2868 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/08/23 22:29:56.0109 2868 JMCR (dedb6cc1b166928a8f3f68def1766db0) C:\WINDOWS\system32\DRIVERS\jmcr.sys
    2011/08/23 22:29:56.0265 2868 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/08/23 22:29:56.0312 2868 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2011/08/23 22:29:56.0375 2868 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/08/23 22:29:56.0437 2868 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/08/23 22:29:56.0578 2868 kwaxi (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\vldso.sys
    2011/08/23 22:29:56.0734 2868 Mkd2kfNt (6f4d79ea861137ef2f9078e265c2aa83) C:\WINDOWS\system32\drivers\Mkd2kfNt.sys
    2011/08/23 22:29:56.0765 2868 Mkd2Nadr (fe7925784f6801e983b41ec118ef62ac) C:\WINDOWS\system32\drivers\Mkd2Nadr.sys
    2011/08/23 22:29:56.0828 2868 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/08/23 22:29:56.0984 2868 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
    2011/08/23 22:29:57.0031 2868 motccgp (201bfc4ef8b33d02d133fbf6535e515b) C:\WINDOWS\system32\DRIVERS\motccgp.sys
    2011/08/23 22:29:57.0046 2868 motccgpfl (d0242a3832eb7c97801bb25889561e23) C:\WINDOWS\system32\DRIVERS\motccgpfl.sys
    2011/08/23 22:29:57.0078 2868 MotDev (80bda4ac4b2834ca522b7386fc1f6a20) C:\WINDOWS\system32\DRIVERS\motodrv.sys
    2011/08/23 22:29:57.0125 2868 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
    2011/08/23 22:29:57.0281 2868 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/08/23 22:29:57.0328 2868 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/08/23 22:29:57.0375 2868 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/08/23 22:29:57.0437 2868 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/08/23 22:29:57.0531 2868 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/08/23 22:29:57.0609 2868 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/08/23 22:29:57.0671 2868 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/08/23 22:29:57.0703 2868 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/08/23 22:29:57.0734 2868 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/08/23 22:29:57.0828 2868 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/08/23 22:29:57.0859 2868 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
    2011/08/23 22:29:57.0968 2868 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/08/23 22:29:58.0062 2868 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2011/08/23 22:29:58.0093 2868 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/08/23 22:29:58.0187 2868 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2011/08/23 22:29:58.0234 2868 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/08/23 22:29:58.0343 2868 Ndisuio (5146c3d286e66c72328f6ce6e4d983a8) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/08/23 22:29:58.0406 2868 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/08/23 22:29:58.0468 2868 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/08/23 22:29:58.0531 2868 nepo (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\dbxd.sys
    2011/08/23 22:29:58.0609 2868 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/08/23 22:29:58.0796 2868 NETw5x32 (0888844230083ce3b47395102bca8207) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
    2011/08/23 22:29:59.0125 2868 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    2011/08/23 22:29:59.0296 2868 nm (60cf8c7192b3614f240838ddbaa4a245) C:\WINDOWS\system32\DRIVERS\NMnt.sys
    2011/08/23 22:29:59.0390 2868 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/08/23 22:29:59.0781 2868 nscb (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\xiip.sys
    2011/08/23 22:29:59.0921 2868 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/08/23 22:30:00.0078 2868 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/08/23 22:30:00.0437 2868 nv (ed9816dbaf6689542ea7d022631906a1) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2011/08/23 22:30:00.0875 2868 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/08/23 22:30:00.0906 2868 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/08/23 22:30:00.0968 2868 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    2011/08/23 22:30:01.0046 2868 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
    2011/08/23 22:30:01.0109 2868 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/08/23 22:30:01.0234 2868 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/08/23 22:30:01.0265 2868 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/08/23 22:30:01.0328 2868 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/08/23 22:30:01.0390 2868 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/08/23 22:30:01.0562 2868 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/08/23 22:30:01.0703 2868 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/08/23 22:30:01.0734 2868 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/08/23 22:30:01.0796 2868 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/08/23 22:30:01.0890 2868 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/08/23 22:30:01.0921 2868 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/08/23 22:30:02.0015 2868 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/08/23 22:30:02.0156 2868 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/08/23 22:30:02.0187 2868 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/08/23 22:30:02.0203 2868 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/08/23 22:30:02.0281 2868 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/08/23 22:30:02.0328 2868 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/08/23 22:30:02.0468 2868 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/08/23 22:30:02.0515 2868 RFCOMM (99c4b74981a1413f142a3903130088cb) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
    2011/08/23 22:30:02.0578 2868 RTLE8023xp (cd0afbbd81c30e6a8a92cc1089db1ba0) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
    2011/08/23 22:30:02.0640 2868 sajy (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\snba.sys
    2011/08/23 22:30:02.0796 2868 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    2011/08/23 22:30:02.0828 2868 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    2011/08/23 22:30:02.0984 2868 sdbus (02fc71b020ec8700ee8a46c58bc6f276) C:\WINDOWS\system32\DRIVERS\sdbus.sys
    2011/08/23 22:30:03.0015 2868 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/08/23 22:30:03.0093 2868 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
    2011/08/23 22:30:03.0140 2868 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/08/23 22:30:03.0312 2868 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2011/08/23 22:30:03.0406 2868 smserial (be44ae880e8d22a5615e352c68b278b9) C:\WINDOWS\system32\DRIVERS\smserial.sys
    2011/08/23 22:30:03.0609 2868 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
    2011/08/23 22:30:03.0687 2868 sptd (d15da1ba189770d93eea2d7e18f95af9) C:\WINDOWS\system32\Drivers\sptd.sys
    2011/08/23 22:30:03.0687 2868 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
    2011/08/23 22:30:03.0703 2868 sptd - detected LockedFile.Multi.Generic (1)
    2011/08/23 22:30:03.0734 2868 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/08/23 22:30:03.0890 2868 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/08/23 22:30:03.0937 2868 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2011/08/23 22:30:04.0062 2868 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/08/23 22:30:04.0125 2868 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/08/23 22:30:04.0375 2868 SynTP (d7b9ad3abd0f7f9f694d71f38b5c7b72) C:\WINDOWS\system32\DRIVERS\SynTP.sys
    2011/08/23 22:30:04.0421 2868 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/08/23 22:30:04.0500 2868 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/08/23 22:30:04.0625 2868 TcUsb (53900527fa5e2ccc818c5894383772d1) C:\WINDOWS\system32\Drivers\tcusb.sys
    2011/08/23 22:30:04.0671 2868 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/08/23 22:30:04.0687 2868 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/08/23 22:30:04.0765 2868 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/08/23 22:30:04.0859 2868 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/08/23 22:30:05.0000 2868 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/08/23 22:30:05.0078 2868 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
    2011/08/23 22:30:05.0171 2868 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
    2011/08/23 22:30:05.0218 2868 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/08/23 22:30:05.0359 2868 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/08/23 22:30:05.0375 2868 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/08/23 22:30:05.0437 2868 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/08/23 22:30:05.0500 2868 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/08/23 22:30:05.0625 2868 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/08/23 22:30:05.0671 2868 usbvideo (8968ff3973a883c49e8b564200f565b9) C:\WINDOWS\system32\Drivers\usbvideo.sys
    2011/08/23 22:30:05.0718 2868 VCSVADHWSer (b2abab4ca46bad182e27763dc19c780f) C:\WINDOWS\system32\DRIVERS\vcsvad.sys
    2011/08/23 22:30:05.0812 2868 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
    2011/08/23 22:30:05.0921 2868 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/08/23 22:30:05.0984 2868 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/08/23 22:30:06.0062 2868 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
    2011/08/23 22:30:06.0171 2868 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/08/23 22:30:06.0312 2868 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    2011/08/23 22:30:06.0375 2868 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    2011/08/23 22:30:06.0406 2868 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2011/08/23 22:30:06.0500 2868 WudfPf (6ff66513d372d479ef1810223c8d20ce) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/08/23 22:30:06.0531 2868 WudfRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/08/23 22:30:07.0093 2868 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    2011/08/23 22:30:07.0265 2868 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR3
    2011/08/23 22:30:07.0281 2868 Boot (0x1200) (376cd6a563b68089149b43ac88d519d5) \Device\Harddisk0\DR0\Partition0
    2011/08/23 22:30:07.0296 2868 Boot (0x1200) (43d6dc9dc6c9c8518f76cf3e1dca59ef) \Device\Harddisk0\DR0\Partition1
    2011/08/23 22:30:07.0312 2868 Boot (0x1200) (b5eadabcc7b8ecbba42e9877722ef96f) \Device\Harddisk1\DR3\Partition0
    2011/08/23 22:30:07.0312 2868 ================================================================================
    2011/08/23 22:30:07.0312 2868 Scan finished
    2011/08/23 22:30:07.0312 2868 ================================================================================
    2011/08/23 22:30:07.0328 2960 Detected object count: 3
    2011/08/23 22:30:07.0328 2960 Actual detected object count: 3
    2011/08/23 22:31:13.0062 2960 AFD (d9a47e3853528fbcc03ce0e11210fd16) C:\WINDOWS\System32\drivers\afd.sys
    2011/08/23 22:31:13.0062 2960 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: d9a47e3853528fbcc03ce0e11210fd16, Fake md5: 55e6e1c51b6d30e54335750955453702
    2011/08/23 22:31:14.0203 2960 Backup copy found, using it..
    2011/08/23 22:31:14.0218 2960 C:\WINDOWS\System32\drivers\afd.sys - will be cured after reboot
    2011/08/23 22:31:14.0218 2960 Rootkit.Win32.ZAccess.c(AFD) - User select action: Cure
    2011/08/23 22:31:14.0218 2960 HiddenFile.Multi.Generic(edac8d2c) - User select action: Skip
    2011/08/23 22:31:14.0218 2960 LockedFile.Multi.Generic(sptd) - User select action: Skip
     
  10. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  11. JimmaWat

    JimmaWat TS Rookie Topic Starter Posts: 42

    Hmm, this is a bit of a problem. It asks me to install the Recovery console but I need to be connected to the internet, which my computer can't seem to do at the moment.
     
     
  12. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Skip recovery console for now.
     
  13. JimmaWat

    JimmaWat TS Rookie Topic Starter Posts: 42

    I ran ComboFix and it scanned and asked to reboot. It told me not to reboot manually and to let it reboot itself (or at least I think so, I might've seen/remembered it wrong), but it's been a couple of minutes and it still hasn't rebooted. Just wondering if this was normal.
     
  14. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Give it some more time.
    Post back in 10 minutes.
     
  15. JimmaWat

    JimmaWat TS Rookie Topic Starter Posts: 42

    15 minutes have passed and it's still sitting there without budging.
     
  16. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Restart manually and see if any log will pop up.
    If not, re-run Combofix.
     
  17. JimmaWat

    JimmaWat TS Rookie Topic Starter Posts: 42

    Did a manual reset and Combofix ran itself upon signing in. Here is the log:

    ComboFix 11-08-23.06 - Administrator 08/23/2011 23:35:58.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2555.2167 [GMT -4:00]
    Running from: H:\ComboFix.exe
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Administrator\GateWayMain.exe
    c:\documents and settings\Administrator\MBRWiz.exe
    C:\feed.txt
    C:\Install.exe
    c:\windows\$NtUninstallKB40831$
    c:\windows\$NtUninstallKB40831$\3946221453
    c:\windows\$NtUninstallKB40831$\3987508524\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
    c:\windows\$NtUninstallKB40831$\3987508524\click.tlb
    c:\windows\$NtUninstallKB40831$\3987508524\L\qectlmpm
    c:\windows\$NtUninstallKB40831$\3987508524\loader.tlb
    c:\windows\$NtUninstallKB40831$\3987508524\U\$000000c0
    c:\windows\$NtUninstallKB40831$\3987508524\U\$000000cb
    c:\windows\$NtUninstallKB40831$\3987508524\U\@00000001
    c:\windows\$NtUninstallKB40831$\3987508524\U\@000000c0
    c:\windows\$NtUninstallKB40831$\3987508524\U\@000000cb
    c:\windows\$NtUninstallKB40831$\3987508524\U\@000000cf
    c:\windows\$NtUninstallKB40831$\3987508524\U\@80000000
    c:\windows\$NtUninstallKB40831$\3987508524\U\@800000c0
    c:\windows\$NtUninstallKB40831$\3987508524\U\@800000cb
    c:\windows\$NtUninstallKB40831$\3987508524\U\@800000cf
    c:\windows\system32\c_98363.nls
    c:\windows\system32\comct332.ocx
    c:\windows\system32\Thumbs.db
    .
    Infected copy of c:\windows\system32\drivers\mrxsmb.sys was found and disinfected
    Restored copy from - The cat found it :)
    c:\windows\system32\ws2help.dll . . . is infected!!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_edac8d2c
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-24 to 2011-08-24 )))))))))))))))))))))))))))))))
    .
    .
    2073-04-13 21:17 . 2006-11-22 00:48 203576 ---h--w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
    2011-08-24 02:53 . 2010-02-24 12:31 454016 -c--a-w- c:\windows\system32\dllcache\mrxsmb.sys
    2011-08-24 02:53 . 2010-02-24 12:31 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-08-23 03:51 . 2011-08-24 02:33 43408 --sha-w- c:\windows\system32\c_98363.nl_
    2011-08-23 02:02 . 2011-08-23 02:02 -------- d-----w- c:\program files\Avira
    2011-08-22 17:59 . 2011-08-22 17:59 -------- d-----w- c:\program files\Virus Secure Lab
    2011-08-18 21:45 . 2011-08-18 21:45 -------- d-----w- c:\program files\Sophos
    2011-08-18 04:28 . 2011-08-18 04:28 -------- d-----w- c:\program files\Foxit Software
    2011-08-18 03:07 . 2011-08-23 03:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-08-18 03:07 . 2011-08-22 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2011-08-18 02:46 . 2011-08-22 20:21 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-08-18 01:00 . 2011-08-18 01:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\QuickScan
    2011-08-18 00:30 . 2011-08-18 00:30 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-08-18 00:30 . 2011-08-18 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-08-18 00:17 . 2011-05-03 20:14 331776 ----a-w- c:\windows\system32\EasyRedirect.dll
    2011-08-18 00:17 . 2011-08-18 02:11 -------- d-----w- c:\program files\Easy-Hide-IP
    2011-08-17 16:37 . 2011-08-17 16:37 -------- d-----w- C:\CherryDeGames
    2011-08-11 18:00 . 2011-08-11 20:07 -------- d-----w- c:\program files\InterActual
    2011-08-07 23:13 . 2011-08-07 23:14 -------- d-----w- c:\program files\PCSX2 0.9.8
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-24 02:32 . 2004-08-04 01:07 138368 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-08-24 02:18 . 2004-08-04 01:07 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2011-08-23 03:51 . 2004-08-04 01:07 35840 ----a-w- c:\windows\system32\drivers\isapnp.sys
    2011-08-16 18:05 . 2011-06-15 08:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-06 23:52 . 2008-11-19 16:37 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-06 23:52 . 2008-11-19 16:37 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-09 21:16 . 2009-12-25 21:10 141200 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.exe
    2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2011-06-09 20:34 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.ex0
    2011-06-08 09:07 . 2011-06-13 12:17 201728 ----a-w- C:\zYan_ID_Changer.dll
    2011-06-07 23:49 . 2011-06-07 23:49 138056 ----a-w- c:\documents and settings\Administrator\Application Data\PnkBstrK.sys
    2011-06-07 23:48 . 2009-12-25 21:10 90112 ----a-w- c:\windows\system32\PnkBstrA.exe
    2011-06-02 07:36 . 2011-06-13 12:17 27648 ----a-w- C:\zYan_X.dll
    2011-04-30 15:16 . 2011-03-27 19:12 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll
    [-] 2004-08-04 . 647C9A7E33CE84E1ADAFB7E49E5FF413 . 577024 . . [5.1.2600.2180] . . c:\windows\system32\user32.dll
    .
    [-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll
    [-] 2004-08-04 . B8452AB7BAF84D1D621776AF8000BBD4 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
    .
    [-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2help.dll
    [-] 2004-08-04 . 37C22A702CFBF08E7BE60C91688CACA1 . 19968 . . [5.1.2600.2180] . . c:\windows\system32\ws2help.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
    @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
    [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
    2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
    @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
    [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
    2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2008-03-25 77824]
    "DeLay"="c:\windows\BisonCam\DeLay.exe" [2008-03-11 53248]
    "RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
    "SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2008-03-26 1208320]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
    "PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-06-06 49168]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Shortcut to kevin.lnk - c:\documents and settings\Administrator\Desktop\Bypass\kevin.exe [2008-10-1 439191]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-10-1 1843000]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2007-06-06 03:03 90112 ----a-w- c:\windows\system32\psqlpwd.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
    "c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\alaplaya\\S4League\\patcher_s4.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4
    "58176:TCP"= 58176:TCP:pando Media Booster
    "58176:UDP"= 58176:UDP:pando Media Booster
    "58417:TCP"= 58417:TCP:pando Media Booster
    "58417:UDP"= 58417:UDP:pando Media Booster
    "58356:TCP"= 58356:TCP:pando Media Booster
    "58356:UDP"= 58356:UDP:pando Media Booster
    .
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/8/2009 10:44 AM 721904]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/3/2004 9:07 PM 14336]
    R2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [3/22/2011 4:16 PM 2304]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/1/2008 11:47 PM 24652]
    R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [10/1/2008 10:23 PM 84240]
    R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [12/23/2009 3:04 PM 17792]
    S0 boci;boci;c:\windows\system32\drivers\sdvhwiu.sys --> c:\windows\system32\drivers\sdvhwiu.sys [?]
    S0 dygygdv;dygygdv;c:\windows\system32\drivers\cihytg.sys --> c:\windows\system32\drivers\cihytg.sys [?]
    S0 wzrwo;wzrwo; [x]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
    S2 HDD & SSD access service;HDD & SSD access service;"c:\program files\Common Files\BinarySense\disksvc.exe" --> c:\program files\Common Files\BinarySense\disksvc.exe [?]
    S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 9:07 PM 14336]
    S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\131.tmp --> c:\windows\system32\131.tmp [?]
    S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [4/1/2010 5:55 PM 133632]
    S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [4/1/2010 5:55 PM 79360]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/31/2009 9:15 PM 18688]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/31/2009 9:15 PM 8320]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [8/31/2009 9:15 PM 42112]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    S3 XDva285;XDva285;\??\c:\windows\system32\XDva285.sys --> c:\windows\system32\XDva285.sys [?]
    S3 XDva296;XDva296;\??\c:\windows\system32\XDva296.sys --> c:\windows\system32\XDva296.sys [?]
    S3 XDva326;XDva326;\??\c:\windows\system32\XDva326.sys --> c:\windows\system32\XDva326.sys [?]
    S3 XDva328;XDva328;\??\c:\windows\system32\XDva328.sys --> c:\windows\system32\XDva328.sys [?]
    S3 XDva332;XDva332;\??\c:\windows\system32\XDva332.sys --> c:\windows\system32\XDva332.sys [?]
    S3 XDva337;XDva337;\??\c:\windows\system32\XDva337.sys --> c:\windows\system32\XDva337.sys [?]
    S3 XDva341;XDva341;\??\c:\windows\system32\XDva341.sys --> c:\windows\system32\XDva341.sys [?]
    S3 XDva343;XDva343;\??\c:\windows\system32\XDva343.sys --> c:\windows\system32\XDva343.sys [?]
    S3 XDva346;XDva346;\??\c:\windows\system32\XDva346.sys --> c:\windows\system32\XDva346.sys [?]
    S3 XDva347;XDva347;\??\c:\windows\system32\XDva347.sys --> c:\windows\system32\XDva347.sys [?]
    S3 XDva349;XDva349;\??\c:\windows\system32\XDva349.sys --> c:\windows\system32\XDva349.sys [?]
    S3 XDva351;XDva351;\??\c:\windows\system32\XDva351.sys --> c:\windows\system32\XDva351.sys [?]
    S3 XDva352;XDva352;\??\c:\windows\system32\XDva352.sys --> c:\windows\system32\XDva352.sys [?]
    S3 XDva354;XDva354;\??\c:\windows\system32\XDva354.sys --> c:\windows\system32\XDva354.sys [?]
    S3 XDva358;XDva358;\??\c:\windows\system32\XDva358.sys --> c:\windows\system32\XDva358.sys [?]
    S3 XDva359;XDva359;\??\c:\windows\system32\XDva359.sys --> c:\windows\system32\XDva359.sys [?]
    S3 XDva362;XDva362;\??\c:\windows\system32\XDva362.sys --> c:\windows\system32\XDva362.sys [?]
    S3 XDva370;XDva370;\??\c:\windows\system32\XDva370.sys --> c:\windows\system32\XDva370.sys [?]
    S3 XDva375;XDva375;\??\c:\windows\system32\XDva375.sys --> c:\windows\system32\XDva375.sys [?]
    S3 XDva380;XDva380;\??\c:\windows\system32\XDva380.sys --> c:\windows\system32\XDva380.sys [?]
    S3 XDva383;XDva383;\??\c:\windows\system32\XDva383.sys --> c:\windows\system32\XDva383.sys [?]
    S3 XDva385;XDva385;\??\c:\windows\system32\XDva385.sys --> c:\windows\system32\XDva385.sys [?]
    S3 XDva386;XDva386;\??\c:\windows\system32\XDva386.sys --> c:\windows\system32\XDva386.sys [?]
    S3 XDva387;XDva387;\??\c:\windows\system32\XDva387.sys --> c:\windows\system32\XDva387.sys [?]
    S3 XDva388;XDva388;\??\c:\windows\system32\XDva388.sys --> c:\windows\system32\XDva388.sys [?]
    S3 XDva389;XDva389;\??\c:\windows\system32\XDva389.sys --> c:\windows\system32\XDva389.sys [?]
    S4 dwrfa;dwrfa;c:\windows\system32\drivers\cpma.sys [7/10/2010 12:10 AM 54016]
    S4 fqlpjiyc;fqlpjiyc;c:\windows\system32\drivers\htubn.sys [7/9/2010 11:51 PM 54016]
    S4 kwaxi;kwaxi;c:\windows\system32\drivers\vldso.sys [7/9/2010 11:38 PM 54016]
    S4 nepo;nepo;c:\windows\system32\drivers\dbxd.sys [7/9/2010 11:38 PM 54016]
    S4 nscb;nscb;c:\windows\system32\drivers\xiip.sys [6/13/2010 8:04 PM 54016]
    S4 sajy;sajy;c:\windows\system32\drivers\snba.sys [6/13/2010 8:12 PM 54016]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-22 c:\windows\Tasks\AdobeAAMUpdater-1.0-JIMMAWAT-Administrator.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-05-31 07:44]
    .
    2011-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
    .
    2011-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
    .
    2011-08-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500Core.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
    .
    2011-08-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500UA.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
    .
    2011-08-24 c:\windows\Tasks\RegCure Startup.job
    - c:\regcure\RegCure.exe [2010-02-23 01:29]
    .
    2009-11-09 c:\windows\Tasks\Test.job
    - c:\windows\system32\ntbackup.exe [2004-08-04 01:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.orbitdownloader.com/
    uInternet Settings,ProxyServer = http=106.230
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z1748ax6.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101027100&s=
    FF - prefs.js: network.proxy.ftp - 109.230.216.23
    FF - prefs.js: network.proxy.ftp_port - 1080
    FF - prefs.js: network.proxy.http - 109.230.216.23
    FF - prefs.js: network.proxy.http_port - 1080
    FF - prefs.js: network.proxy.socks - 109.230.216.23
    FF - prefs.js: network.proxy.socks_port - 1080
    FF - prefs.js: network.proxy.ssl - 109.230.216.23
    FF - prefs.js: network.proxy.ssl_port - 1080
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-GateWay - c:\documents and settings\Administrator\GateWayMain.exe
    HKCU-Run-AdobeBridge - (no file)
    HKCU-Run-Easy-Hide-IP - c:\program files\Easy-Hide-IP\easy-hide-ip.exe
    HKLM-Run-Malwarebytes Anti-Malware (rootkit-scan) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
    SafeBoot-37585001.sys
    SafeBoot-85521509.sys
    SafeBoot-98100742.sys
    SafeBoot-klmdb.sys
    HKLM_ActiveSetup-{0FDEABD1-E3FE-3DDE-FAE8-CADCD636FFB5} - c:\documents and settings\Administrator\Application Data\svchost.exe
    AddRemove-{0166E190-92D7-482A-A220-DE8B7354383A} - c:\documents and settings\Administrator\Local Settings\Application Data\{67C33A62-5B1D-43D1-9600-16006F36EB2B}\setup.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-23 23:53
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\131.tmp"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT\Parameters]
    @DACL=(02 0000)
    "TransportBindName"="\\Device\\"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(980)
    c:\windows\system32\vrlogon.dll
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\psqlpwd.dll
    c:\program files\Protector Suite QL\homefus2.dll
    c:\program files\Protector Suite QL\infra.dll
    c:\program files\Protector Suite QL\homepass.dll
    c:\program files\Protector Suite QL\bio.dll
    c:\program files\Protector Suite QL\remote.dll
    c:\program files\Protector Suite QL\crypto.dll
    .
    - - - - - - - > 'explorer.exe'(3272)
    c:\program files\Protector Suite QL\farchns.dll
    c:\program files\Protector Suite QL\infra.dll
    c:\windows\system32\msi.dll
    c:\windows\IME\SPGRMR.DLL
    c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\WinSCP\DragExt.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\rundll32.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\Protector Suite QL\psqltray.exe
    c:\program files\Orbitdownloader\orbitnet.exe
    c:\program files\Skype\Plugin Manager\skypePM.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-23 23:56:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-24 03:56
    .
    Pre-Run: 16,290,906,112 bytes free
    Post-Run: 25,813,757,952 bytes free
    .
    - - End Of File - - A4965A98A248B5D01FE134A1969F4509
     
  18. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Uninstall RegCure.
    Registry cleaners/optimizers are not recommended for several reasons:

    • Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

      The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.
    • Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.
    • Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.
    • Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.
    • The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".
    Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.


    ====================================================================

    Unless you installed Viewpoint Manager knowledgeably...
    Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
    Uninstall any of the following programs associated with Viewpoint:
    * Viewpoint Manager
    * Viewpoint Media Player
    * Viewpoint Toolbar
    This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

    ==================================================================

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\c_98363.nl_
    c:\windows\system32\drivers\sdvhwiu.sys
    c:\windows\system32\drivers\cihytg.sys
    c:\windows\system32\drivers\snba.sys
    c:\windows\system32\drivers\xiip.sys
    c:\windows\system32\drivers\dbxd.sys
    c:\windows\system32\drivers\vldso.sys
    c:\windows\system32\drivers\htubn.sys
    c:\windows\system32\drivers\cpma.sys
    c:\windows\Tasks\RegCure Startup.job
    
    
    Folder::
    
    Driver::
    boci
    dygygdv
    wzrwo
    dwrfa
    fqlpjiyc
    kwaxi
    nepo
    nscb
    sajy
    
    DDS::
    uInternet Settings,ProxyServer = http=106.230
    
    FireFox::
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z1748ax6.default\
    FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101027100&s=
    FF - prefs.js: network.proxy.ftp - 109.230.216.23
    FF - prefs.js: network.proxy.ftp_port - 1080
    FF - prefs.js: network.proxy.http - 109.230.216.23
    FF - prefs.js: network.proxy.http_port - 1080
    FF - prefs.js: network.proxy.socks - 109.230.216.23
    FF - prefs.js: network.proxy.socks_port - 1080
    FF - prefs.js: network.proxy.ssl - 109.230.216.23
    FF - prefs.js: network.proxy.ssl_port - 1080
    FF - prefs.js: network.proxy.type - 0
    
    Registry::
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
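    The CFScript above hands ComboFix the proxy and Firefox lines picked out of the earlier "Supplementary Scan" block. As an added example (not ComboFix's own code and not part of this thread), the script below reads a ComboFix log fragment, flags Firefox `network.proxy.*` hosts that point outside the local network plus any IE `ProxyServer` entry, and renders the matching `DDS::` / `FireFox::` sections; the sample log is constructed in the same layout as the posted one, reusing the proxy address shown in the thread.

```python
"""Flag proxy hijack settings in a ComboFix 'Supplementary Scan' block and
emit the matching CFScript DDS:: / FireFox:: sections.

Added example for this thread; not ComboFix's own code. The section names
(DDS::, FireFox::) and the log line layout follow the thread; SAMPLE_LOG is
constructed, reusing the proxy address that appears in the posted log.
"""
import ipaddress
import re

SAMPLE_LOG = """\
uStart Page = hxxp://search.example-downloader.test/
uInternet Settings,ProxyServer = http=106.230
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\\documents and settings\\User\\Application Data\\Mozilla\\Firefox\\Profiles\\abcd1234.default\\
FF - prefs.js: browser.startup.homepage - hxxp://www.example.test/
FF - prefs.js: network.proxy.http - 109.230.216.23
FF - prefs.js: network.proxy.http_port - 1080
FF - prefs.js: network.proxy.socks - 109.230.216.23
FF - prefs.js: network.proxy.socks_port - 1080
FF - prefs.js: network.proxy.type - 0
FF - user.js: security.warn_submit_insecure - false
"""

IE_PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (.+)$")
FF_PREF_RE = re.compile(r"^FF - (?:prefs|user)\.js: (\S+) - (.*)$")
FF_PROFILE_RE = re.compile(r"^FF - ProfilePath - ")
# Firefox prefs whose value is a proxy host (ports and type are separate prefs)
HOST_PREFS = {"network.proxy.http", "network.proxy.ssl",
              "network.proxy.ftp", "network.proxy.socks"}


def is_local_host(host: str) -> bool:
    """True for loopback and RFC 1918 addresses (and 'localhost');
    anything else, hostnames included, counts as an external proxy target."""
    host = host.strip()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost"
    return addr.is_loopback or addr.is_private


def find_proxy_hijack(log_text: str) -> dict:
    """Return {"DDS": [...], "FireFox": [...]} holding the log lines a
    CFScript would list. If any network.proxy.* host points outside the local
    network, every network.proxy.* line (hosts, ports, type) is included, as
    is the ProfilePath line the FireFox:: section needs; a later change of
    network.proxy.type would otherwise re-activate the leftover hosts."""
    sections = {"DDS": [], "FireFox": []}
    profile_line = None
    proxy_lines = []
    external_proxy = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if IE_PROXY_RE.match(line):
            # A system-wide IE proxy on a home machine is worth removing outright
            sections["DDS"].append(line)
            continue
        if FF_PROFILE_RE.match(line):
            profile_line = line
            continue
        m = FF_PREF_RE.match(line)
        if not m:
            continue
        pref, value = m.groups()
        if not pref.startswith("network.proxy."):
            continue
        proxy_lines.append(line)
        if pref in HOST_PREFS and not is_local_host(value):
            external_proxy = True
    if external_proxy:
        if profile_line:
            sections["FireFox"].append(profile_line)
        sections["FireFox"].extend(proxy_lines)
    return sections


def render_cfscript(sections: dict) -> str:
    """Build CFScript text in the thread's layout: a header ending in '::',
    one entry per line, a blank line between sections; empty ones are omitted."""
    blocks = [name + "::\n" + "\n".join(lines)
              for name, lines in sections.items() if lines]
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(render_cfscript(find_proxy_hijack(SAMPLE_LOG)))
```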
     
  19. JimmaWat

    JimmaWat TS Rookie Topic Starter Posts: 42

    Sorry, I thought you logged off for the night so I turned in to sleep. Ran ComboFix.exe with the CFScript.txt.

    Here is the log:

    ComboFix 11-08-23.06 - Administrator 08/24/2011 13:47:31.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2555.1918 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: H:\CFScript.txt
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    FILE ::
    "c:\windows\system32\c_98363.nl_"
    "c:\windows\system32\drivers\cihytg.sys"
    "c:\windows\system32\drivers\cpma.sys"
    "c:\windows\system32\drivers\dbxd.sys"
    "c:\windows\system32\drivers\htubn.sys"
    "c:\windows\system32\drivers\sdvhwiu.sys"
    "c:\windows\system32\drivers\snba.sys"
    "c:\windows\system32\drivers\vldso.sys"
    "c:\windows\system32\drivers\xiip.sys"
    "c:\windows\Tasks\RegCure Startup.job"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\c_98363.nl_
    c:\windows\system32\drivers\cpma.sys
    c:\windows\system32\drivers\dbxd.sys
    c:\windows\system32\drivers\htubn.sys
    c:\windows\system32\drivers\snba.sys
    c:\windows\system32\drivers\vldso.sys
    c:\windows\system32\drivers\xiip.sys
    .
    c:\windows\system32\ws2help.dll . . . is infected!!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_DWRFA
    -------\Legacy_FQLPJIYC
    -------\Legacy_KWAXI
    -------\Legacy_NEPO
    -------\Legacy_NSCB
    -------\Legacy_SAJY
    -------\Legacy_WZRWO
    -------\Service_boci
    -------\Service_dwrfa
    -------\Service_dygygdv
    -------\Service_fqlpjiyc
    -------\Service_kwaxi
    -------\Service_nepo
    -------\Service_nscb
    -------\Service_sajy
    -------\Service_wzrwo
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-24 to 2011-08-24 )))))))))))))))))))))))))))))))
    .
    .
    2073-04-13 21:17 . 2006-11-22 00:48 203576 ---h--w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
    2011-08-24 02:53 . 2010-02-24 12:31 454016 -c--a-w- c:\windows\system32\dllcache\mrxsmb.sys
    2011-08-24 02:53 . 2010-02-24 12:31 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-08-23 02:02 . 2011-08-23 02:02 -------- d-----w- c:\program files\Avira
    2011-08-22 17:59 . 2011-08-22 17:59 -------- d-----w- c:\program files\Virus Secure Lab
    2011-08-18 21:45 . 2011-08-18 21:45 -------- d-----w- c:\program files\Sophos
    2011-08-18 04:28 . 2011-08-18 04:28 -------- d-----w- c:\program files\Foxit Software
    2011-08-18 03:07 . 2011-08-23 03:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-08-18 03:07 . 2011-08-22 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2011-08-18 02:46 . 2011-08-22 20:21 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-08-18 01:00 . 2011-08-18 01:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\QuickScan
    2011-08-18 00:30 . 2011-08-18 00:30 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-08-18 00:30 . 2011-08-18 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-08-18 00:17 . 2011-05-03 20:14 331776 ----a-w- c:\windows\system32\EasyRedirect.dll
    2011-08-18 00:17 . 2011-08-18 02:11 -------- d-----w- c:\program files\Easy-Hide-IP
    2011-08-17 16:37 . 2011-08-17 16:37 -------- d-----w- C:\CherryDeGames
    2011-08-11 18:00 . 2011-08-11 20:07 -------- d-----w- c:\program files\InterActual
    2011-08-07 23:13 . 2011-08-07 23:14 -------- d-----w- c:\program files\PCSX2 0.9.8
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-24 02:32 . 2004-08-04 01:07 138368 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-08-24 02:18 . 2004-08-04 01:07 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2011-08-23 03:51 . 2004-08-04 01:07 35840 ----a-w- c:\windows\system32\drivers\isapnp.sys
    2011-08-16 18:05 . 2011-06-15 08:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-06 23:52 . 2008-11-19 16:37 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-06 23:52 . 2008-11-19 16:37 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-09 21:16 . 2009-12-25 21:10 141200 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.exe
    2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2011-06-09 20:34 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.ex0
    2011-06-08 09:07 . 2011-06-13 12:17 201728 ----a-w- C:\zYan_ID_Changer.dll
    2011-06-07 23:49 . 2011-06-07 23:49 138056 ----a-w- c:\documents and settings\Administrator\Application Data\PnkBstrK.sys
    2011-06-07 23:48 . 2009-12-25 21:10 90112 ----a-w- c:\windows\system32\PnkBstrA.exe
    2011-06-02 07:36 . 2011-06-13 12:17 27648 ----a-w- C:\zYan_X.dll
    2011-04-30 15:16 . 2011-03-27 19:12 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll
    [-] 2004-08-04 . 647C9A7E33CE84E1ADAFB7E49E5FF413 . 577024 . . [5.1.2600.2180] . . c:\windows\system32\user32.dll
    .
    [-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll
    [-] 2004-08-04 . B8452AB7BAF84D1D621776AF8000BBD4 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
    .
    [-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2help.dll
    [-] 2004-08-04 . 37C22A702CFBF08E7BE60C91688CACA1 . 19968 . . [5.1.2600.2180] . . c:\windows\system32\ws2help.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-08-24_03.51.41 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-08-24 18:01 . 2011-08-24 18:01 16384 c:\windows\Temp\Perflib_Perfdata_69c.dat
    + 2011-08-24 18:01 . 2011-08-24 18:01 16384 c:\windows\Temp\Perflib_Perfdata_2b4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
    @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
    [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
    2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
    @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
    [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
    2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2008-03-25 77824]
    "DeLay"="c:\windows\BisonCam\DeLay.exe" [2008-03-11 53248]
    "RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
    "SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2008-03-26 1208320]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
    "PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-06-06 49168]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Shortcut to kevin.lnk - c:\documents and settings\Administrator\Desktop\Bypass\kevin.exe [2008-10-1 439191]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-10-1 1843000]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2007-06-06 03:03 90112 ----a-w- c:\windows\system32\psqlpwd.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
    "c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\alaplaya\\S4League\\patcher_s4.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4
    "58176:TCP"= 58176:TCP:pando Media Booster
    "58176:UDP"= 58176:UDP:pando Media Booster
    "58417:TCP"= 58417:TCP:pando Media Booster
    "58417:UDP"= 58417:UDP:pando Media Booster
    "58356:TCP"= 58356:TCP:pando Media Booster
    "58356:UDP"= 58356:UDP:pando Media Booster
    .
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/8/2009 10:44 AM 721904]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/3/2004 9:07 PM 14336]
    R2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [3/22/2011 4:16 PM 2304]
    R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [10/1/2008 10:23 PM 84240]
    R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [12/23/2009 3:04 PM 17792]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
    S2 HDD & SSD access service;HDD & SSD access service;"c:\program files\Common Files\BinarySense\disksvc.exe" --> c:\program files\Common Files\BinarySense\disksvc.exe [?]
    S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 9:07 PM 14336]
    S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\131.tmp --> c:\windows\system32\131.tmp [?]
    S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [4/1/2010 5:55 PM 133632]
    S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [4/1/2010 5:55 PM 79360]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/31/2009 9:15 PM 18688]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/31/2009 9:15 PM 8320]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [8/31/2009 9:15 PM 42112]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    S3 XDva285;XDva285;\??\c:\windows\system32\XDva285.sys --> c:\windows\system32\XDva285.sys [?]
    S3 XDva296;XDva296;\??\c:\windows\system32\XDva296.sys --> c:\windows\system32\XDva296.sys [?]
    S3 XDva326;XDva326;\??\c:\windows\system32\XDva326.sys --> c:\windows\system32\XDva326.sys [?]
    S3 XDva328;XDva328;\??\c:\windows\system32\XDva328.sys --> c:\windows\system32\XDva328.sys [?]
    S3 XDva332;XDva332;\??\c:\windows\system32\XDva332.sys --> c:\windows\system32\XDva332.sys [?]
    S3 XDva337;XDva337;\??\c:\windows\system32\XDva337.sys --> c:\windows\system32\XDva337.sys [?]
    S3 XDva341;XDva341;\??\c:\windows\system32\XDva341.sys --> c:\windows\system32\XDva341.sys [?]
    S3 XDva343;XDva343;\??\c:\windows\system32\XDva343.sys --> c:\windows\system32\XDva343.sys [?]
    S3 XDva346;XDva346;\??\c:\windows\system32\XDva346.sys --> c:\windows\system32\XDva346.sys [?]
    S3 XDva347;XDva347;\??\c:\windows\system32\XDva347.sys --> c:\windows\system32\XDva347.sys [?]
    S3 XDva349;XDva349;\??\c:\windows\system32\XDva349.sys --> c:\windows\system32\XDva349.sys [?]
    S3 XDva351;XDva351;\??\c:\windows\system32\XDva351.sys --> c:\windows\system32\XDva351.sys [?]
    S3 XDva352;XDva352;\??\c:\windows\system32\XDva352.sys --> c:\windows\system32\XDva352.sys [?]
    S3 XDva354;XDva354;\??\c:\windows\system32\XDva354.sys --> c:\windows\system32\XDva354.sys [?]
    S3 XDva358;XDva358;\??\c:\windows\system32\XDva358.sys --> c:\windows\system32\XDva358.sys [?]
    S3 XDva359;XDva359;\??\c:\windows\system32\XDva359.sys --> c:\windows\system32\XDva359.sys [?]
    S3 XDva362;XDva362;\??\c:\windows\system32\XDva362.sys --> c:\windows\system32\XDva362.sys [?]
    S3 XDva370;XDva370;\??\c:\windows\system32\XDva370.sys --> c:\windows\system32\XDva370.sys [?]
    S3 XDva375;XDva375;\??\c:\windows\system32\XDva375.sys --> c:\windows\system32\XDva375.sys [?]
    S3 XDva380;XDva380;\??\c:\windows\system32\XDva380.sys --> c:\windows\system32\XDva380.sys [?]
    S3 XDva383;XDva383;\??\c:\windows\system32\XDva383.sys --> c:\windows\system32\XDva383.sys [?]
    S3 XDva385;XDva385;\??\c:\windows\system32\XDva385.sys --> c:\windows\system32\XDva385.sys [?]
    S3 XDva386;XDva386;\??\c:\windows\system32\XDva386.sys --> c:\windows\system32\XDva386.sys [?]
    S3 XDva387;XDva387;\??\c:\windows\system32\XDva387.sys --> c:\windows\system32\XDva387.sys [?]
    S3 XDva388;XDva388;\??\c:\windows\system32\XDva388.sys --> c:\windows\system32\XDva388.sys [?]
    S3 XDva389;XDva389;\??\c:\windows\system32\XDva389.sys --> c:\windows\system32\XDva389.sys [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-24 c:\windows\Tasks\AdobeAAMUpdater-1.0-JIMMAWAT-Administrator.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-05-31 07:44]
    .
    2011-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
    .
    2011-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
    .
    2011-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500Core.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
    .
    2011-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500UA.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
    .
    2009-11-09 c:\windows\Tasks\Test.job
    - c:\windows\system32\ntbackup.exe [2004-08-04 01:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.orbitdownloader.com/
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z1748ax6.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-24 14:02
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\131.tmp"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT\Parameters]
    @DACL=(02 0000)
    "TransportBindName"="\\Device\\"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(980)
    c:\windows\system32\vrlogon.dll
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\psqlpwd.dll
    c:\program files\Protector Suite QL\homefus2.dll
    c:\program files\Protector Suite QL\infra.dll
    c:\program files\Protector Suite QL\homepass.dll
    c:\program files\Protector Suite QL\bio.dll
    c:\program files\Protector Suite QL\remote.dll
    c:\program files\Protector Suite QL\crypto.dll
    .
    - - - - - - - > 'explorer.exe'(1516)
    c:\program files\Protector Suite QL\farchns.dll
    c:\program files\Protector Suite QL\infra.dll
    c:\windows\system32\msi.dll
    c:\windows\IME\SPGRMR.DLL
    c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\WinSCP\DragExt.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\program files\SUPERAntiSpyware\SASSEH.DLL
    c:\windows\system32\browselc.dll
    c:\windows\system32\wpdshext.dll
    c:\windows\system32\Audiodev.dll
    c:\windows\system32\WMVCore.DLL
    c:\windows\system32\WMASF.DLL
    c:\program files\Microsoft Office\Office10\msohev.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvsvc32.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\rundll32.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\program files\Protector Suite QL\psqltray.exe
    c:\program files\Orbitdownloader\orbitnet.exe
    c:\program files\Skype\Plugin Manager\skypePM.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-08-24 14:05:06 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-08-24 18:05
    ComboFix2.txt 2011-08-24 03:56
    .
    Pre-Run: 25,852,653,568 bytes free
    Post-Run: 25,826,570,240 bytes free
    .
    - - End Of File - - 13786804F529E6649CC8EA2FD94ADF72
     
  20. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll | c:\windows\system32\user32.dll
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG]


    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  21. JimmaWat

    JimmaWat TS Rookie Topic Starter Posts: 42

    I ran the scan and as it was scanning, a prompt came up and told me that I needed to insert my Windows XP Professional Service Pack 2 CD to replace some files with the original. I don't have the CD with me though, and I'm not sure where I've placed it. What should I do?
     
  22. JimmaWat

    JimmaWat TS Rookie Topic Starter Posts: 42

    It looks like ComboFix.exe is still running though.
     
  23. JimmaWat

    JimmaWat TS Rookie Topic Starter Posts: 42

    Here's the log:

    ComboFix 11-08-23.06 - Administrator 08/24/2011 21:36:14.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2555.1790 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\ws2help.dll . . . is infected!!
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll --> c:\windows\system32\user32.dll
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-25 to 2011-08-25 )))))))))))))))))))))))))))))))
    .
    .
    2073-04-13 21:17 . 2006-11-22 00:48 203576 ---h--w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
    2011-08-24 02:53 . 2010-02-24 12:31 454016 -c--a-w- c:\windows\system32\dllcache\mrxsmb.sys
    2011-08-24 02:53 . 2010-02-24 12:31 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-08-23 02:02 . 2011-08-23 02:02 -------- d-----w- c:\program files\Avira
    2011-08-22 17:59 . 2011-08-22 17:59 -------- d-----w- c:\program files\Virus Secure Lab
    2011-08-18 21:45 . 2011-08-18 21:45 -------- d-----w- c:\program files\Sophos
    2011-08-18 04:28 . 2011-08-18 04:28 -------- d-----w- c:\program files\Foxit Software
    2011-08-18 03:07 . 2011-08-23 03:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-08-18 03:07 . 2011-08-22 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2011-08-18 02:46 . 2011-08-22 20:21 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-08-18 01:00 . 2011-08-18 01:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\QuickScan
    2011-08-18 00:30 . 2011-08-18 00:30 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-08-18 00:30 . 2011-08-18 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-08-18 00:17 . 2011-05-03 20:14 331776 ----a-w- c:\windows\system32\EasyRedirect.dll
    2011-08-18 00:17 . 2011-08-18 02:11 -------- d-----w- c:\program files\Easy-Hide-IP
    2011-08-17 16:37 . 2011-08-17 16:37 -------- d-----w- C:\CherryDeGames
    2011-08-11 18:00 . 2011-08-11 20:07 -------- d-----w- c:\program files\InterActual
    2011-08-07 23:13 . 2011-08-07 23:14 -------- d-----w- c:\program files\PCSX2 0.9.8
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-24 02:32 . 2004-08-04 01:07 138368 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-08-24 02:18 . 2004-08-04 01:07 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2011-08-23 03:51 . 2004-08-04 01:07 35840 ----a-w- c:\windows\system32\drivers\isapnp.sys
    2011-08-16 18:05 . 2011-06-15 08:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-06 23:52 . 2008-11-19 16:37 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-06 23:52 . 2008-11-19 16:37 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-09 21:16 . 2009-12-25 21:10 141200 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.exe
    2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2011-06-09 20:34 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.ex0
    2011-06-08 09:07 . 2011-06-13 12:17 201728 ----a-w- C:\zYan_ID_Changer.dll
    2011-06-07 23:49 . 2011-06-07 23:49 138056 ----a-w- c:\documents and settings\Administrator\Application Data\PnkBstrK.sys
    2011-06-07 23:48 . 2009-12-25 21:10 90112 ----a-w- c:\windows\system32\PnkBstrA.exe
    2011-06-02 07:36 . 2011-06-13 12:17 27648 ----a-w- C:\zYan_X.dll
    2011-04-30 15:16 . 2011-03-27 19:12 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll
    [-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.2180] . . c:\windows\system32\user32.dll
    .
    [-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll
    [-] 2004-08-04 . B8452AB7BAF84D1D621776AF8000BBD4 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
    .
    [-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2help.dll
    [-] 2004-08-04 . 37C22A702CFBF08E7BE60C91688CACA1 . 19968 . . [5.1.2600.2180] . . c:\windows\system32\ws2help.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-08-24_03.51.41 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-08-24 18:01 . 2011-08-24 18:01 16384 c:\windows\Temp\Perflib_Perfdata_69c.dat
    + 2011-08-24 18:01 . 2011-08-24 18:01 16384 c:\windows\Temp\Perflib_Perfdata_2b4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
    @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
    [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
    2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
    @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
    [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
    2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2008-03-25 77824]
    "DeLay"="c:\windows\BisonCam\DeLay.exe" [2008-03-11 53248]
    "RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
    "SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2008-03-26 1208320]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
    "PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-06-06 49168]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Shortcut to kevin.lnk - c:\documents and settings\Administrator\Desktop\Bypass\kevin.exe [2008-10-1 439191]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-10-1 1843000]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2007-06-06 03:03 90112 ----a-w- c:\windows\system32\psqlpwd.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
    "c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\alaplaya\\S4League\\patcher_s4.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4
    "58176:TCP"= 58176:TCP:pando Media Booster
    "58176:UDP"= 58176:UDP:pando Media Booster
    "58417:TCP"= 58417:TCP:pando Media Booster
    "58417:UDP"= 58417:UDP:pando Media Booster
    "58356:TCP"= 58356:TCP:pando Media Booster
    "58356:UDP"= 58356:UDP:pando Media Booster
    .
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/8/2009 10:44 AM 721904]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/3/2004 9:07 PM 14336]
    R2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [3/22/2011 4:16 PM 2304]
    R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [10/1/2008 10:23 PM 84240]
    R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [12/23/2009 3:04 PM 17792]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
    S2 HDD & SSD access service;HDD & SSD access service;"c:\program files\Common Files\BinarySense\disksvc.exe" --> c:\program files\Common Files\BinarySense\disksvc.exe [?]
    S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 9:07 PM 14336]
    S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\131.tmp --> c:\windows\system32\131.tmp [?]
    S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [4/1/2010 5:55 PM 133632]
    S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [4/1/2010 5:55 PM 79360]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/31/2009 9:15 PM 18688]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/31/2009 9:15 PM 8320]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [8/31/2009 9:15 PM 42112]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    S3 XDva285;XDva285;\??\c:\windows\system32\XDva285.sys --> c:\windows\system32\XDva285.sys [?]
    S3 XDva296;XDva296;\??\c:\windows\system32\XDva296.sys --> c:\windows\system32\XDva296.sys [?]
    S3 XDva326;XDva326;\??\c:\windows\system32\XDva326.sys --> c:\windows\system32\XDva326.sys [?]
    S3 XDva328;XDva328;\??\c:\windows\system32\XDva328.sys --> c:\windows\system32\XDva328.sys [?]
    S3 XDva332;XDva332;\??\c:\windows\system32\XDva332.sys --> c:\windows\system32\XDva332.sys [?]
    S3 XDva337;XDva337;\??\c:\windows\system32\XDva337.sys --> c:\windows\system32\XDva337.sys [?]
    S3 XDva341;XDva341;\??\c:\windows\system32\XDva341.sys --> c:\windows\system32\XDva341.sys [?]
    S3 XDva343;XDva343;\??\c:\windows\system32\XDva343.sys --> c:\windows\system32\XDva343.sys [?]
    S3 XDva346;XDva346;\??\c:\windows\system32\XDva346.sys --> c:\windows\system32\XDva346.sys [?]
    S3 XDva347;XDva347;\??\c:\windows\system32\XDva347.sys --> c:\windows\system32\XDva347.sys [?]
    S3 XDva349;XDva349;\??\c:\windows\system32\XDva349.sys --> c:\windows\system32\XDva349.sys [?]
    S3 XDva351;XDva351;\??\c:\windows\system32\XDva351.sys --> c:\windows\system32\XDva351.sys [?]
    S3 XDva352;XDva352;\??\c:\windows\system32\XDva352.sys --> c:\windows\system32\XDva352.sys [?]
    S3 XDva354;XDva354;\??\c:\windows\system32\XDva354.sys --> c:\windows\system32\XDva354.sys [?]
    S3 XDva358;XDva358;\??\c:\windows\system32\XDva358.sys --> c:\windows\system32\XDva358.sys [?]
    S3 XDva359;XDva359;\??\c:\windows\system32\XDva359.sys --> c:\windows\system32\XDva359.sys [?]
    S3 XDva362;XDva362;\??\c:\windows\system32\XDva362.sys --> c:\windows\system32\XDva362.sys [?]
    S3 XDva370;XDva370;\??\c:\windows\system32\XDva370.sys --> c:\windows\system32\XDva370.sys [?]
    S3 XDva375;XDva375;\??\c:\windows\system32\XDva375.sys --> c:\windows\system32\XDva375.sys [?]
    S3 XDva380;XDva380;\??\c:\windows\system32\XDva380.sys --> c:\windows\system32\XDva380.sys [?]
    S3 XDva383;XDva383;\??\c:\windows\system32\XDva383.sys --> c:\windows\system32\XDva383.sys [?]
    S3 XDva385;XDva385;\??\c:\windows\system32\XDva385.sys --> c:\windows\system32\XDva385.sys [?]
    S3 XDva386;XDva386;\??\c:\windows\system32\XDva386.sys --> c:\windows\system32\XDva386.sys [?]
    S3 XDva387;XDva387;\??\c:\windows\system32\XDva387.sys --> c:\windows\system32\XDva387.sys [?]
    S3 XDva388;XDva388;\??\c:\windows\system32\XDva388.sys --> c:\windows\system32\XDva388.sys [?]
    S3 XDva389;XDva389;\??\c:\windows\system32\XDva389.sys --> c:\windows\system32\XDva389.sys [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-24 c:\windows\Tasks\AdobeAAMUpdater-1.0-JIMMAWAT-Administrator.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-05-31 07:44]
    .
    2011-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
    .
    2011-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
    .
    2011-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500Core.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
    .
    2011-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500UA.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
    .
    2009-11-09 c:\windows\Tasks\Test.job
    - c:\windows\system32\ntbackup.exe [2004-08-04 01:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.orbitdownloader.com/
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z1748ax6.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-24 21:45
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\131.tmp"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(980)
    c:\windows\system32\vrlogon.dll
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\psqlpwd.dll
    c:\program files\Protector Suite QL\homefus2.dll
    c:\program files\Protector Suite QL\infra.dll
    c:\program files\Protector Suite QL\homepass.dll
    c:\program files\Protector Suite QL\bio.dll
    c:\program files\Protector Suite QL\remote.dll
    c:\program files\Protector Suite QL\crypto.dll
    .
    - - - - - - - > 'explorer.exe'(544)
    c:\program files\Protector Suite QL\farchns.dll
    c:\program files\Protector Suite QL\infra.dll
    c:\windows\system32\msi.dll
    c:\windows\IME\SPGRMR.DLL
    c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-08-24 21:47:17
    ComboFix-quarantined-files.txt 2011-08-25 01:47
    ComboFix2.txt 2011-08-24 18:05
    ComboFix3.txt 2011-08-24 03:56
    .
    Pre-Run: 25,843,576,832 bytes free
    Post-Run: 25,816,621,056 bytes free
    .
    - - End Of File - - F38B6AFE497C01FB2BBA18D7FFAA4FF0
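The Sigcheck block in the log above prints, for each system file, the MD5, size and version of the copy in system32 next to the clean copy cached under SoftwareDistribution. The infected ws2help.dll is the pair whose size is identical but whose hash differs, and after the FCopy step the two entries agree. The following is an added example, not code from this thread or from ComboFix: a small Python parser for lines in that Sigcheck layout, run over sample lines constructed from the log, which pairs the entries by file name and labels each pair. The labels and the same-size-different-hash heuristic are my own and only a triage hint, as the log's own note says: a hash that differs from a cached copy of another service-pack build is expected (ws2_32.dll here), and the authoritative check is against Microsoft's signed catalog.

```python
import re
from collections import defaultdict

# One ComboFix Sigcheck line, in the layout the log above uses:
#   [-] 2004-08-04 . <MD5> . 19968 . . [5.1.2600.2180] . . c:\windows\system32\ws2help.dll
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[-+?])\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[\d.]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

# Sample lines constructed from the Sigcheck block in the log above (before the ws2help.dll FCopy).
SAMPLE_BEFORE = r"""
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.2180] . . c:\windows\system32\user32.dll
.
[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll
[-] 2004-08-04 . B8452AB7BAF84D1D621776AF8000BBD4 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
.
[-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2help.dll
[-] 2004-08-04 . 37C22A702CFBF08E7BE60C91688CACA1 . 19968 . . [5.1.2600.2180] . . c:\windows\system32\ws2help.dll
"""

# The same ws2help.dll pair after the FCopy (constructed from the second log in this thread).
SAMPLE_AFTER = r"""
[-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2help.dll
[-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\ws2help.dll
"""


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; headers, notes and '.' separators are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        # Split the lower-cased path into its directory and file name.
        e["dir"], _, e["name"] = e["path"].lower().rpartition("\\")
        entries.append(e)
    return entries


def classify_pair(system_entry, reference_entry):
    """Heuristic label for a system32 file versus its cached reference copy (my own, not ComboFix's)."""
    if system_entry["md5"] == reference_entry["md5"]:
        return "match"            # identical bytes, whatever the version tag says
    if system_entry["size"] == reference_entry["size"]:
        return "suspect"          # same size, different bytes: the ws2help.dll pattern above
    return "version-differs"      # a different build; verify against a signed catalog instead


def compare_to_reference(entries, system_dir=r"c:\windows\system32"):
    """Pair every file under system_dir with the cached copy of the same name and label it."""
    pairs = defaultdict(dict)
    for e in entries:
        role = "system" if e["dir"] == system_dir.lower() else "reference"
        pairs[e["name"]][role] = e
    findings = {}
    for name, pair in pairs.items():
        if "system" in pair and "reference" in pair:
            findings[name] = classify_pair(pair["system"], pair["reference"])
    return findings


if __name__ == "__main__":
    for label, sample in (("before FCopy", SAMPLE_BEFORE), ("after FCopy", SAMPLE_AFTER)):
        print(label)
        for name, verdict in sorted(compare_to_reference(parse_sigcheck(sample)).items()):
            print(f"  {name:12s} {verdict}")
```

Run as-is it reports user32.dll as a match, ws2_32.dll as a different build and ws2help.dll as suspect for the first log, and ws2help.dll as a match for the second. A "suspect" verdict only says the file deserves a look; the thread's actual confirmation came from ComboFix reporting the file infected and from the hash agreeing with the clean copy after replacement.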
     
  24. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    How is the computer doing at the moment?


    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2help.dll | c:\windows\system32\ws2help.dll
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [IMG]


    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  25. JimmaWat

    JimmaWat TS Rookie Topic Starter Posts: 42

    It's still asking me for the CD and during the scans, it asks me over and over if I don't want to restore the original, but I've just put it aside for now. Ran ComboFix again, here is the log:

    ComboFix 11-08-23.06 - Administrator 08/24/2011 22:16:12.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2555.1794 [GMT -4:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    Command switches used :: H:\CFScript.txt
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    .
    --------------- FCopy ---------------
    .
    c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2help.dll --> c:\windows\system32\ws2help.dll
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-25 to 2011-08-25 )))))))))))))))))))))))))))))))
    .
    .
    2073-04-13 21:17 . 2006-11-22 00:48 203576 ---h--w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
    2011-08-24 02:53 . 2010-02-24 12:31 454016 -c--a-w- c:\windows\system32\dllcache\mrxsmb.sys
    2011-08-24 02:53 . 2010-02-24 12:31 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-08-23 02:02 . 2011-08-23 02:02 -------- d-----w- c:\program files\Avira
    2011-08-22 17:59 . 2011-08-22 17:59 -------- d-----w- c:\program files\Virus Secure Lab
    2011-08-18 21:45 . 2011-08-18 21:45 -------- d-----w- c:\program files\Sophos
    2011-08-18 04:28 . 2011-08-18 04:28 -------- d-----w- c:\program files\Foxit Software
    2011-08-18 03:07 . 2011-08-23 03:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2011-08-18 03:07 . 2011-08-22 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
    2011-08-18 02:46 . 2011-08-22 20:21 -------- d-----w- c:\program files\SUPERAntiSpyware
    2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2011-08-18 01:00 . 2011-08-18 01:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\QuickScan
    2011-08-18 00:30 . 2011-08-18 00:30 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2011-08-18 00:30 . 2011-08-18 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-08-18 00:17 . 2011-05-03 20:14 331776 ----a-w- c:\windows\system32\EasyRedirect.dll
    2011-08-18 00:17 . 2011-08-18 02:11 -------- d-----w- c:\program files\Easy-Hide-IP
    2011-08-17 16:37 . 2011-08-17 16:37 -------- d-----w- C:\CherryDeGames
    2011-08-11 18:00 . 2011-08-11 20:07 -------- d-----w- c:\program files\InterActual
    2011-08-07 23:13 . 2011-08-07 23:14 -------- d-----w- c:\program files\PCSX2 0.9.8
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-08-24 02:32 . 2004-08-04 01:07 138368 ----a-w- c:\windows\system32\drivers\afd.sys
    2011-08-24 02:18 . 2004-08-04 01:07 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2011-08-23 03:51 . 2004-08-04 01:07 35840 ----a-w- c:\windows\system32\drivers\isapnp.sys
    2011-08-16 18:05 . 2011-06-15 08:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-06 23:52 . 2008-11-19 16:37 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-06 23:52 . 2008-11-19 16:37 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-09 21:16 . 2009-12-25 21:10 141200 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
    2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.exe
    2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.xtr
    2011-06-09 20:34 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.ex0
    2011-06-08 09:07 . 2011-06-13 12:17 201728 ----a-w- C:\zYan_ID_Changer.dll
    2011-06-07 23:49 . 2011-06-07 23:49 138056 ----a-w- c:\documents and settings\Administrator\Application Data\PnkBstrK.sys
    2011-06-07 23:48 . 2009-12-25 21:10 90112 ----a-w- c:\windows\system32\PnkBstrA.exe
    2011-06-02 07:36 . 2011-06-13 12:17 27648 ----a-w- C:\zYan_X.dll
    2011-04-30 15:16 . 2011-03-27 19:12 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    [-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll
    [-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.2180] . . c:\windows\system32\user32.dll
    .
    [-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll
    [-] 2004-08-04 . B8452AB7BAF84D1D621776AF8000BBD4 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
    .
    [-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2help.dll
    [-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\ws2help.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-08-24_03.51.41 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-08-24 18:01 . 2011-08-24 18:01 16384 c:\windows\Temp\Perflib_Perfdata_69c.dat
    + 2011-08-24 18:01 . 2011-08-24 18:01 16384 c:\windows\Temp\Perflib_Perfdata_2b4.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
    @="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
    [HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
    2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
    @="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
    [HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
    2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2008-03-25 77824]
    "DeLay"="c:\windows\BisonCam\DeLay.exe" [2008-03-11 53248]
    "RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
    "SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2008-03-26 1208320]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
    "PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-06-06 49168]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
    "nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
    "AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    "SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
    "AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
    "DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
    .
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    Shortcut to kevin.lnk - c:\documents and settings\Administrator\Desktop\Bypass\kevin.exe [2008-10-1 439191]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
    Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-10-1 1843000]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
    2007-06-06 03:03 90112 ----a-w- c:\windows\system32\psqlpwd.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
    "c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\alaplaya\\S4League\\patcher_s4.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4
    "58176:TCP"= 58176:TCP:pando Media Booster
    "58176:UDP"= 58176:UDP:pando Media Booster
    "58417:TCP"= 58417:TCP:pando Media Booster
    "58417:UDP"= 58417:UDP:pando Media Booster
    "58356:TCP"= 58356:TCP:pando Media Booster
    "58356:UDP"= 58356:UDP:pando Media Booster
    .
    R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/8/2009 10:44 AM 721904]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/3/2004 9:07 PM 14336]
    R2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [3/22/2011 4:16 PM 2304]
    R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [10/1/2008 10:23 PM 84240]
    R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [12/23/2009 3:04 PM 17792]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
    S2 HDD & SSD access service;HDD & SSD access service;"c:\program files\Common Files\BinarySense\disksvc.exe" --> c:\program files\Common Files\BinarySense\disksvc.exe [?]
    S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 9:07 PM 14336]
    S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\131.tmp --> c:\windows\system32\131.tmp [?]
    S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [4/1/2010 5:55 PM 133632]
    S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [4/1/2010 5:55 PM 79360]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/31/2009 9:15 PM 18688]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/31/2009 9:15 PM 8320]
    S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [8/31/2009 9:15 PM 42112]
    S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
    S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    S3 XDva285;XDva285;\??\c:\windows\system32\XDva285.sys --> c:\windows\system32\XDva285.sys [?]
    S3 XDva296;XDva296;\??\c:\windows\system32\XDva296.sys --> c:\windows\system32\XDva296.sys [?]
    S3 XDva326;XDva326;\??\c:\windows\system32\XDva326.sys --> c:\windows\system32\XDva326.sys [?]
    S3 XDva328;XDva328;\??\c:\windows\system32\XDva328.sys --> c:\windows\system32\XDva328.sys [?]
    S3 XDva332;XDva332;\??\c:\windows\system32\XDva332.sys --> c:\windows\system32\XDva332.sys [?]
    S3 XDva337;XDva337;\??\c:\windows\system32\XDva337.sys --> c:\windows\system32\XDva337.sys [?]
    S3 XDva341;XDva341;\??\c:\windows\system32\XDva341.sys --> c:\windows\system32\XDva341.sys [?]
    S3 XDva343;XDva343;\??\c:\windows\system32\XDva343.sys --> c:\windows\system32\XDva343.sys [?]
    S3 XDva346;XDva346;\??\c:\windows\system32\XDva346.sys --> c:\windows\system32\XDva346.sys [?]
    S3 XDva347;XDva347;\??\c:\windows\system32\XDva347.sys --> c:\windows\system32\XDva347.sys [?]
    S3 XDva349;XDva349;\??\c:\windows\system32\XDva349.sys --> c:\windows\system32\XDva349.sys [?]
    S3 XDva351;XDva351;\??\c:\windows\system32\XDva351.sys --> c:\windows\system32\XDva351.sys [?]
    S3 XDva352;XDva352;\??\c:\windows\system32\XDva352.sys --> c:\windows\system32\XDva352.sys [?]
    S3 XDva354;XDva354;\??\c:\windows\system32\XDva354.sys --> c:\windows\system32\XDva354.sys [?]
    S3 XDva358;XDva358;\??\c:\windows\system32\XDva358.sys --> c:\windows\system32\XDva358.sys [?]
    S3 XDva359;XDva359;\??\c:\windows\system32\XDva359.sys --> c:\windows\system32\XDva359.sys [?]
    S3 XDva362;XDva362;\??\c:\windows\system32\XDva362.sys --> c:\windows\system32\XDva362.sys [?]
    S3 XDva370;XDva370;\??\c:\windows\system32\XDva370.sys --> c:\windows\system32\XDva370.sys [?]
    S3 XDva375;XDva375;\??\c:\windows\system32\XDva375.sys --> c:\windows\system32\XDva375.sys [?]
    S3 XDva380;XDva380;\??\c:\windows\system32\XDva380.sys --> c:\windows\system32\XDva380.sys [?]
    S3 XDva383;XDva383;\??\c:\windows\system32\XDva383.sys --> c:\windows\system32\XDva383.sys [?]
    S3 XDva385;XDva385;\??\c:\windows\system32\XDva385.sys --> c:\windows\system32\XDva385.sys [?]
    S3 XDva386;XDva386;\??\c:\windows\system32\XDva386.sys --> c:\windows\system32\XDva386.sys [?]
    S3 XDva387;XDva387;\??\c:\windows\system32\XDva387.sys --> c:\windows\system32\XDva387.sys [?]
    S3 XDva388;XDva388;\??\c:\windows\system32\XDva388.sys --> c:\windows\system32\XDva388.sys [?]
    S3 XDva389;XDva389;\??\c:\windows\system32\XDva389.sys --> c:\windows\system32\XDva389.sys [?]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-08-24 c:\windows\Tasks\AdobeAAMUpdater-1.0-JIMMAWAT-Administrator.job
    - c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-05-31 07:44]
    .
    2011-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
    .
    2011-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
    .
    2011-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500Core.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
    .
    2011-08-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500UA.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
    .
    2009-11-09 c:\windows\Tasks\Test.job
    - c:\windows\system32\ntbackup.exe [2004-08-04 01:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://search.orbitdownloader.com/
    IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
    IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
    IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
    IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z1748ax6.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    FF - user.js: network.protocol-handler.warn-external.dnupdate - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-24 22:19
    Windows 5.1.2600 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\131.tmp"
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
    "ImagePath"="c:\windows\system32\GameMon.des -service"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(980)
    c:\windows\system32\vrlogon.dll
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\psqlpwd.dll
    c:\program files\Protector Suite QL\homefus2.dll
    c:\program files\Protector Suite QL\infra.dll
    c:\program files\Protector Suite QL\homepass.dll
    c:\program files\Protector Suite QL\bio.dll
    c:\program files\Protector Suite QL\remote.dll
    c:\program files\Protector Suite QL\crypto.dll
    .
    - - - - - - - > 'explorer.exe'(1248)
    c:\program files\Protector Suite QL\farchns.dll
    c:\program files\Protector Suite QL\infra.dll
    c:\windows\system32\msi.dll
    c:\windows\IME\SPGRMR.DLL
    c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-08-24 22:21:07
    ComboFix-quarantined-files.txt 2011-08-25 02:21
    ComboFix2.txt 2011-08-25 01:47
    ComboFix3.txt 2011-08-24 18:05
    ComboFix4.txt 2011-08-24 03:56
    .
    Pre-Run: 25,836,244,992 bytes free
    Post-Run: 25,811,058,688 bytes free
    .
    - - End Of File - - AE40CCC8FA4566C0E2E72DDD86A7D941
     
Topic Status:
Not open for further replies.