Hi guys, I'm trying to save one of my two desktop computers. One has already been roughly destroyed (whatever virus ate it, it not only destroyed the boot sector on the HD, but got into the mobo, and even removing the battery on the mobo wouldn't reverse the damage), and this second one is close to following I think.
Any time we try to go to any website, we get redirected to random commercial sites. It took a few dozen tries to get here in fact without being hijacked to some other site. Following are the logs as per the 8-step (6?) directions, copied text only to this thread:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6113
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
3/20/2011 9:43:16 PM
mbam-log-2011-03-20 (21-43-16).txt
Scan type: Quick scan
Objects scanned: 183948
Time elapsed: 1 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 32
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
c:\documents and settings\networkservice\application data\whitesmoketoolbar (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\ed\application data\whitesmoketranslator (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketranslator (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\ed\application data\whitesmokesetup (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmokesetup (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
Files Infected:
c:\documents and settings\networkservice\application data\whitesmoketoolbar\dtx.ini (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\exeArgs.xml (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\guid.dat (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketoolbar\setupCfg.xml (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\ed\application data\whitesmoketranslator\stat.log (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmoketranslator\stat.log (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\ed\application data\whitesmokesetup\0x0409.ini (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\ed\application data\whitesmokesetup\config.txt (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\ed\application data\whitesmokesetup\data1.cab (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\ed\application data\whitesmokesetup\data1.hdr (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\ed\application data\whitesmokesetup\data2.cab (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\ed\application data\whitesmokesetup\ISSetup.dll (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\ed\application data\whitesmokesetup\layout.bin (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\ed\application data\whitesmokesetup\setup.exe (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\ed\application data\whitesmokesetup\setup.ini (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\ed\application data\whitesmokesetup\setup.inx (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\ed\application data\whitesmokesetup\setup.iss (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\ed\application data\whitesmokesetup\setup.log (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\ed\application data\whitesmokesetup\setup.ocx (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmokesetup\0x0409.ini (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmokesetup\config.txt (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmokesetup\data1.cab (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmokesetup\data1.hdr (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmokesetup\data2.cab (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmokesetup\ISSetup.dll (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmokesetup\layout.bin (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmokesetup\setup.exe (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmokesetup\setup.ini (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmokesetup\setup.inx (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmokesetup\setup.iss (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmokesetup\setup.log (PUP.WhiteSmoke) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\whitesmokesetup\setup.ocx (PUP.WhiteSmoke) -> Quarantined
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit quick scan 2011-03-20 22:08:30
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 WDC_WD6400AAKS-00E4A0 rev.05.01D05
Running: 3bj1g4qk.exe; Driver: C:\DOCUME~1\ED1EBC~1.KID\LOCALS~1\Temp\pxtdqpoc.sys
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8AE3927F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8AE3927F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8AE3927F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8AE3927F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort4 8AE3927F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort5 8AE3927F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP4T0L0-16 8AE3927F
Device \Device\Ide\IdeDeviceP2T0L0-7 -> \??\IDE#DiskWDC_WD6400AAKS-00E4A0___________________05.01D05#5&21fca320&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- EOF - GMER 1.0.15 ----
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Ed at 22:11:34.87 on Sun 03/20/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2817 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Documents and Settings\Ed.KIDS\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [DLCDCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCDtime.dll,_RunDLLEntry@16
mRun: [dlcdmon.exe] "c:\program files\dell photo aio printer 944\dlcdmon.exe"
mRun: [MemoryCardManager] "c:\program files\dell photo aio printer 944\memcard.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\ed1ebc~1.kid\applic~1\mozilla\firefox\profiles\jnvd4nmb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\ed.kids\application data\mozilla\firefox\profiles\jnvd4nmb.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\ed.kids\application data\mozilla\firefox\profiles\jnvd4nmb.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\documents and settings\all users.windows\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\all users.windows\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-18 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-18 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-18 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-18 61960]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [2010-12-18 22016]
R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-12-18 1374464]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-10 136176]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [2010-12-18 25984]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2010-12-18 17408]
.
=============== Created Last 30 ================
.
2011-03-20 21:02:40 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\Malwarebytes
2011-03-20 21:02:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-20 21:02:36 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2011-03-20 21:02:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-20 21:02:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-20 05:52:01 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\SPORE
2011-03-20 05:51:53 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-03-20 05:49:00 1216 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2011-03-20 05:48:56 -------- d-----w- c:\docume~1\ed1ebc~1.kid\locals~1\applic~1\Downloaded Installations
2011-03-20 05:30:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-20 05:30:26 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2011-03-19 05:29:32 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\Elephant Games
2011-03-19 05:29:32 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Elephant Games
2011-03-19 05:05:02 -------- d-----w- c:\windows\Shadow Wolf Mysteries- Curse of the Full Moon CE
2011-03-19 04:41:31 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Kristanix Games
2011-03-19 04:28:57 -------- d-----w- c:\program files\MahjongChamp
2011-03-19 04:12:45 -------- d-----w- c:\program files\Virtual Villagers - New Believers
2011-03-18 23:46:03 -------- d-----w- c:\docume~1\ed1ebc~1.kid\locals~1\applic~1\Identities
2011-03-17 00:50:57 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\Gamers Digital
2011-03-17 00:50:57 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Gamers Digital
2011-03-16 13:42:25 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\CursedOnboard
2011-03-15 00:15:29 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\VampireSaga
2011-03-15 00:09:35 -------- d-----w- c:\windows\Goddess Chronicles
2011-03-15 00:09:35 -------- d-----w- c:\program files\Goddess Chronicles
2011-03-15 00:08:54 -------- d-----w- c:\windows\VampireSagaPandorasBox
2011-03-14 22:35:22 -------- d-----w- c:\windows\Death at Fairing Point - A Dana Knightstone Novel CE
2011-03-10 23:17:57 -------- d-----w- c:\program files\Games
2011-03-10 23:11:57 191299 ----a-w- c:\program files\complus applications\bfgclient\uninstall.exe
2011-03-10 23:11:52 -------- d-----w- c:\program files\bfgclient
2011-03-10 17:38:51 -------- d-----w- c:\windows\system32\appmgmt
2011-03-10 17:38:32 -------- d-sh--w- c:\documents and settings\ed.kids\PrivacIE
2011-03-10 05:01:09 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\GestaltGames
2011-03-10 05:01:09 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\GestaltGames
2011-03-10 04:59:44 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Trymedia
2011-03-10 04:52:24 102400 ----a-w- c:\program files\mozilla firefox\plugins\npzylomgamesplayer.dll
2011-03-10 04:52:24 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Zylom
2011-03-10 04:52:07 -------- d-----w- c:\docume~1\ed1ebc~1.kid\locals~1\applic~1\Google
2011-03-10 04:51:37 -------- d-----w- c:\program files\RealArcade
2011-03-07 05:58:56 -------- d-----w- c:\program files\MSXML 4.0
2011-03-05 16:59:43 -------- d-----w- c:\windows\Logs
2011-03-05 16:59:24 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\RIFT
2011-03-05 16:59:21 -------- d-----w- c:\program files\RIFT Game
2011-03-05 04:37:56 -------- d-----w- c:\program files\common files\Jasc Software Inc
2011-03-05 04:37:52 -------- d-----w- c:\program files\Jasc Software Inc
2011-03-05 04:37:08 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2011-03-05 04:36:41 -------- d-----w- c:\program files\Dell Photo AIO Printer 944
2011-03-05 04:36:17 -------- d-----w- c:\program files\Dl_cats
2011-03-05 04:34:50 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-03-05 04:34:50 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-03-05 04:34:42 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-03-05 04:34:42 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-03-05 04:34:39 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2011-03-05 04:34:39 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2011-03-03 05:37:41 -------- d-----w- c:\docume~1\ed1ebc~1.kid\locals~1\applic~1\AskToolbar
2011-03-03 05:37:34 -------- d-----w- c:\program files\Ask.com
2011-03-01 01:58:43 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\Namco
2011-03-01 01:58:24 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\Alawar
2011-03-01 01:58:06 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Namco
2011-03-01 01:55:58 -------- d-----w- c:\windows\The Stroke of Midnight and Guide
2011-02-27 23:17:10 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\Blue Tea Games
2011-02-27 07:29:15 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\DarkParablesBriarRose_BFG
2011-02-26 04:28:39 -------- d-----w- C:\games
2011-02-25 01:33:27 -------- d-----w- c:\program files\Conduit
2011-02-25 01:33:27 -------- d-----w- c:\docume~1\ed1ebc~1.kid\locals~1\applic~1\uTorrentBar
2011-02-25 01:33:27 -------- d-----w- c:\docume~1\ed1ebc~1.kid\locals~1\applic~1\Conduit
2011-02-25 01:33:25 -------- d-----w- c:\program files\ConduitEngine
2011-02-25 01:33:25 -------- d-----w- c:\docume~1\ed1ebc~1.kid\locals~1\applic~1\ConduitEngine
2011-02-25 01:33:24 -------- d-----w- c:\program files\uTorrentBar
2011-02-25 01:33:13 -------- d-----w- c:\program files\uTorrent
2011-02-25 01:32:47 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\uTorrent
2011-02-24 21:47:20 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\Boomzap
2011-02-24 18:18:00 47960 ----a-w- c:\program files\complus applications\bfgclient\bfgprocess.exe
2011-02-24 18:17:56 246616 ----a-w- c:\program files\complus applications\bfgclient\bfggameservices.exe
2011-02-24 18:17:54 1464664 ----a-w- c:\program files\complus applications\bfgclient\bfgcommon.dll
2011-02-24 18:17:52 4961112 ----a-w- c:\program files\complus applications\bfgclient\bfgclient.exe
2011-02-24 18:08:07 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\EleFun Games
2011-02-24 14:30:29 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\Dying for Daylight Shared
2011-02-24 14:30:29 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\Dying for Daylight
2011-02-24 14:30:05 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Dying for Daylight
2011-02-24 06:02:22 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\Artogon
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-24 09:54:26 268445779 ----a-w- c:\docume~1\ed1ebc~1.kid\applic~1\Awakening_2_-_Moonfell_Wood_justforfun-games.com.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD6400AAKS-00E4A0 rev.05.01D05 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-7
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AE39439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ae3f7d0]; MOV EAX, [0x8ae3f84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AE01AB8]
3 CLASSPNP[0xBA118FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006a[0x8AE80F18]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AE02940]
\Driver\atapi[0x8AE4F970] -> IRP_MJ_CREATE -> 0x8AE39439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-7 -> \??\IDE#DiskWDC_WD6400AAKS-00E4A0___________________05.01D05#5&21fca320&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AE3927F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 22:12:45.07 ===============
Let me know if I need to take any more steps. It looks like the kits got past Avira with no trouble, which makes me question whether or not I should look for another antivirus program. Whatever ate my other computer, it too got through Avira, and during an update (it was on scheduled updating, daily check), the virus STOPPED the updating process, disabled Avira, then the system began to hang, forcing me to reset. With every reset, things got only worse, then finally I couldn't even wipe the drive with my Windows disk because the motherboard got fubared (for some reason, it would no longer detect any device and would give a detect error).
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [HDAudDeck] c:\program files\via\viaudioi\hdadeck\HDeck.exe 1
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [DLCDCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCDtime.dll,_RunDLLEntry@16
mRun: [dlcdmon.exe] "c:\program files\dell photo aio printer 944\dlcdmon.exe"
mRun: [MemoryCardManager] "c:\program files\dell photo aio printer 944\memcard.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\ed1ebc~1.kid\applic~1\mozilla\firefox\profiles\jnvd4nmb.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\ed.kids\application data\mozilla\firefox\profiles\jnvd4nmb.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\ed.kids\application data\mozilla\firefox\profiles\jnvd4nmb.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\documents and settings\all users.windows\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\all users.windows\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: uTorrentBar Community Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - %profile%\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-12-18 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-12-18 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-12-18 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-12-18 61960]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [2010-12-18 22016]
R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-12-18 1374464]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-10 136176]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [2010-12-18 25984]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2010-12-18 17408]
.
=============== Created Last 30 ================
.
2011-03-20 21:02:40 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\Malwarebytes
2011-03-20 21:02:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-20 21:02:36 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2011-03-20 21:02:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-20 21:02:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-20 05:52:01 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\SPORE
2011-03-20 05:51:53 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2011-03-20 05:49:00 1216 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2011-03-20 05:48:56 -------- d-----w- c:\docume~1\ed1ebc~1.kid\locals~1\applic~1\Downloaded Installations
2011-03-20 05:30:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-20 05:30:26 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2011-03-19 05:29:32 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\Elephant Games
2011-03-19 05:29:32 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Elephant Games
2011-03-19 05:05:02 -------- d-----w- c:\windows\Shadow Wolf Mysteries- Curse of the Full Moon CE
2011-03-19 04:41:31 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Kristanix Games
2011-03-19 04:28:57 -------- d-----w- c:\program files\MahjongChamp
2011-03-19 04:12:45 -------- d-----w- c:\program files\Virtual Villagers - New Believers
2011-03-18 23:46:03 -------- d-----w- c:\docume~1\ed1ebc~1.kid\locals~1\applic~1\Identities
2011-03-17 00:50:57 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\Gamers Digital
2011-03-17 00:50:57 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Gamers Digital
2011-03-16 13:42:25 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\CursedOnboard
2011-03-15 00:15:29 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\VampireSaga
2011-03-15 00:09:35 -------- d-----w- c:\windows\Goddess Chronicles
2011-03-15 00:09:35 -------- d-----w- c:\program files\Goddess Chronicles
2011-03-15 00:08:54 -------- d-----w- c:\windows\VampireSagaPandorasBox
2011-03-14 22:35:22 -------- d-----w- c:\windows\Death at Fairing Point - A Dana Knightstone Novel CE
2011-03-10 23:17:57 -------- d-----w- c:\program files\Games
2011-03-10 23:11:57 191299 ----a-w- c:\program files\complus applications\bfgclient\uninstall.exe
2011-03-10 23:11:52 -------- d-----w- c:\program files\bfgclient
2011-03-10 17:38:51 -------- d-----w- c:\windows\system32\appmgmt
2011-03-10 17:38:32 -------- d-sh--w- c:\documents and settings\ed.kids\PrivacIE
2011-03-10 05:01:09 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\GestaltGames
2011-03-10 05:01:09 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\GestaltGames
2011-03-10 04:59:44 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Trymedia
2011-03-10 04:52:24 102400 ----a-w- c:\program files\mozilla firefox\plugins\npzylomgamesplayer.dll
2011-03-10 04:52:24 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Zylom
2011-03-10 04:52:07 -------- d-----w- c:\docume~1\ed1ebc~1.kid\locals~1\applic~1\Google
2011-03-10 04:51:37 -------- d-----w- c:\program files\RealArcade
2011-03-07 05:58:56 -------- d-----w- c:\program files\MSXML 4.0
2011-03-05 16:59:43 -------- d-----w- c:\windows\Logs
2011-03-05 16:59:24 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\RIFT
2011-03-05 16:59:21 -------- d-----w- c:\program files\RIFT Game
2011-03-05 04:37:56 -------- d-----w- c:\program files\common files\Jasc Software Inc
2011-03-05 04:37:52 -------- d-----w- c:\program files\Jasc Software Inc
2011-03-05 04:37:08 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2011-03-05 04:36:41 -------- d-----w- c:\program files\Dell Photo AIO Printer 944
2011-03-05 04:36:17 -------- d-----w- c:\program files\Dl_cats
2011-03-05 04:34:50 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2011-03-05 04:34:50 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2011-03-05 04:34:42 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-03-05 04:34:42 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-03-05 04:34:39 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2011-03-05 04:34:39 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2011-03-03 05:37:41 -------- d-----w- c:\docume~1\ed1ebc~1.kid\locals~1\applic~1\AskToolbar
2011-03-03 05:37:34 -------- d-----w- c:\program files\Ask.com
2011-03-01 01:58:43 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\Namco
2011-03-01 01:58:24 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\Alawar
2011-03-01 01:58:06 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Namco
2011-03-01 01:55:58 -------- d-----w- c:\windows\The Stroke of Midnight and Guide
2011-02-27 23:17:10 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\Blue Tea Games
2011-02-27 07:29:15 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\DarkParablesBriarRose_BFG
2011-02-26 04:28:39 -------- d-----w- C:\games
2011-02-25 01:33:27 -------- d-----w- c:\program files\Conduit
2011-02-25 01:33:27 -------- d-----w- c:\docume~1\ed1ebc~1.kid\locals~1\applic~1\uTorrentBar
2011-02-25 01:33:27 -------- d-----w- c:\docume~1\ed1ebc~1.kid\locals~1\applic~1\Conduit
2011-02-25 01:33:25 -------- d-----w- c:\program files\ConduitEngine
2011-02-25 01:33:25 -------- d-----w- c:\docume~1\ed1ebc~1.kid\locals~1\applic~1\ConduitEngine
2011-02-25 01:33:24 -------- d-----w- c:\program files\uTorrentBar
2011-02-25 01:33:13 -------- d-----w- c:\program files\uTorrent
2011-02-25 01:32:47 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\uTorrent
2011-02-24 21:47:20 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\Boomzap
2011-02-24 18:18:00 47960 ----a-w- c:\program files\complus applications\bfgclient\bfgprocess.exe
2011-02-24 18:17:56 246616 ----a-w- c:\program files\complus applications\bfgclient\bfggameservices.exe
2011-02-24 18:17:54 1464664 ----a-w- c:\program files\complus applications\bfgclient\bfgcommon.dll
2011-02-24 18:17:52 4961112 ----a-w- c:\program files\complus applications\bfgclient\bfgclient.exe
2011-02-24 18:08:07 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\EleFun Games
2011-02-24 14:30:29 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\Dying for Daylight Shared
2011-02-24 14:30:29 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\Dying for Daylight
2011-02-24 14:30:05 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Dying for Daylight
2011-02-24 06:02:22 -------- d-----w- c:\docume~1\ed1ebc~1.kid\applic~1\Artogon
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-24 09:54:26 268445779 ----a-w- c:\docume~1\ed1ebc~1.kid\applic~1\Awakening_2_-_Moonfell_Wood_justforfun-games.com.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD6400AAKS-00E4A0 rev.05.01D05 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-7
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AE39439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ae3f7d0]; MOV EAX, [0x8ae3f84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AE01AB8]
3 CLASSPNP[0xBA118FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006a[0x8AE80F18]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AE02940]
\Driver\atapi[0x8AE4F970] -> IRP_MJ_CREATE -> 0x8AE39439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-7 -> \??\IDE#DiskWDC_WD6400AAKS-00E4A0___________________05.01D05#5&21fca320&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AE3927F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 22:12:45.07 ===============
Let me know if I need to take any more steps. It looks like the kits got past Avira with no trouble, which makes me question whether or not I should look for another antivirus program. Whatever ate my other computer, it too got through Avira, and during an update (it was on scheduled updating, daily check), the virus STOPPED the updating process, disabled Avira, then the system began to hang, forcing me to reset. With every reset, things only got worse, and finally I couldn't even wipe the drive with my Windows disk because the motherboard got fubared (for some reason, it would no longer detect any device and would give a detect error).
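The GMER sections above print two things worth checking by hand on a suspected MBR rootkit: the disassembly of sector 0 (the `_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; ... }` block is the standard Windows XP bootstrap) and the `DriverStartIo` hook on `\Driver\atapi`. The script below is an added example, not part of the original post and not a GMER or DDS tool: it encodes that bootstrap into bytes, then triages a 512-byte MBR image for the signature, the boot code, the partition table, and unpartitioned space at the end of the disk (where TDL4 keeps its hidden file system). The sample MBRs, the 2,000,000-sector disk size, and the 1 MiB tail threshold are constructed for the example. On a live machine you would feed it the sector a trusted reader pulled from the disk, not a read made through the hooked driver stack.

```python
"""MBR triage helper (added example; constructed sample data, no real disk access).

Checks an MBR image for the things a responder looks at first when GMER reports
rootkit-like behaviour in sector 0: boot signature, whether the boot code still
matches the Windows XP bootstrap, partition table sanity, and unpartitioned tail.
"""
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE
BOOT_SIGNATURE = b"\x55\xaa"
# Heuristic threshold (assumption): more than 1 MiB of unpartitioned space after
# the last partition is worth a look, since TDL4 stores its files there.
TAIL_SECTORS_THRESHOLD = 2048

# Machine code for the bootstrap GMER disassembled from sector 0:
#   XOR AX,AX; MOV SS,AX; MOV SP,0x7c00; STI; PUSH AX; POP ES; PUSH AX; POP DS;
#   CLD; MOV SI,0x7c1b; MOV DI,0x61b; PUSH AX; PUSH DI; MOV CX,0x1e5; REP MOVSB; RETF
XP_BOOTSTRAP_PREFIX = bytes.fromhex(
    "33c0 8ed0 bc007c fb 50 07 50 1f fc be1b7c bf1b06 50 57 b9e501 f3a4 cb"
)


def parse_partitions(mbr):
    """Return the non-empty entries of the four-slot partition table."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0:
            continue  # empty slot
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def triage_mbr(mbr, disk_sectors=None):
    """Return a list of findings; an empty list means nothing looked off."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)}"]
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 55AA missing")
    if not mbr.startswith(XP_BOOTSTRAP_PREFIX):
        first_diff = next((i for i, (a, b) in enumerate(zip(mbr, XP_BOOTSTRAP_PREFIX))
                           if a != b), len(XP_BOOTSTRAP_PREFIX))
        findings.append(f"boot code differs from XP bootstrap at offset {first_diff}")
    parts = parse_partitions(mbr)
    bootable = [p["slot"] for p in parts if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions, expected 1")
    for a in parts:
        for b in parts:
            if (a["slot"] < b["slot"]
                    and a["lba_start"] < b["lba_start"] + b["sectors"]
                    and b["lba_start"] < a["lba_start"] + a["sectors"]):
                findings.append(f"partitions {a['slot']} and {b['slot']} overlap")
    if disk_sectors is not None and parts:
        tail = disk_sectors - max(p["lba_start"] + p["sectors"] for p in parts)
        if tail > TAIL_SECTORS_THRESHOLD:
            findings.append(f"{tail} unpartitioned sectors after the last partition")
    return findings


def build_sample_mbr(boot_code, partitions, bootable_slot=0):
    """Construct a 512-byte MBR: boot code, zero padding, partition entries, 55AA."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    for i, (ptype, lba_start, sectors) in enumerate(partitions):
        off = PART_TABLE_OFFSET + 16 * i
        mbr[off] = 0x80 if i == bootable_slot else 0x00
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, lba_start, sectors)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Constructed samples: a small 2,000,000-sector disk with one NTFS (0x07) partition.
DISK_SECTORS = 2_000_000
CLEAN_MBR = build_sample_mbr(XP_BOOTSTRAP_PREFIX, [(0x07, 63, 1_999_937)])
# Tampered: boot code replaced (a short jump instead of the XP bootstrap) and the
# partition shrunk so that space is left at the end of the disk.
TAMPERED_MBR = build_sample_mbr(bytes.fromhex("eb1c90") + b"\x00" * 24,
                                [(0x07, 63, 1_990_000)])

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, triage_mbr(image, DISK_SECTORS) or "no findings")
```

The boot-code comparison only covers the first 27 bytes, so a bootkit that keeps the original prefix and patches later would pass it; the signature, partition-table and tail checks are there to catch what the prefix check misses.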