Inactive "The maximum number of secrets that may be stored in a single system has exceeded..."

JimmaWat

So I've picked up a bit of a doozy of a virus recently. Whenever I open a program, a message telling me "The maximum number of secrets that may be stored in a single system has exceeded. The length and number of secrets is limited to satisfy United States State Department export restriction." pops up. It also heavily slows down my Firefox when it loads a page that requires Flash, stops any common antivirus program from being installed, and immediately kills any antivirus program that manages to get installed and tries to scan anywhere near it, along with rendering the .exe non-reusable. I've also tried process killers, as the offending virus seems to be sticking out like a sore thumb with its process named in a random string of numbers, but while they tell me the process is killed, it comes right back, and the program can't seem to find the file it originated from. So after exhausting all my amateur virus-busting knowledge, I've decided to turn to more professional help.

As I stated earlier, all antivirus programs are rendered useless against it, so I couldn't scan with Avira, AVG or MBAM (it seems to have a personal grudge against MBAM, since it denies me access to installing it), so steps 1 and 2 are out. Here are my GMER logs:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-08-22 22:27:20
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 TOSHIBA_MK2552GSX rev.LV010A
Running: nley09pc.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwroypod.sys


---- System - GMER 1.0.15 ----

SSDT spnj.sys ZwEnumerateKey [0xB7EC5CA4]
SSDT spnj.sys ZwEnumerateValueKey [0xB7EC6032]

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A915AEA
Device \Driver\atapi \Device\Ide\IdePort0 8AAC81F8
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A915AEA
Device \Driver\atapi \Device\Ide\IdePort1 8AAC81F8
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A915AEA
Device \Driver\atapi \Device\Ide\IdePort2 8AAC81F8
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A915AEA
Device \Driver\atapi \Device\Ide\IdePort3 8AAC81F8
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8A915AEA
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 8AAC81F8
Device \Driver\argdxp2s \Device\Scsi\argdxp2s1 8A617370
Device \Driver\argdxp2s \Device\Scsi\argdxp2s1Port4Path0Target0Lun0 8A617370
Device \Driver\JMCR \Device\Scsi\JMCR1 8A8271F8
Device \Driver\JMCR \Device\Scsi\JMCR2 8A8271F8
Device \Driver\JMCR \Device\Scsi\JMCR3 8A8271F8
Device \FileSystem\Ntfs \Ntfs 8AAC71F8

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK2552GSX_______________________LV010A__#5&496c666&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Threads - GMER 1.0.15 ----

Thread System [4:860] AA43FFC0
Thread System [4:864] AA43FFC0
Thread System [4:868] AE7A6105
Thread System [4:872] AE7A6105

---- EOF - GMER 1.0.15 ----

And my DDS logs:
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Run by Administrator at 22:29:14 on 2011-08-22
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2555.1748 [GMT -4:00]
.
AV: Defense Center *Enabled/Outdated* {28e00e3b-806e-4533-925c-f4c3d79514b9}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\747482349:307458771.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BisonCam\BisonHK.exe
C:\WINDOWS\BisonCam\DeLay.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\EVEREST.Ultimate.Edition.5.30.1954.Beta\everestultimate_build_1954\everest.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.orbitdownloader.com/
uInternet Settings,ProxyServer = http=106.230
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [GateWay] c:\documents and settings\administrator\GateWayMain.exe
uRun: [AdobeBridge]
uRun: [Easy-Hide-IP] c:\program files\easy-hide-ip\easy-hide-ip.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_ActiveX.exe -update activex
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [BisonHK] c:\windows\bisoncam\BisonHK.exe
mRun: [DeLay] c:\windows\bisoncam\DeLay.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\program files\common files\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRunServices: [QuickTimePictureViewer] c:\program files\quicktime alternative\pictureviewer.resources\it.lproj\quicktimequicktime7.6.51327.79.exe
mRunServices: [QuickTimeQuickTimeResources] c:\program files\quicktime alternative\propertypanels\panelhelperbase.resources\de.lproj\quicktimequicktimeresources7.6.41327.58.exe
mRunServices: [PictureViewerQuickTime] c:\program files\quicktime alternative\pictureviewer.resources\it.lproj\quicktimequicktime7.6.51327.79.exe
mRunServices: [StudioMSDIA80] c:\program files\common files\microsoft shared\vc\studiomicrosoft.exe
mRunServices: [AUTHMGRSMPLFSYS] c:\program files\adobe\adobe premiere pro cs3\helix\bin\plugins\realmediasimple.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\shortc~1.lnk - c:\documents and settings\administrator\desktop\bypass\kevin.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: psfus - c:\windows\system32\psqlpwd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli psqlpwd
mASetup: {0FDEABD1-E3FE-3DDE-FAE8-CADCD636FFB5} - c:\documents and settings\administrator\application data\svchost.exe
IFEO: image file execution options - svchost.exe
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\z1748ax6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101027100&s=
FF - prefs.js: network.proxy.ftp - 109.230.216.23
FF - prefs.js: network.proxy.ftp_port - 1080
FF - prefs.js: network.proxy.http - 109.230.216.23
FF - prefs.js: network.proxy.http_port - 1080
FF - prefs.js: network.proxy.socks - 109.230.216.23
FF - prefs.js: network.proxy.socks_port - 1080
FF - prefs.js: network.proxy.ssl - 109.230.216.23
FF - prefs.js: network.proxy.ssl_port - 1080
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\z1748ax6.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\3.0.40624.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\windows\system32\npOGPPlugin.dll
FF - plugin: c:\windows\system32\npptools.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-3 14336]
R2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [2011-3-22 2304]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-1 24652]
R3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\everest.ultimate.edition.5.30.1954.beta\everestultimate_build_1954\kerneld.wnt [2010-8-30 27760]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2008-10-1 84240]
R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\131.tmp --> c:\windows\system32\131.tmp [?]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [2009-12-23 17792]
S0 boci;boci;c:\windows\system32\drivers\sdvhwiu.sys --> c:\windows\system32\drivers\sdvhwiu.sys [?]
S0 dygygdv;dygygdv;c:\windows\system32\drivers\cihytg.sys --> c:\windows\system32\drivers\cihytg.sys [?]
S0 wzrwo;wzrwo; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-6-6 135664]
S2 HDD & SSD access service;HDD & SSD access service;"c:\program files\common files\binarysense\disksvc.exe" --> c:\program files\common files\binarysense\disksvc.exe [?]
S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-6-6 135664]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [2010-4-1 133632]
S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [2010-4-1 79360]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2009-8-31 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2009-8-31 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-8-31 42112]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 XDva285;XDva285;\??\c:\windows\system32\xdva285.sys --> c:\windows\system32\XDva285.sys [?]
S3 XDva296;XDva296;\??\c:\windows\system32\xdva296.sys --> c:\windows\system32\XDva296.sys [?]
S3 XDva326;XDva326;\??\c:\windows\system32\xdva326.sys --> c:\windows\system32\XDva326.sys [?]
S3 XDva328;XDva328;\??\c:\windows\system32\xdva328.sys --> c:\windows\system32\XDva328.sys [?]
S3 XDva332;XDva332;\??\c:\windows\system32\xdva332.sys --> c:\windows\system32\XDva332.sys [?]
S3 XDva337;XDva337;\??\c:\windows\system32\xdva337.sys --> c:\windows\system32\XDva337.sys [?]
S3 XDva341;XDva341;\??\c:\windows\system32\xdva341.sys --> c:\windows\system32\XDva341.sys [?]
S3 XDva343;XDva343;\??\c:\windows\system32\xdva343.sys --> c:\windows\system32\XDva343.sys [?]
S3 XDva346;XDva346;\??\c:\windows\system32\xdva346.sys --> c:\windows\system32\XDva346.sys [?]
S3 XDva347;XDva347;\??\c:\windows\system32\xdva347.sys --> c:\windows\system32\XDva347.sys [?]
S3 XDva349;XDva349;\??\c:\windows\system32\xdva349.sys --> c:\windows\system32\XDva349.sys [?]
S3 XDva351;XDva351;\??\c:\windows\system32\xdva351.sys --> c:\windows\system32\XDva351.sys [?]
S3 XDva352;XDva352;\??\c:\windows\system32\xdva352.sys --> c:\windows\system32\XDva352.sys [?]
S3 XDva354;XDva354;\??\c:\windows\system32\xdva354.sys --> c:\windows\system32\XDva354.sys [?]
S3 XDva358;XDva358;\??\c:\windows\system32\xdva358.sys --> c:\windows\system32\XDva358.sys [?]
S3 XDva359;XDva359;\??\c:\windows\system32\xdva359.sys --> c:\windows\system32\XDva359.sys [?]
S3 XDva362;XDva362;\??\c:\windows\system32\xdva362.sys --> c:\windows\system32\XDva362.sys [?]
S3 XDva370;XDva370;\??\c:\windows\system32\xdva370.sys --> c:\windows\system32\XDva370.sys [?]
S3 XDva375;XDva375;\??\c:\windows\system32\xdva375.sys --> c:\windows\system32\XDva375.sys [?]
S3 XDva380;XDva380;\??\c:\windows\system32\xdva380.sys --> c:\windows\system32\XDva380.sys [?]
S3 XDva383;XDva383;\??\c:\windows\system32\xdva383.sys --> c:\windows\system32\XDva383.sys [?]
S3 XDva385;XDva385;\??\c:\windows\system32\xdva385.sys --> c:\windows\system32\XDva385.sys [?]
S3 XDva386;XDva386;\??\c:\windows\system32\xdva386.sys --> c:\windows\system32\XDva386.sys [?]
S3 XDva387;XDva387;\??\c:\windows\system32\xdva387.sys --> c:\windows\system32\XDva387.sys [?]
S3 XDva388;XDva388;\??\c:\windows\system32\xdva388.sys --> c:\windows\system32\XDva388.sys [?]
S3 XDva389;XDva389;\??\c:\windows\system32\xdva389.sys --> c:\windows\system32\XDva389.sys [?]
S4 dwrfa;dwrfa;c:\windows\system32\drivers\cpma.sys [2010-7-10 54016]
S4 fqlpjiyc;fqlpjiyc;c:\windows\system32\drivers\htubn.sys [2010-7-9 54016]
S4 kwaxi;kwaxi;c:\windows\system32\drivers\vldso.sys [2010-7-9 54016]
S4 nepo;nepo;c:\windows\system32\drivers\dbxd.sys [2010-7-9 54016]
S4 nscb;nscb;c:\windows\system32\drivers\xiip.sys [2010-6-13 54016]
S4 sajy;sajy;c:\windows\system32\drivers\snba.sys [2010-6-13 54016]
.
=============== Created Last 30 ================
.
2073-04-13 21:17:26 203576 ---h--w- c:\program files\microsoft games\age of empires iii\autopatcher2.exe
2011-08-23 02:02:27 -------- d-----w- c:\program files\Avira
2011-08-23 02:02:27 -------- d-----w- c:\documents and settings\all users\application data\Avira
2011-08-22 17:59:51 -------- d-----w- c:\program files\Virus Secure Lab
2011-08-18 21:45:32 -------- d-----w- c:\program files\Sophos
2011-08-18 04:28:30 -------- d-----w- c:\program files\Foxit Software
2011-08-18 03:07:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-08-18 03:07:16 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2011-08-18 02:46:24 -------- d-----w- c:\documents and settings\administrator\application data\SUPERAntiSpyware.com
2011-08-18 02:46:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-18 02:46:00 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-08-18 01:00:08 -------- d-----w- c:\documents and settings\administrator\application data\QuickScan
2011-08-18 00:30:51 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-08-18 00:30:45 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-08-18 00:17:57 331776 ----a-w- c:\windows\system32\EasyRedirect.dll
2011-08-18 00:17:55 -------- d-----w- c:\program files\Easy-Hide-IP
2011-08-17 16:37:25 -------- d-----w- C:\CherryDeGames
2011-08-11 18:00:58 -------- d-----w- c:\program files\InterActual
2011-08-07 23:13:27 -------- d-----w- c:\program files\PCSX2 0.9.8
.
==================== Find3M ====================
.
2011-08-16 18:05:40 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-09 21:16:08 141200 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-06-09 21:15:50 281656 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-06-09 21:15:50 281656 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-06-09 20:34:07 281656 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-06-08 09:07:51 201728 ----a-w- C:\zYan_ID_Changer.dll
2011-06-07 23:49:07 138056 ----a-w- c:\documents and settings\administrator\application data\PnkBstrK.sys
2011-06-07 23:48:46 90112 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-06-02 07:36:15 27648 ----a-w- C:\zYan_X.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK2552GSX rev.LV010A -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xAE7A5660]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\Harddisk0\DR0[0x8A90BAB8]
3 CLASSPNP[0xB810905B] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x8A7624D8]
\Driver\00002509[0x8A6B9B10] -> IRP_MJ_CREATE -> 0xAE7A5660
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK2552GSX_______________________LV010A__#5&496c666&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A915AEA
\Driver\atapi -> 0x8aac81f8
user & kernel MBR OK
sectors 488397166 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 22:30:44.54 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/1/2008 9:48:06 PM
System Uptime: 8/18/2011 6:57:26 PM (100 hours ago)
.
Motherboard: CLEVO CO. | | M860TU
Processor: Intel Pentium III processor | U22 | 2394/mhz
Processor: Intel Pentium III processor | U22 | 2393/mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 151 GiB total, 14.831 GiB free.
D: is FIXED (NTFS) - 82 GiB total, 1.902 GiB free.
E: is CDROM ()
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\90F5145890A033
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\90F5145890A033
Service: NIC1394
.
Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: iPod touch
Device ID: ROOT\{140FD12F-CBAE-408D-9942-F919A7CB22CC}\0000
Manufacturer: Apple
Name: iPod touch
PNP Device ID: ROOT\{140FD12F-CBAE-408D-9942-F919A7CB22CC}\0000
Service: WUDFRd
.
==== System Restore Points ===================
.
RP326: 7/13/2011 12:04:17 AM - System Checkpoint
RP327: 7/13/2011 3:54:07 PM - Removed Google Talk Plugin
RP328: 7/18/2011 4:00:56 AM - System Checkpoint
RP329: 7/19/2011 4:43:12 AM - System Checkpoint
RP330: 7/20/2011 5:13:55 AM - System Checkpoint
RP331: 7/20/2011 9:42:53 AM - Installed Windows XP KB917021.
RP332: 7/21/2011 10:26:28 AM - System Checkpoint
RP333: 7/24/2011 5:48:53 AM - System Checkpoint
RP334: 7/25/2011 6:31:14 AM - System Checkpoint
RP335: 7/26/2011 7:33:19 AM - System Checkpoint
RP336: 7/27/2011 8:12:09 AM - System Checkpoint
RP337: 7/28/2011 8:41:25 AM - System Checkpoint
RP338: 7/29/2011 8:53:07 AM - System Checkpoint
RP339: 7/30/2011 9:53:05 AM - System Checkpoint
RP340: 7/31/2011 12:08:33 PM - System Checkpoint
RP341: 8/1/2011 6:07:00 PM - System Checkpoint
RP342: 8/2/2011 9:24:32 PM - System Checkpoint
RP343: 8/5/2011 4:42:12 AM - System Checkpoint
RP344: 8/6/2011 4:46:15 AM - System Checkpoint
RP345: 8/7/2011 4:49:33 AM - System Checkpoint
RP346: 8/8/2011 5:07:59 AM - System Checkpoint
RP347: 8/8/2011 8:14:00 PM - Removed Assassin's Creed II
RP348: 8/10/2011 9:58:09 PM - System Checkpoint
RP349: 8/12/2011 4:32:19 AM - System Checkpoint
RP350: 8/14/2011 12:08:18 AM - System Checkpoint
RP351: 8/16/2011 12:14:08 AM - System Checkpoint
RP352: 8/16/2011 7:48:40 PM - Removed Google Talk Plugin
RP353: 8/17/2011 12:37:24 PM - Installed Dragon Nest SEA
RP354: 8/19/2011 6:32:39 AM - System Checkpoint
RP355: 8/20/2011 7:20:36 AM - System Checkpoint
RP356: 8/21/2011 8:20:39 AM - System Checkpoint
RP357: 8/22/2011 2:15:34 PM - Removed Dragon Nest SEA
.
==== Installed Programs ======================
.
3ivx MPEG-4 5.0.3 (remove only)
7-Zip 4.65
Acrobat.com
Adobe AIR
Adobe Anchor Service CS3
Adobe Anchor Service CS4
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge CS4
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe Community Help
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS4
Adobe Linguistics CS3
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS5
Adobe Photoshop Lightroom 2.6.1
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Third Party Content
Adobe Reader 9.4.0
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Type Support CS4
Adobe Update Manager CS3
Adobe Update Manager CS4
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Advertising Center
Age of Empires III
Age of Empires III - The Asian Dynasties
Aimersoft MKV Converter(Build 2.0.2.13)
Akamai NetSession Interface
AoA Audio Extractor
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Applian FLV Player
Azureus
Bandisoft MPEG-1 Decoder
Belarc Advisor 8.1
BisonCam
Bonjour
Compatibility Pack for the 2007 Office system
Connect
DAEMON Tools Toolbar
DiskAid 3.1
DivX Converter
DivX Plus DirectShow Filters
DivX Setup
DivX Version Checker
DolbyFiles
DragonNest
Duke Nukem Forever
Elsword version 1.00
EphPod
ESET Online Scanner v3
EVEREST Home Edition v2.20
Express Burn
Foxit Reader 5.0
Free Natural Text to Speech Reader 2008
Free Sound Recorder
Freez FLV to MP3 Converter
GamersFirst LIVE!
Gateway
Google Chrome
Google Talk Plugin
Google Update Helper
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB917021)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
ImagXpress
ips XP 1.11.2600
IrfanView (remove only)
iTunes
Java(TM) 6 Update 14
Java(TM) 6 Update 7
JMicron JMB38X Flash Media Controller
K-Lite Codec Pack 4.1.7 (Full)
kuler
League of Legends
Mabinogi
Menu Templates - Starter Kit
Metal Assault
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.7
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
Motorola Driver Installation 3.7.0
Motorola SM56 Data Fax Modem
Movie Templates - Starter Kit
Mozilla Firefox 4.0 (x86 en-US)
MP3 Converter Simple
MSN
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Nero 9 Trial
Nero BurnRights
Nero ControlCenter
Nero CoverDesigner
Nero DiscSpeed
Nero DriveSpeed
Nero InfoTool
Nero Installer
Nero PhotoSnap
Nero Recode
Nero Rescue Agent
Nero ShowTime
Nero StartSmart
Nero Vision
Nero WaveEditor
NeroBurningROM
NeroExpress
neroxml
Nexon Game Manager
NJStar Communicator
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
Orbit Downloader
Pando Media Booster
PCSX2 - Playstation 2 Emulator
Pcsx2 0.9.6
PDF Settings CS4
PDF Settings CS5
Photoshop Camera Raw
Pixillion Image Converter
Protector Suite QL 5.6
PSP ISO Compressor
QuickTime
QuickTime Alternative 2.8.0
Ragnarok Online
Real Alternative 1.9.0
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
RegCure
S4 League_EU
Security Task Manager 1.8d
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981350)
Security Update for Windows XP (KB982381)
Segoe UI
Skype Toolbars
Skype™ 4.2
SoundTrax
Suite Shared Configuration CS4
SUPERAntiSpyware
Switch Sound File Converter
Synaptics Pointing Device Driver
System Requirements Lab
The Core Media Player 4.0
Ubisoft Game Launcher
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB898461)
Update for Windows XP (KB925720)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
VC80CRTRedist - 8.0.50727.4053
Ventrilo Client
Viewpoint Media Player
Virus Effect Remover©
VLC media player 1.1.0
WebFldrs XP
WinAVI MP4 Converter
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB885884
WinRAR archiver
WinSCP 4.2.8
Xilisoft iPod Rip
Yahoo! Messenger
.
==== Event Viewer Messages From Past Week ========
.
8/16/2011 1:05:56 PM, error: Dhcp [1002] - The IP address lease 192.168.1.69 for the Network Card with network address 0016EA5FCAC4 has been denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).
8/16/2011 1:05:47 PM, error: Dhcp [1002] - The IP address lease 129.133.127.105 for the Network Card with network address 0090F58B2C33 has been denied by the DHCP server 129.133.1.5 (The DHCP Server sent a DHCPNACK message).
8/15/2011 10:32:39 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0016EA5FCAC4. The following error occurred: The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
8/15/2011 10:31:30 PM, error: Dhcp [1002] - The IP address lease 129.133.210.213 for the Network Card with network address 0016EA5FCAC4 has been denied by the DHCP server 1.1.1.1 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================

Thank you for your help.
 
Welcome aboard


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

===============================================================

Download TDSSKiller and save it to your desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
 
Sorry for being a bit late on replying. I would've posted much sooner but my internet decided to stop connecting after the reset TDSSKiller asked me to do. I'm getting the logs through by a USB Drive and another computer now.

Here is the log:

2011/08/22 23:49:17.0984 0820 TDSS rootkit removing tool 2.5.16.0 Aug 19 2011 17:48:17
2011/08/22 23:49:18.0281 0820 ================================================================================
2011/08/22 23:49:18.0281 0820 SystemInfo:
2011/08/22 23:49:18.0281 0820
2011/08/22 23:49:18.0281 0820 OS Version: 5.1.2600 ServicePack: 2.0
2011/08/22 23:49:18.0281 0820 Product type: Workstation
2011/08/22 23:49:18.0281 0820 ComputerName: JIMMAWAT
2011/08/22 23:49:18.0281 0820 UserName: Administrator
2011/08/22 23:49:18.0281 0820 Windows directory: C:\WINDOWS
2011/08/22 23:49:18.0281 0820 System windows directory: C:\WINDOWS
2011/08/22 23:49:18.0281 0820 Processor architecture: Intel x86
2011/08/22 23:49:18.0281 0820 Number of processors: 2
2011/08/22 23:49:18.0281 0820 Page size: 0x1000
2011/08/22 23:49:18.0281 0820 Boot type: Normal boot
2011/08/22 23:49:18.0281 0820 ================================================================================
2011/08/22 23:49:19.0890 0820 Initialize success
2011/08/22 23:49:30.0609 2348 ================================================================================
2011/08/22 23:49:30.0609 2348 Scan started
2011/08/22 23:49:30.0609 2348 Mode: Manual;
2011/08/22 23:49:30.0609 2348 ================================================================================
2011/08/22 23:49:31.0953 2348 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/08/22 23:49:32.0000 2348 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/08/22 23:49:32.0062 2348 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2011/08/22 23:49:32.0171 2348 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
2011/08/22 23:49:32.0328 2348 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/08/22 23:49:32.0406 2348 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/08/22 23:49:32.0453 2348 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/08/22 23:49:32.0515 2348 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/08/22 23:49:32.0625 2348 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/08/22 23:49:32.0703 2348 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
2011/08/22 23:49:32.0734 2348 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/08/22 23:49:32.0781 2348 BthEnum (d24b8d1784c68a25060fffbe8ed34b76) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
2011/08/22 23:49:32.0828 2348 BthPan (10355270be12641b9764235da39dcf0f) C:\WINDOWS\system32\DRIVERS\bthpan.sys
2011/08/22 23:49:32.0875 2348 BTHPORT (95ef6f3f386d93ee1e4d9ca45a50252a) C:\WINDOWS\system32\Drivers\BTHport.sys
2011/08/22 23:49:33.0000 2348 BTHUSB (f06d4cb9918b462a84d9ac00027efc30) C:\WINDOWS\system32\Drivers\BTHUSB.sys
2011/08/22 23:49:33.0062 2348 Cam5607 (ce9f13675fdc354f16962dffecec3041) C:\WINDOWS\system32\Drivers\BisonC07.sys
2011/08/22 23:49:33.0156 2348 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/08/22 23:49:33.0281 2348 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/08/22 23:49:33.0343 2348 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/08/22 23:49:33.0406 2348 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/08/22 23:49:33.0453 2348 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/08/22 23:49:33.0515 2348 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/08/22 23:49:33.0625 2348 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/08/22 23:49:33.0687 2348 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/08/22 23:49:33.0734 2348 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2011/08/22 23:49:33.0812 2348 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2011/08/22 23:49:33.0906 2348 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/08/22 23:49:33.0953 2348 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/08/22 23:49:34.0046 2348 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/08/22 23:49:34.0109 2348 dwrfa (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\cpma.sys
2011/08/22 23:49:34.0234 2348 EverestDriver (6e19f0a386eb53147df1f70da0850306) C:\EVEREST.Ultimate.Edition.5.30.1954.Beta\everestultimate_build_1954\kerneld.wnt
2011/08/22 23:49:34.0375 2348 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/08/22 23:49:34.0421 2348 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
2011/08/22 23:49:34.0484 2348 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2011/08/22 23:49:34.0546 2348 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/08/22 23:49:34.0593 2348 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/08/22 23:49:34.0640 2348 fqlpjiyc (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\htubn.sys
2011/08/22 23:49:34.0734 2348 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/08/22 23:49:34.0765 2348 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/08/22 23:49:34.0781 2348 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/08/22 23:49:34.0859 2348 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/08/22 23:49:34.0921 2348 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/08/22 23:49:35.0046 2348 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/08/22 23:49:35.0109 2348 Htsysm (57bd2878b475f530a9cf965c785c74a3) C:\WINDOWS\system32\HtsysmNT.sys
2011/08/22 23:49:35.0218 2348 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/08/22 23:49:35.0312 2348 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/08/22 23:49:35.0437 2348 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/08/22 23:49:35.0640 2348 IntcAzAudAddService (b2957d6c1226f029230dac2c46d34286) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/08/22 23:49:35.0953 2348 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/08/22 23:49:35.0984 2348 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/08/22 23:49:36.0015 2348 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/08/22 23:49:36.0031 2348 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/08/22 23:49:36.0062 2348 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/08/22 23:49:36.0265 2348 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/08/22 23:49:36.0312 2348 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/08/22 23:49:36.0359 2348 isapnp (786b56d76f27f0117d1d51182078f623) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/08/22 23:49:36.0359 2348 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\isapnp.sys. Real md5: 786b56d76f27f0117d1d51182078f623, Fake md5: 1837a75fc44e6deb430f4e90b4dfb15a
2011/08/22 23:49:36.0359 2348 isapnp - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/08/22 23:49:36.0421 2348 JMCR (dedb6cc1b166928a8f3f68def1766db0) C:\WINDOWS\system32\DRIVERS\jmcr.sys
2011/08/22 23:49:36.0578 2348 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/08/22 23:49:36.0656 2348 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/08/22 23:49:36.0734 2348 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2011/08/22 23:49:36.0796 2348 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/08/22 23:49:36.0937 2348 kwaxi (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\vldso.sys
2011/08/22 23:49:37.0078 2348 Mkd2kfNt (6f4d79ea861137ef2f9078e265c2aa83) C:\WINDOWS\system32\drivers\Mkd2kfNt.sys
2011/08/22 23:49:37.0109 2348 Mkd2Nadr (fe7925784f6801e983b41ec118ef62ac) C:\WINDOWS\system32\drivers\Mkd2Nadr.sys
2011/08/22 23:49:37.0156 2348 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/08/22 23:49:37.0328 2348 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2011/08/22 23:49:37.0406 2348 motccgp (201bfc4ef8b33d02d133fbf6535e515b) C:\WINDOWS\system32\DRIVERS\motccgp.sys
2011/08/22 23:49:37.0437 2348 motccgpfl (d0242a3832eb7c97801bb25889561e23) C:\WINDOWS\system32\DRIVERS\motccgpfl.sys
2011/08/22 23:49:37.0468 2348 MotDev (80bda4ac4b2834ca522b7386fc1f6a20) C:\WINDOWS\system32\DRIVERS\motodrv.sys
2011/08/22 23:49:37.0640 2348 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
2011/08/22 23:49:37.0687 2348 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/08/22 23:49:37.0781 2348 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/08/22 23:49:37.0875 2348 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/08/22 23:49:37.0906 2348 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/08/22 23:49:37.0984 2348 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/08/22 23:49:38.0046 2348 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2011/08/22 23:49:38.0156 2348 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/08/22 23:49:38.0203 2348 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/08/22 23:49:38.0250 2348 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/08/22 23:49:38.0296 2348 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/08/22 23:49:38.0328 2348 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/08/22 23:49:38.0406 2348 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2011/08/22 23:49:38.0609 2348 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/08/22 23:49:38.0640 2348 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2011/08/22 23:49:38.0687 2348 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/08/22 23:49:38.0781 2348 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/08/22 23:49:38.0828 2348 Ndisuio (5146c3d286e66c72328f6ce6e4d983a8) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/08/22 23:49:38.0937 2348 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/08/22 23:49:38.0953 2348 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/08/22 23:49:39.0015 2348 nepo (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\dbxd.sys
2011/08/22 23:49:39.0093 2348 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/08/22 23:49:39.0281 2348 NETw5x32 (0888844230083ce3b47395102bca8207) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
2011/08/22 23:49:39.0578 2348 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/08/22 23:49:39.0625 2348 nm (60cf8c7192b3614f240838ddbaa4a245) C:\WINDOWS\system32\DRIVERS\NMnt.sys
2011/08/22 23:49:39.0671 2348 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2011/08/22 23:49:39.0765 2348 nscb (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\xiip.sys
2011/08/22 23:49:39.0937 2348 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/08/22 23:49:40.0000 2348 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/08/22 23:49:40.0062 2348 nv (8d43a34dacd260bf70fcc95e45b69456) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/08/22 23:49:40.0359 2348 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\nv4_mini.sys. Real md5: 8d43a34dacd260bf70fcc95e45b69456, Fake md5: ed9816dbaf6689542ea7d022631906a1
2011/08/22 23:49:40.0390 2348 nv - detected ForgedFile.Multi.Generic (1)
2011/08/22 23:49:40.0546 2348 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/08/22 23:49:40.0578 2348 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/08/22 23:49:40.0640 2348 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/08/22 23:49:40.0687 2348 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
2011/08/22 23:49:40.0734 2348 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/08/22 23:49:40.0812 2348 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/08/22 23:49:40.0906 2348 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/08/22 23:49:40.0953 2348 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/08/22 23:49:41.0015 2348 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/08/22 23:49:41.0140 2348 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/08/22 23:49:41.0218 2348 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/08/22 23:49:41.0296 2348 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/08/22 23:49:41.0359 2348 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/08/22 23:49:41.0453 2348 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/08/22 23:49:41.0468 2348 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/08/22 23:49:41.0531 2348 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/08/22 23:49:41.0546 2348 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/08/22 23:49:41.0593 2348 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/08/22 23:49:41.0656 2348 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/08/22 23:49:41.0781 2348 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/08/22 23:49:41.0828 2348 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/08/22 23:49:41.0875 2348 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/08/22 23:49:41.0921 2348 RFCOMM (99c4b74981a1413f142a3903130088cb) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
2011/08/22 23:49:41.0984 2348 RTLE8023xp (cd0afbbd81c30e6a8a92cc1089db1ba0) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2011/08/22 23:49:42.0046 2348 sajy (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\snba.sys
2011/08/22 23:49:42.0218 2348 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/08/22 23:49:42.0234 2348 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/08/22 23:49:42.0406 2348 sdbus (02fc71b020ec8700ee8a46c58bc6f276) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/08/22 23:49:42.0437 2348 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/08/22 23:49:42.0484 2348 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
2011/08/22 23:49:42.0578 2348 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/08/22 23:49:42.0734 2348 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/08/22 23:49:42.0828 2348 smserial (be44ae880e8d22a5615e352c68b278b9) C:\WINDOWS\system32\DRIVERS\smserial.sys
2011/08/22 23:49:42.0921 2348 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2011/08/22 23:49:43.0093 2348 sptd (d15da1ba189770d93eea2d7e18f95af9) C:\WINDOWS\system32\Drivers\sptd.sys
2011/08/22 23:49:43.0093 2348 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
2011/08/22 23:49:43.0093 2348 sptd - detected LockedFile.Multi.Generic (1)
2011/08/22 23:49:43.0125 2348 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/08/22 23:49:43.0187 2348 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/08/22 23:49:43.0281 2348 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/08/22 23:49:43.0390 2348 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/08/22 23:49:43.0453 2348 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/08/22 23:49:43.0671 2348 SynTP (d7b9ad3abd0f7f9f694d71f38b5c7b72) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/08/22 23:49:43.0734 2348 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/08/22 23:49:43.0812 2348 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/08/22 23:49:43.0890 2348 TcUsb (53900527fa5e2ccc818c5894383772d1) C:\WINDOWS\system32\Drivers\tcusb.sys
2011/08/22 23:49:43.0921 2348 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/08/22 23:49:43.0968 2348 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/08/22 23:49:44.0015 2348 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/08/22 23:49:44.0125 2348 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2011/08/22 23:49:44.0265 2348 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2011/08/22 23:49:44.0343 2348 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/08/22 23:49:44.0406 2348 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/08/22 23:49:44.0468 2348 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/08/22 23:49:44.0593 2348 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/08/22 23:49:44.0640 2348 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/08/22 23:49:44.0703 2348 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/08/22 23:49:44.0781 2348 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/08/22 23:49:44.0859 2348 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/08/22 23:49:44.0906 2348 usbvideo (8968ff3973a883c49e8b564200f565b9) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/08/22 23:49:44.0953 2348 VCSVADHWSer (b2abab4ca46bad182e27763dc19c780f) C:\WINDOWS\system32\DRIVERS\vcsvad.sys
2011/08/22 23:49:45.0046 2348 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/08/22 23:49:45.0078 2348 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/08/22 23:49:45.0125 2348 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/08/22 23:49:45.0218 2348 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/08/22 23:49:45.0359 2348 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/08/22 23:49:45.0453 2348 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/08/22 23:49:45.0531 2348 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/08/22 23:49:45.0578 2348 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/08/22 23:49:45.0625 2348 WudfPf (6ff66513d372d479ef1810223c8d20ce) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/08/22 23:49:45.0718 2348 WudfRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/08/22 23:49:46.0109 2348 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/08/22 23:49:46.0250 2348 Boot (0x1200) (376cd6a563b68089149b43ac88d519d5) \Device\Harddisk0\DR0\Partition0
2011/08/22 23:49:46.0281 2348 Boot (0x1200) (43d6dc9dc6c9c8518f76cf3e1dca59ef) \Device\Harddisk0\DR0\Partition1
2011/08/22 23:49:46.0281 2348 ================================================================================
2011/08/22 23:49:46.0281 2348 Scan finished
2011/08/22 23:49:46.0281 2348 ================================================================================
2011/08/22 23:49:46.0296 4592 Detected object count: 3
2011/08/22 23:49:46.0296 4592 Actual detected object count: 3
2011/08/22 23:50:05.0125 4592 isapnp (786b56d76f27f0117d1d51182078f623) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/08/22 23:50:05.0125 4592 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\isapnp.sys. Real md5: 786b56d76f27f0117d1d51182078f623, Fake md5: 1837a75fc44e6deb430f4e90b4dfb15a
2011/08/22 23:50:05.0140 4592 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\isapnp.sys) error 13
2011/08/22 23:50:06.0171 4592 Backup copy found, using it..
2011/08/22 23:50:06.0187 4592 C:\WINDOWS\system32\DRIVERS\isapnp.sys - will be cured after reboot
2011/08/22 23:50:06.0187 4592 Rootkit.Win32.TDSS.tdl3(isapnp) - User select action: Cure
2011/08/22 23:50:06.0187 4592 ForgedFile.Multi.Generic(nv) - User select action: Skip
2011/08/22 23:50:06.0187 4592 LockedFile.Multi.Generic(sptd) - User select action: Skip
2011/08/22 23:50:27.0203 3784 Deinitialize success
 
Good :)

Still no internet?

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".
 
Yeah, still no internet. I'm worried the TDSSKiller thing might've done something to mess it up, because I know the internet works, but not for my computer. Not the wireless or the wired.

Anyways, here's the log:

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 2)
Number of processors #2
==============================================
>Drivers
==============================================
0xB692D000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 10604544 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 258.96 )
0xBD012000 C:\WINDOWS\System32\nv4_disp.dll 6344704 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 258.96 )
0xB4F1D000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4874240 bytes (Realtek Semiconductor Corp., Realtek(r) High Definition Audio Function Driver)
0xB655B000 C:\WINDOWS\system32\DRIVERS\NETw5x32.sys 3629056 bytes (Intel Corporation, Intel® Wireless WiFi Link Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2142208 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2142208 bytes
0x804D7000 RAW 2142208 bytes
0x804D7000 WMIxWDM 2142208 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xB4E11000 C:\WINDOWS\system32\DRIVERS\smserial.sys 1097728 bytes (Motorola Inc., Motorola SM56 Modem WDM Driver)
0xB4B09000 C:\WINDOWS\System32\Drivers\BisonC07.sys 1069056 bytes (Bison Electronics. Inc. , Universal Serial Bus Camera Driver)
0xB7EA6000 PCI_PNP1096 1052672 bytes
0xB7EA6000 spkc.sys 1052672 bytes
0xB7EA6000 sptd 1052672 bytes
0xB7D0A000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB4C0E000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 454656 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB4D36000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 360448 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB1A77000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB649A000 C:\WINDOWS\System32\Drivers\aadmviqx.SYS 229376 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB64F5000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 221184 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0xB63EB000 C:\WINDOWS\system32\DRIVERS\update.sys 212992 bytes (Microsoft Corporation, Update Driver)
0xB641F000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 200704 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB7E60000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB7CDD000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB4CA5000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 180224 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB7E0A000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB68D1000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 151552 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xB1642000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 143360 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xB64D2000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB68F6000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 143360 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB4D14000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xB6478000 C:\WINDOWS\system32\DRIVERS\portcls.sys 139264 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB4CD1000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0xB4CF3000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 135168 bytes (Microsoft Corporation, IP Network Address Translator)
0x806E2000 ACPI_HAL 134400 bytes
0x806E2000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB7DD3000 fltMgr.sys 126976 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB7E30000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB7CC2000 Mup.sys 110592 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB652B000 C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys 110592 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )
0xB7DF2000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB7E8E000 C:\WINDOWS\System32\Drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xB7DAA000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB6461000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB6546000 C:\WINDOWS\system32\DRIVERS\jmcr.sys 86016 bytes (JMicron Technology Corp., JMicron JMB38X Memory Card Reader Driver)
0xB32B7000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB6919000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB4D8E000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xB7D97000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBD000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB7DC1000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB7E4F000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB6450000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB8138000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xB75C5000 C:\WINDOWS\system32\DRIVERS\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xB80A8000 ohci1394.sys 61440 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xB8308000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB3494000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xB7555000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xB80B8000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 53248 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xB82F8000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 53248 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xB8108000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xB8218000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xB75B5000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xB80E8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xB7595000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xB8168000 C:\WINDOWS\System32\Drivers\STREAM.SYS 49152 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
0xB82E8000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xB80D8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xB75A5000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
!!!!!!!!!!!Hidden driver: 0xB82C8000 3092378616 40960 bytes
0xB7565000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xB8118000 PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xB8148000 C:\WINDOWS\System32\Drivers\tcusb.sys 40960 bytes (UPEK Inc., TouchChip USB Kernel Driver)
0xB7575000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xB1AE8000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xB80F8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xB736A000 C:\WINDOWS\System32\Drivers\Fips.SYS 36864 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xB8318000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xB80C8000 isapnp.sys 36864 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB7585000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xB738A000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB737A000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xB8478000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xB8388000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xB83A8000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xB8348000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xB8328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xB8470000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 28672 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xB33FC000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xB83C8000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xB83B8000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xB83C0000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xB8390000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xB8378000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xB8380000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xB8330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xB8440000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xB8448000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
0xB8438000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xB8468000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 20480 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xB8430000 C:\WINDOWS\system32\DRIVERS\vcsvad.sys 20480 bytes (Avnex, Avnex Ltd. Virtual Audio Device (WDM))
0xB83D0000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xB84C0000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xB7515000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xB8584000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB36C9000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB84C4000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xB84B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB84BC000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xB4DC9000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB750D000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xB53C7000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB7511000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0xB8656000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xB85AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xB8654000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xB85A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xB865A000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xB865C000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xB860A000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xB8604000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xB85AA000 C:\WINDOWS\System32\Drivers\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xB87B9000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xB872D000 C:\WINDOWS\System32\Drivers\BANTExt.sys 4096 bytes
0xB868F000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xB879F000 C:\WINDOWS\system32\HtsysmNT.sys 4096 bytes
0xB8723000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xB8671000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xB8670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x8AA571F8 unknown_irp_handler 3592 bytes
0x85C091F8 unknown_irp_handler 3592 bytes
0x8AA581F8 unknown_irp_handler 3592 bytes
0x8A6B91F8 unknown_irp_handler 3592 bytes
0x85A991F8 unknown_irp_handler 3592 bytes
0x8AACA1F8 unknown_irp_handler 3592 bytes
0x8A8581F8 unknown_irp_handler 3592 bytes
0x8AA591F8 unknown_irp_handler 3592 bytes
0x8A7991F8 unknown_irp_handler 3592 bytes
0x8A8371F8 unknown_irp_handler 3592 bytes
0x86A501F8 unknown_irp_handler 3592 bytes
0x8A740500 unknown_irp_handler 2816 bytes
0x8A692500 unknown_irp_handler 2816 bytes
!!!!!!!!!!!Hidden driver: 0xB81CE9D0 00000949 1584 bytes
0xB81CE9D0 unknown_irp_handler 1584 bytes
==============================================
>Stealth
==============================================
0x85B9BF58 LDT (IN GDT of Core 1) Modification, Base+0xA70, DPL_USER, Rpl : 0, Type: CallGate32, Core [1]
0x85B9BF58 LDT (IN GDT of Core 2) Modification, Base+0xA70, DPL_USER, Rpl : 0, Type: CallGate32, Core [2]
0xB81C993C Unknown page with executable code, 1732 bytes
0xB81CB617 Unknown page with executable code, 2537 bytes
0xB81CB4E6 Unknown page with executable code, 2842 bytes
0xB81CE185 Unknown page with executable code, 3707 bytes
WARNING: Virus alike driver modification [i8042prt.sys]
0xB82CCFC0 Unknown thread object [ ETHREAD 0x8A6D5DA8 ] TID: 144, 600 bytes
0xB82CCFC0 Unknown thread object [ ETHREAD 0x8A6BB498 ] TID: 148, 600 bytes
0xB81D0105 Unknown thread object [ ETHREAD 0x8A704DA8 ] TID: 152, 600 bytes
0xB81D0105 Unknown thread object [ ETHREAD 0x8A6EC330 ] TID: 156, 600 bytes
WARNING: File locked for read access [C:\WINDOWS\system32\drivers\sptd.sys]
0xB81CDC20 Unknown page with executable code, 992 bytes
 
Ran TDSSKiller.exe from my desktop; it crashed within a few seconds of scanning, so I put a copy of it onto my USB and ran it from there. Finished scanning all the way through.

Here is the log:

2011/08/23 22:14:21.0796 0572 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
2011/08/23 22:14:21.0812 0572 ================================================================================
2011/08/23 22:14:21.0812 0572 SystemInfo:
2011/08/23 22:14:21.0812 0572
2011/08/23 22:14:21.0812 0572 OS Version: 5.1.2600 ServicePack: 2.0
2011/08/23 22:14:21.0812 0572 Product type: Workstation
2011/08/23 22:14:21.0812 0572 ComputerName: JIMMAWAT
2011/08/23 22:14:21.0812 0572 UserName: Administrator
2011/08/23 22:14:21.0812 0572 Windows directory: C:\WINDOWS
2011/08/23 22:14:21.0812 0572 System windows directory: C:\WINDOWS
2011/08/23 22:14:21.0812 0572 Processor architecture: Intel x86
2011/08/23 22:14:21.0812 0572 Number of processors: 2
2011/08/23 22:14:21.0812 0572 Page size: 0x1000
2011/08/23 22:14:21.0812 0572 Boot type: Normal boot
2011/08/23 22:14:21.0812 0572 ================================================================================
2011/08/23 22:14:21.0984 0572 Initialize success
2011/08/23 22:14:25.0546 3944 ================================================================================
2011/08/23 22:14:25.0546 3944 Scan started
2011/08/23 22:14:25.0546 3944 Mode: Manual;
2011/08/23 22:14:25.0546 3944 ================================================================================
2011/08/23 22:14:26.0468 3944 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/08/23 22:14:26.0500 3944 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/08/23 22:14:26.0578 3944 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2011/08/23 22:14:26.0734 3944 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
2011/08/23 22:14:27.0203 3944 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/08/23 22:14:27.0343 3944 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/08/23 22:14:27.0453 3944 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/08/23 22:14:27.0546 3944 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/08/23 22:14:27.0609 3944 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/08/23 22:14:27.0640 3944 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
2011/08/23 22:14:27.0671 3944 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/08/23 22:14:27.0750 3944 BthEnum (d24b8d1784c68a25060fffbe8ed34b76) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
2011/08/23 22:14:27.0843 3944 BthPan (10355270be12641b9764235da39dcf0f) C:\WINDOWS\system32\DRIVERS\bthpan.sys
2011/08/23 22:14:27.0921 3944 BTHPORT (95ef6f3f386d93ee1e4d9ca45a50252a) C:\WINDOWS\system32\Drivers\BTHport.sys
2011/08/23 22:14:27.0984 3944 BTHUSB (f06d4cb9918b462a84d9ac00027efc30) C:\WINDOWS\system32\Drivers\BTHUSB.sys
2011/08/23 22:14:28.0062 3944 Cam5607 (ce9f13675fdc354f16962dffecec3041) C:\WINDOWS\system32\Drivers\BisonC07.sys
2011/08/23 22:14:28.0171 3944 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/08/23 22:14:28.0265 3944 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/08/23 22:14:28.0328 3944 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/08/23 22:14:28.0406 3944 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/08/23 22:14:28.0500 3944 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/08/23 22:14:28.0640 3944 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/08/23 22:14:28.0671 3944 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/08/23 22:14:28.0765 3944 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/08/23 22:14:28.0812 3944 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2011/08/23 22:14:28.0859 3944 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2011/08/23 22:14:28.0953 3944 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/08/23 22:14:29.0078 3944 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/08/23 22:14:29.0156 3944 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/08/23 22:14:29.0203 3944 dwrfa (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\cpma.sys
2011/08/23 22:14:29.0296 3944 edac8d2c (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\747482349:307458771.exe
2011/08/23 22:14:29.0328 3944 Suspicious file (Hidden): C:\WINDOWS\747482349:307458771.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
2011/08/23 22:14:29.0343 3944 edac8d2c - detected HiddenFile.Multi.Generic (1)
2011/08/23 22:14:29.0546 3944 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/08/23 22:14:29.0593 3944 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
2011/08/23 22:14:29.0656 3944 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2011/08/23 22:14:29.0671 3944 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/08/23 22:14:29.0703 3944 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/08/23 22:14:29.0781 3944 fqlpjiyc (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\htubn.sys
2011/08/23 22:14:29.0843 3944 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/08/23 22:14:29.0875 3944 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/08/23 22:14:29.0921 3944 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/08/23 22:14:29.0984 3944 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/08/23 22:14:30.0046 3944 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/08/23 22:14:30.0156 3944 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/08/23 22:14:30.0265 3944 Htsysm (57bd2878b475f530a9cf965c785c74a3) C:\WINDOWS\system32\HtsysmNT.sys
2011/08/23 22:14:30.0406 3944 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/08/23 22:14:30.0609 3944 i8042prt (d05bab516dc50198fdf8a849ef4f6645) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/08/23 22:14:30.0609 3944 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\i8042prt.sys. Real md5: d05bab516dc50198fdf8a849ef4f6645, Fake md5: 5502b58eef7486ee6f93f3f164dcb808
2011/08/23 22:14:30.0609 3944 i8042prt - detected Rootkit.Win32.ZAccess.c (0)
2011/08/23 22:14:30.0687 3944 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/08/23 22:14:30.0906 3944 IntcAzAudAddService (b2957d6c1226f029230dac2c46d34286) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/08/23 22:14:31.0093 3944 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/08/23 22:14:31.0140 3944 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/08/23 22:14:31.0171 3944 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/08/23 22:14:31.0187 3944 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/08/23 22:14:31.0234 3944 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/08/23 22:14:31.0390 3944 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/08/23 22:14:31.0437 3944 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/08/23 22:14:31.0484 3944 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/08/23 22:14:31.0562 3944 JMCR (dedb6cc1b166928a8f3f68def1766db0) C:\WINDOWS\system32\DRIVERS\jmcr.sys
2011/08/23 22:14:31.0765 3944 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/08/23 22:14:31.0812 3944 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/08/23 22:14:31.0875 3944 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2011/08/23 22:14:31.0921 3944 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/08/23 22:14:32.0078 3944 kwaxi (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\vldso.sys
2011/08/23 22:14:32.0250 3944 Mkd2kfNt (6f4d79ea861137ef2f9078e265c2aa83) C:\WINDOWS\system32\drivers\Mkd2kfNt.sys
2011/08/23 22:14:32.0281 3944 Mkd2Nadr (fe7925784f6801e983b41ec118ef62ac) C:\WINDOWS\system32\drivers\Mkd2Nadr.sys
2011/08/23 22:14:32.0328 3944 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/08/23 22:14:32.0500 3944 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2011/08/23 22:14:32.0734 3944 motccgp (201bfc4ef8b33d02d133fbf6535e515b) C:\WINDOWS\system32\DRIVERS\motccgp.sys
2011/08/23 22:14:32.0765 3944 motccgpfl (d0242a3832eb7c97801bb25889561e23) C:\WINDOWS\system32\DRIVERS\motccgpfl.sys
2011/08/23 22:14:32.0796 3944 MotDev (80bda4ac4b2834ca522b7386fc1f6a20) C:\WINDOWS\system32\DRIVERS\motodrv.sys
2011/08/23 22:14:32.0828 3944 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
2011/08/23 22:14:32.0875 3944 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/08/23 22:14:32.0921 3944 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/08/23 22:14:33.0078 3944 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/08/23 22:14:33.0140 3944 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/08/23 22:14:33.0203 3944 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/08/23 22:14:33.0250 3944 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2011/08/23 22:14:33.0296 3944 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/08/23 22:14:33.0406 3944 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/08/23 22:14:33.0421 3944 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/08/23 22:14:33.0484 3944 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/08/23 22:14:33.0500 3944 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/08/23 22:14:33.0562 3944 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2011/08/23 22:14:33.0703 3944 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/08/23 22:14:33.0750 3944 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2011/08/23 22:14:33.0781 3944 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/08/23 22:14:33.0843 3944 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/08/23 22:14:34.0000 3944 Ndisuio (5146c3d286e66c72328f6ce6e4d983a8) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/08/23 22:14:34.0046 3944 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/08/23 22:14:34.0078 3944 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/08/23 22:14:34.0125 3944 nepo (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\dbxd.sys
2011/08/23 22:14:34.0156 3944 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/08/23 22:14:34.0437 3944 NETw5x32 (0888844230083ce3b47395102bca8207) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
2011/08/23 22:14:34.0687 3944 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/08/23 22:14:34.0718 3944 nm (60cf8c7192b3614f240838ddbaa4a245) C:\WINDOWS\system32\DRIVERS\NMnt.sys
2011/08/23 22:14:34.0765 3944 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2011/08/23 22:14:34.0984 3944 nscb (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\xiip.sys
2011/08/23 22:14:35.0156 3944 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/08/23 22:14:35.0218 3944 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/08/23 22:14:35.0593 3944 nv (ed9816dbaf6689542ea7d022631906a1) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/08/23 22:14:36.0187 3944 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/08/23 22:14:36.0328 3944 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/08/23 22:14:36.0390 3944 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/08/23 22:14:36.0437 3944 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
2011/08/23 22:14:36.0500 3944 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/08/23 22:14:36.0625 3944 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/08/23 22:14:36.0671 3944 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/08/23 22:14:36.0765 3944 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/08/23 22:14:36.0859 3944 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/08/23 22:14:37.0125 3944 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/08/23 22:14:37.0140 3944 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/08/23 22:14:37.0187 3944 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/08/23 22:14:37.0218 3944 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/08/23 22:14:37.0328 3944 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/08/23 22:14:37.0406 3944 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/08/23 22:14:37.0531 3944 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/08/23 22:14:37.0562 3944 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/08/23 22:14:37.0593 3944 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/08/23 22:14:37.0625 3944 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/08/23 22:14:37.0765 3944 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/08/23 22:14:37.0828 3944 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/08/23 22:14:37.0875 3944 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/08/23 22:14:37.0921 3944 RFCOMM (99c4b74981a1413f142a3903130088cb) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
2011/08/23 22:14:38.0031 3944 RTLE8023xp (cd0afbbd81c30e6a8a92cc1089db1ba0) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2011/08/23 22:14:38.0125 3944 sajy (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\snba.sys
2011/08/23 22:14:38.0421 3944 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/08/23 22:14:38.0437 3944 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/08/23 22:14:38.0562 3944 sdbus (02fc71b020ec8700ee8a46c58bc6f276) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/08/23 22:14:38.0640 3944 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/08/23 22:14:38.0703 3944 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
2011/08/23 22:14:38.0750 3944 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/08/23 22:14:38.0890 3944 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/08/23 22:14:39.0000 3944 smserial (be44ae880e8d22a5615e352c68b278b9) C:\WINDOWS\system32\DRIVERS\smserial.sys
2011/08/23 22:14:39.0093 3944 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2011/08/23 22:14:39.0250 3944 sptd (d15da1ba189770d93eea2d7e18f95af9) C:\WINDOWS\system32\Drivers\sptd.sys
2011/08/23 22:14:39.0250 3944 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
2011/08/23 22:14:39.0250 3944 sptd - detected LockedFile.Multi.Generic (1)
2011/08/23 22:14:39.0312 3944 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/08/23 22:14:39.0343 3944 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/08/23 22:14:39.0468 3944 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/08/23 22:14:39.0515 3944 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/08/23 22:14:39.0578 3944 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/08/23 22:14:39.0718 3944 SynTP (d7b9ad3abd0f7f9f694d71f38b5c7b72) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/08/23 22:14:39.0843 3944 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/08/23 22:14:39.0906 3944 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/08/23 22:14:39.0984 3944 TcUsb (53900527fa5e2ccc818c5894383772d1) C:\WINDOWS\system32\Drivers\tcusb.sys
2011/08/23 22:14:40.0015 3944 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/08/23 22:14:40.0140 3944 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/08/23 22:14:40.0234 3944 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/08/23 22:14:40.0312 3944 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2011/08/23 22:14:40.0421 3944 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2011/08/23 22:14:40.0546 3944 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/08/23 22:14:40.0640 3944 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/08/23 22:14:40.0687 3944 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/08/23 22:14:40.0765 3944 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/08/23 22:14:40.0843 3944 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/08/23 22:14:40.0937 3944 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/08/23 22:14:40.0984 3944 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/08/23 22:14:41.0015 3944 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/08/23 22:14:41.0078 3944 usbvideo (8968ff3973a883c49e8b564200f565b9) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/08/23 22:14:41.0171 3944 VCSVADHWSer (b2abab4ca46bad182e27763dc19c780f) C:\WINDOWS\system32\DRIVERS\vcsvad.sys
2011/08/23 22:14:41.0250 3944 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/08/23 22:14:41.0281 3944 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/08/23 22:14:41.0328 3944 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/08/23 22:14:41.0421 3944 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/08/23 22:14:41.0593 3944 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/08/23 22:14:41.0703 3944 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/08/23 22:14:41.0781 3944 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/08/23 22:14:41.0828 3944 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/08/23 22:14:41.0953 3944 WudfPf (6ff66513d372d479ef1810223c8d20ce) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/08/23 22:14:42.0015 3944 WudfRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/08/23 22:14:42.0515 3944 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/08/23 22:14:42.0718 3944 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR7
2011/08/23 22:14:42.0734 3944 Boot (0x1200) (376cd6a563b68089149b43ac88d519d5) \Device\Harddisk0\DR0\Partition0
2011/08/23 22:14:42.0781 3944 Boot (0x1200) (43d6dc9dc6c9c8518f76cf3e1dca59ef) \Device\Harddisk0\DR0\Partition1
2011/08/23 22:14:42.0781 3944 Boot (0x1200) (c5fb7fc3af5920a6944c3e04abe5d8d3) \Device\Harddisk1\DR7\Partition0
2011/08/23 22:14:42.0796 3944 ================================================================================
2011/08/23 22:14:42.0796 3944 Scan finished
2011/08/23 22:14:42.0796 3944 ================================================================================
2011/08/23 22:14:42.0812 3192 Detected object count: 3
2011/08/23 22:14:42.0812 3192 Actual detected object count: 3
2011/08/23 22:15:50.0218 3192 HiddenFile.Multi.Generic(edac8d2c) - User select action: Skip
2011/08/23 22:15:50.0390 3192 i8042prt (d05bab516dc50198fdf8a849ef4f6645) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/08/23 22:15:50.0390 3192 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\i8042prt.sys. Real md5: d05bab516dc50198fdf8a849ef4f6645, Fake md5: 5502b58eef7486ee6f93f3f164dcb808
2011/08/23 22:15:50.0625 3192 Backup copy found, using it..
2011/08/23 22:15:50.0625 3192 C:\WINDOWS\system32\DRIVERS\i8042prt.sys - will be cured after reboot
2011/08/23 22:15:50.0625 3192 Rootkit.Win32.ZAccess.c(i8042prt) - User select action: Cure
2011/08/23 22:15:50.0625 3192 LockedFile.Multi.Generic(sptd) - User select action: Skip
 
Ran it again, again from the USB. Here's the log:

2011/08/23 22:29:46.0750 3860 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
2011/08/23 22:29:46.0781 3860 ================================================================================
2011/08/23 22:29:46.0781 3860 SystemInfo:
2011/08/23 22:29:46.0781 3860
2011/08/23 22:29:46.0781 3860 OS Version: 5.1.2600 ServicePack: 2.0
2011/08/23 22:29:46.0781 3860 Product type: Workstation
2011/08/23 22:29:46.0781 3860 ComputerName: JIMMAWAT
2011/08/23 22:29:46.0781 3860 UserName: Administrator
2011/08/23 22:29:46.0781 3860 Windows directory: C:\WINDOWS
2011/08/23 22:29:46.0781 3860 System windows directory: C:\WINDOWS
2011/08/23 22:29:46.0781 3860 Processor architecture: Intel x86
2011/08/23 22:29:46.0781 3860 Number of processors: 2
2011/08/23 22:29:46.0781 3860 Page size: 0x1000
2011/08/23 22:29:46.0781 3860 Boot type: Normal boot
2011/08/23 22:29:46.0781 3860 ================================================================================
2011/08/23 22:29:48.0390 3860 Initialize success
2011/08/23 22:29:49.0750 2868 ================================================================================
2011/08/23 22:29:49.0750 2868 Scan started
2011/08/23 22:29:49.0750 2868 Mode: Manual;
2011/08/23 22:29:49.0750 2868 ================================================================================
2011/08/23 22:29:51.0156 2868 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/08/23 22:29:51.0187 2868 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/08/23 22:29:51.0281 2868 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2011/08/23 22:29:51.0437 2868 AFD (d9a47e3853528fbcc03ce0e11210fd16) C:\WINDOWS\System32\drivers\afd.sys
2011/08/23 22:29:51.0453 2868 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: d9a47e3853528fbcc03ce0e11210fd16, Fake md5: 55e6e1c51b6d30e54335750955453702
2011/08/23 22:29:51.0453 2868 AFD - detected Rootkit.Win32.ZAccess.c (0)
2011/08/23 22:29:51.0593 2868 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/08/23 22:29:51.0671 2868 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/08/23 22:29:51.0750 2868 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/08/23 22:29:51.0890 2868 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/08/23 22:29:51.0953 2868 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/08/23 22:29:52.0000 2868 BANTExt (5d7be7b19e827125e016325334e58ff1) C:\WINDOWS\System32\Drivers\BANTExt.sys
2011/08/23 22:29:52.0015 2868 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/08/23 22:29:52.0078 2868 BthEnum (d24b8d1784c68a25060fffbe8ed34b76) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
2011/08/23 22:29:52.0125 2868 BthPan (10355270be12641b9764235da39dcf0f) C:\WINDOWS\system32\DRIVERS\bthpan.sys
2011/08/23 22:29:52.0281 2868 BTHPORT (95ef6f3f386d93ee1e4d9ca45a50252a) C:\WINDOWS\system32\Drivers\BTHport.sys
2011/08/23 22:29:52.0343 2868 BTHUSB (f06d4cb9918b462a84d9ac00027efc30) C:\WINDOWS\system32\Drivers\BTHUSB.sys
2011/08/23 22:29:52.0421 2868 Cam5607 (ce9f13675fdc354f16962dffecec3041) C:\WINDOWS\system32\Drivers\BisonC07.sys
2011/08/23 22:29:52.0593 2868 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/08/23 22:29:52.0640 2868 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/08/23 22:29:52.0703 2868 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/08/23 22:29:52.0750 2868 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/08/23 22:29:52.0921 2868 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/08/23 22:29:53.0015 2868 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/08/23 22:29:53.0046 2868 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/08/23 22:29:53.0125 2868 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/08/23 22:29:53.0187 2868 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2011/08/23 22:29:53.0359 2868 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2011/08/23 22:29:53.0406 2868 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/08/23 22:29:53.0453 2868 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/08/23 22:29:53.0531 2868 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/08/23 22:29:53.0625 2868 dwrfa (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\cpma.sys
2011/08/23 22:29:53.0765 2868 edac8d2c (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\747482349:307458771.exe
2011/08/23 22:29:53.0796 2868 Suspicious file (Hidden): C:\WINDOWS\747482349:307458771.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
2011/08/23 22:29:53.0812 2868 edac8d2c - detected HiddenFile.Multi.Generic (1)
2011/08/23 22:29:53.0937 2868 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/08/23 22:29:54.0015 2868 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
2011/08/23 22:29:54.0078 2868 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2011/08/23 22:29:54.0109 2868 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/08/23 22:29:54.0140 2868 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/08/23 22:29:54.0250 2868 fqlpjiyc (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\htubn.sys
2011/08/23 22:29:54.0312 2868 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/08/23 22:29:54.0375 2868 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/08/23 22:29:54.0406 2868 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/08/23 22:29:54.0484 2868 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/08/23 22:29:54.0609 2868 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/08/23 22:29:54.0718 2868 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/08/23 22:29:54.0781 2868 Htsysm (57bd2878b475f530a9cf965c785c74a3) C:\WINDOWS\system32\HtsysmNT.sys
2011/08/23 22:29:54.0953 2868 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/08/23 22:29:55.0093 2868 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/08/23 22:29:55.0171 2868 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/08/23 22:29:55.0390 2868 IntcAzAudAddService (b2957d6c1226f029230dac2c46d34286) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/08/23 22:29:55.0593 2868 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/08/23 22:29:55.0640 2868 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/08/23 22:29:55.0671 2868 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/08/23 22:29:55.0687 2868 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/08/23 22:29:55.0734 2868 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/08/23 22:29:55.0937 2868 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/08/23 22:29:55.0984 2868 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/08/23 22:29:56.0031 2868 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/08/23 22:29:56.0109 2868 JMCR (dedb6cc1b166928a8f3f68def1766db0) C:\WINDOWS\system32\DRIVERS\jmcr.sys
2011/08/23 22:29:56.0265 2868 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/08/23 22:29:56.0312 2868 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/08/23 22:29:56.0375 2868 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2011/08/23 22:29:56.0437 2868 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/08/23 22:29:56.0578 2868 kwaxi (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\vldso.sys
2011/08/23 22:29:56.0734 2868 Mkd2kfNt (6f4d79ea861137ef2f9078e265c2aa83) C:\WINDOWS\system32\drivers\Mkd2kfNt.sys
2011/08/23 22:29:56.0765 2868 Mkd2Nadr (fe7925784f6801e983b41ec118ef62ac) C:\WINDOWS\system32\drivers\Mkd2Nadr.sys
2011/08/23 22:29:56.0828 2868 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/08/23 22:29:56.0984 2868 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2011/08/23 22:29:57.0031 2868 motccgp (201bfc4ef8b33d02d133fbf6535e515b) C:\WINDOWS\system32\DRIVERS\motccgp.sys
2011/08/23 22:29:57.0046 2868 motccgpfl (d0242a3832eb7c97801bb25889561e23) C:\WINDOWS\system32\DRIVERS\motccgpfl.sys
2011/08/23 22:29:57.0078 2868 MotDev (80bda4ac4b2834ca522b7386fc1f6a20) C:\WINDOWS\system32\DRIVERS\motodrv.sys
2011/08/23 22:29:57.0125 2868 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
2011/08/23 22:29:57.0281 2868 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/08/23 22:29:57.0328 2868 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/08/23 22:29:57.0375 2868 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/08/23 22:29:57.0437 2868 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/08/23 22:29:57.0531 2868 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/08/23 22:29:57.0609 2868 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2011/08/23 22:29:57.0671 2868 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/08/23 22:29:57.0703 2868 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/08/23 22:29:57.0734 2868 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/08/23 22:29:57.0828 2868 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/08/23 22:29:57.0859 2868 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/08/23 22:29:57.0968 2868 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2011/08/23 22:29:58.0062 2868 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/08/23 22:29:58.0093 2868 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2011/08/23 22:29:58.0187 2868 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/08/23 22:29:58.0234 2868 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/08/23 22:29:58.0343 2868 Ndisuio (5146c3d286e66c72328f6ce6e4d983a8) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/08/23 22:29:58.0406 2868 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/08/23 22:29:58.0468 2868 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/08/23 22:29:58.0531 2868 nepo (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\dbxd.sys
2011/08/23 22:29:58.0609 2868 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/08/23 22:29:58.0796 2868 NETw5x32 (0888844230083ce3b47395102bca8207) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
2011/08/23 22:29:59.0125 2868 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/08/23 22:29:59.0296 2868 nm (60cf8c7192b3614f240838ddbaa4a245) C:\WINDOWS\system32\DRIVERS\NMnt.sys
2011/08/23 22:29:59.0390 2868 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2011/08/23 22:29:59.0781 2868 nscb (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\xiip.sys
2011/08/23 22:29:59.0921 2868 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/08/23 22:30:00.0078 2868 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/08/23 22:30:00.0437 2868 nv (ed9816dbaf6689542ea7d022631906a1) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/08/23 22:30:00.0875 2868 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/08/23 22:30:00.0906 2868 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/08/23 22:30:00.0968 2868 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/08/23 22:30:01.0046 2868 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
2011/08/23 22:30:01.0109 2868 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/08/23 22:30:01.0234 2868 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/08/23 22:30:01.0265 2868 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/08/23 22:30:01.0328 2868 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/08/23 22:30:01.0390 2868 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/08/23 22:30:01.0562 2868 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/08/23 22:30:01.0703 2868 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/08/23 22:30:01.0734 2868 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/08/23 22:30:01.0796 2868 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/08/23 22:30:01.0890 2868 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/08/23 22:30:01.0921 2868 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/08/23 22:30:02.0015 2868 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/08/23 22:30:02.0156 2868 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/08/23 22:30:02.0187 2868 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/08/23 22:30:02.0203 2868 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/08/23 22:30:02.0281 2868 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/08/23 22:30:02.0328 2868 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/08/23 22:30:02.0468 2868 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/08/23 22:30:02.0515 2868 RFCOMM (99c4b74981a1413f142a3903130088cb) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
2011/08/23 22:30:02.0578 2868 RTLE8023xp (cd0afbbd81c30e6a8a92cc1089db1ba0) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
2011/08/23 22:30:02.0640 2868 sajy (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\snba.sys
2011/08/23 22:30:02.0796 2868 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/08/23 22:30:02.0828 2868 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/08/23 22:30:02.0984 2868 sdbus (02fc71b020ec8700ee8a46c58bc6f276) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/08/23 22:30:03.0015 2868 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/08/23 22:30:03.0093 2868 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
2011/08/23 22:30:03.0140 2868 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/08/23 22:30:03.0312 2868 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/08/23 22:30:03.0406 2868 smserial (be44ae880e8d22a5615e352c68b278b9) C:\WINDOWS\system32\DRIVERS\smserial.sys
2011/08/23 22:30:03.0609 2868 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2011/08/23 22:30:03.0687 2868 sptd (d15da1ba189770d93eea2d7e18f95af9) C:\WINDOWS\system32\Drivers\sptd.sys
2011/08/23 22:30:03.0687 2868 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
2011/08/23 22:30:03.0703 2868 sptd - detected LockedFile.Multi.Generic (1)
2011/08/23 22:30:03.0734 2868 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/08/23 22:30:03.0890 2868 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/08/23 22:30:03.0937 2868 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/08/23 22:30:04.0062 2868 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/08/23 22:30:04.0125 2868 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/08/23 22:30:04.0375 2868 SynTP (d7b9ad3abd0f7f9f694d71f38b5c7b72) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/08/23 22:30:04.0421 2868 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/08/23 22:30:04.0500 2868 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/08/23 22:30:04.0625 2868 TcUsb (53900527fa5e2ccc818c5894383772d1) C:\WINDOWS\system32\Drivers\tcusb.sys
2011/08/23 22:30:04.0671 2868 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/08/23 22:30:04.0687 2868 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/08/23 22:30:04.0765 2868 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/08/23 22:30:04.0859 2868 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2011/08/23 22:30:05.0000 2868 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2011/08/23 22:30:05.0078 2868 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/08/23 22:30:05.0171 2868 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/08/23 22:30:05.0218 2868 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/08/23 22:30:05.0359 2868 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/08/23 22:30:05.0375 2868 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/08/23 22:30:05.0437 2868 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/08/23 22:30:05.0500 2868 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/08/23 22:30:05.0625 2868 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/08/23 22:30:05.0671 2868 usbvideo (8968ff3973a883c49e8b564200f565b9) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/08/23 22:30:05.0718 2868 VCSVADHWSer (b2abab4ca46bad182e27763dc19c780f) C:\WINDOWS\system32\DRIVERS\vcsvad.sys
2011/08/23 22:30:05.0812 2868 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/08/23 22:30:05.0921 2868 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/08/23 22:30:05.0984 2868 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/08/23 22:30:06.0062 2868 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/08/23 22:30:06.0171 2868 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/08/23 22:30:06.0312 2868 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/08/23 22:30:06.0375 2868 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/08/23 22:30:06.0406 2868 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/08/23 22:30:06.0500 2868 WudfPf (6ff66513d372d479ef1810223c8d20ce) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/08/23 22:30:06.0531 2868 WudfRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/08/23 22:30:07.0093 2868 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/08/23 22:30:07.0265 2868 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR3
2011/08/23 22:30:07.0281 2868 Boot (0x1200) (376cd6a563b68089149b43ac88d519d5) \Device\Harddisk0\DR0\Partition0
2011/08/23 22:30:07.0296 2868 Boot (0x1200) (43d6dc9dc6c9c8518f76cf3e1dca59ef) \Device\Harddisk0\DR0\Partition1
2011/08/23 22:30:07.0312 2868 Boot (0x1200) (b5eadabcc7b8ecbba42e9877722ef96f) \Device\Harddisk1\DR3\Partition0
2011/08/23 22:30:07.0312 2868 ================================================================================
2011/08/23 22:30:07.0312 2868 Scan finished
2011/08/23 22:30:07.0312 2868 ================================================================================
2011/08/23 22:30:07.0328 2960 Detected object count: 3
2011/08/23 22:30:07.0328 2960 Actual detected object count: 3
2011/08/23 22:31:13.0062 2960 AFD (d9a47e3853528fbcc03ce0e11210fd16) C:\WINDOWS\System32\drivers\afd.sys
2011/08/23 22:31:13.0062 2960 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: d9a47e3853528fbcc03ce0e11210fd16, Fake md5: 55e6e1c51b6d30e54335750955453702
2011/08/23 22:31:14.0203 2960 Backup copy found, using it..
2011/08/23 22:31:14.0218 2960 C:\WINDOWS\System32\drivers\afd.sys - will be cured after reboot
2011/08/23 22:31:14.0218 2960 Rootkit.Win32.ZAccess.c(AFD) - User select action: Cure
2011/08/23 22:31:14.0218 2960 HiddenFile.Multi.Generic(edac8d2c) - User select action: Skip
2011/08/23 22:31:14.0218 2960 LockedFile.Multi.Generic(sptd) - User select action: Skip
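The three detections above (afd.sys whose real and fake md5 differ, a hidden file living in an NTFS alternate data stream, and a locked sptd.sys) plus the cluster of randomly named drivers that all share md5 e6d35f3a… are what a responder reads first in a TDSSKiller log. As an added example that is not part of this thread and not Kaspersky's tool, here is a Python triage helper for that log format; the sample is an excerpt copied from the posted log, and the shared-hash check is a review heuristic, not a verdict.

```python
"""Triage helper for TDSSKiller 2.5.x scan logs (added example, not a
Kaspersky tool). It parses the per-driver lines, the 'Suspicious file',
'detected' and 'User select action' lines, and flags what to look at first."""
import re
from collections import defaultdict

# Constructed sample: an excerpt copied from the log posted in the thread.
SAMPLE_LOG = r"""
2011/08/23 22:29:51.0437 2868 AFD (d9a47e3853528fbcc03ce0e11210fd16) C:\WINDOWS\System32\drivers\afd.sys
2011/08/23 22:29:51.0453 2868 Suspicious file (Forged): C:\WINDOWS\System32\drivers\afd.sys. Real md5: d9a47e3853528fbcc03ce0e11210fd16, Fake md5: 55e6e1c51b6d30e54335750955453702
2011/08/23 22:29:51.0453 2868 AFD - detected Rootkit.Win32.ZAccess.c (0)
2011/08/23 22:29:53.0625 2868 dwrfa (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\cpma.sys
2011/08/23 22:29:53.0765 2868 edac8d2c (8f2bb1827cac01aee6a16e30a1260199) C:\WINDOWS\747482349:307458771.exe
2011/08/23 22:29:53.0796 2868 Suspicious file (Hidden): C:\WINDOWS\747482349:307458771.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
2011/08/23 22:29:53.0812 2868 edac8d2c - detected HiddenFile.Multi.Generic (1)
2011/08/23 22:29:54.0250 2868 fqlpjiyc (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\htubn.sys
2011/08/23 22:29:56.0578 2868 kwaxi (e6d35f3aa51a65eb35c1f2340154a25e) C:\WINDOWS\system32\drivers\vldso.sys
2011/08/23 22:29:58.0093 2868 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2011/08/23 22:30:03.0687 2868 sptd (d15da1ba189770d93eea2d7e18f95af9) C:\WINDOWS\system32\Drivers\sptd.sys
2011/08/23 22:30:03.0687 2868 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d15da1ba189770d93eea2d7e18f95af9
2011/08/23 22:30:03.0703 2868 sptd - detected LockedFile.Multi.Generic (1)
2011/08/23 22:31:14.0218 2960 Rootkit.Win32.ZAccess.c(AFD) - User select action: Cure
2011/08/23 22:31:14.0218 2960 HiddenFile.Multi.Generic(edac8d2c) - User select action: Skip
"""

PREFIX = r"^\S+ \S+ \d+ "  # date, time, thread id
DRIVER_RE = re.compile(PREFIX + r"(\S+) \(([0-9a-f]{32})\) (.+)$")
SUSP_RE = re.compile(
    PREFIX + r"Suspicious file \((\w+)\): (.+?)\. "
    r"(?:Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})|md5: ([0-9a-f]{32}))$")
DETECT_RE = re.compile(PREFIX + r"(\S+) - detected (\S+) \((\d+)\)$")
ACTION_RE = re.compile(PREFIX + r"(\S+)\((\S+)\) - User select action: (\w+)$")


def parse_tdsskiller_log(text):
    """Split a log into driver entries, suspicious-file notes, verdicts, actions."""
    out = {"drivers": [], "suspicious": [], "detections": [], "actions": []}
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SUSP_RE.match(line)
        if m:
            kind, path, real, fake, md5 = m.groups()
            out["suspicious"].append({"kind": kind, "path": path, "real_md5": real,
                                      "fake_md5": fake, "md5": md5})
            continue
        m = DETECT_RE.match(line)
        if m:
            out["detections"].append({"name": m.group(1), "verdict": m.group(2)})
            continue
        m = ACTION_RE.match(line)
        if m:
            out["actions"].append({"verdict": m.group(1), "name": m.group(2),
                                   "action": m.group(3)})
            continue
        m = DRIVER_RE.match(line)
        if m:
            out["drivers"].append({"name": m.group(1), "md5": m.group(2),
                                   "path": m.group(3)})
    return out


def is_alternate_data_stream(path):
    """A colon after the drive letter names an NTFS stream, not a plain file,
    e.g. C:\\WINDOWS\\747482349:307458771.exe in the log above."""
    body = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    return ":" in body


def shared_hash_groups(drivers, min_names=2):
    """Service names whose files share one md5 under different paths.
    Heuristic only: several random names with identical content deserves a look."""
    by_md5 = defaultdict(dict)
    for d in drivers:
        by_md5[d["md5"]][d["name"]] = d["path"]
    return {h: names for h, names in by_md5.items()
            if len(names) >= min_names and len(set(names.values())) >= min_names}


def triage(text):
    """Summarise forged, hidden and locked files and any verdict not cured."""
    parsed = parse_tdsskiller_log(text)
    cured = {a["name"] for a in parsed["actions"] if a["action"] == "Cure"}
    skipped = {a["name"] for a in parsed["actions"] if a["action"] == "Skip"}
    report = {"forged": [], "hidden": [], "locked": [], "unresolved": [],
              "shared_hash": shared_hash_groups(parsed["drivers"])}
    for s in parsed["suspicious"]:
        if s["kind"] == "Forged":
            report["forged"].append(s["path"])
        elif s["kind"] == "Hidden":
            report["hidden"].append({"path": s["path"],
                                     "ads": is_alternate_data_stream(s["path"])})
        elif s["kind"] == "NoAccess":
            report["locked"].append(s["path"])
    for d in parsed["detections"]:
        if d["name"] not in cured:
            state = "Skip" if d["name"] in skipped else "none"
            report["unresolved"].append((d["name"], d["verdict"], state))
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Anything still listed under "unresolved" after a run is what the next scan or tool has to deal with, which is why the helper asks for a fresh log after every step.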
 
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete the Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Hmm, this is a bit of a problem. It asks me to install the Recovery console but I need to be connected to the internet, which my computer can't seem to do at the moment.
 
I ran ComboFix and it scanned and asked to reboot. It told me not to reboot manually and to let it reboot itself (or at least I think so, I might've seen/remembered it wrong), but it's been a couple of minutes and it still hasn't rebooted. Just wondering if this was normal.
 
Did a manual reset and Combofix ran itself upon signing in. Here is the log:

ComboFix 11-08-23.06 - Administrator 08/23/2011 23:35:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2555.2167 [GMT -4:00]
Running from: H:\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\GateWayMain.exe
c:\documents and settings\Administrator\MBRWiz.exe
C:\feed.txt
C:\Install.exe
c:\windows\$NtUninstallKB40831$
c:\windows\$NtUninstallKB40831$\3946221453
c:\windows\$NtUninstallKB40831$\3987508524\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB40831$\3987508524\click.tlb
c:\windows\$NtUninstallKB40831$\3987508524\L\qectlmpm
c:\windows\$NtUninstallKB40831$\3987508524\loader.tlb
c:\windows\$NtUninstallKB40831$\3987508524\U\$000000c0
c:\windows\$NtUninstallKB40831$\3987508524\U\$000000cb
c:\windows\$NtUninstallKB40831$\3987508524\U\@00000001
c:\windows\$NtUninstallKB40831$\3987508524\U\@000000c0
c:\windows\$NtUninstallKB40831$\3987508524\U\@000000cb
c:\windows\$NtUninstallKB40831$\3987508524\U\@000000cf
c:\windows\$NtUninstallKB40831$\3987508524\U\@80000000
c:\windows\$NtUninstallKB40831$\3987508524\U\@800000c0
c:\windows\$NtUninstallKB40831$\3987508524\U\@800000cb
c:\windows\$NtUninstallKB40831$\3987508524\U\@800000cf
c:\windows\system32\c_98363.nls
c:\windows\system32\comct332.ocx
c:\windows\system32\Thumbs.db
.
Infected copy of c:\windows\system32\drivers\mrxsmb.sys was found and disinfected
Restored copy from - The cat found it :)
c:\windows\system32\ws2help.dll . . . is infected!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_edac8d2c
.
.
((((((((((((((((((((((((( Files Created from 2011-07-24 to 2011-08-24 )))))))))))))))))))))))))))))))
.
.
2073-04-13 21:17 . 2006-11-22 00:48 203576 ---h--w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
2011-08-24 02:53 . 2010-02-24 12:31 454016 -c--a-w- c:\windows\system32\dllcache\mrxsmb.sys
2011-08-24 02:53 . 2010-02-24 12:31 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-23 03:51 . 2011-08-24 02:33 43408 --sha-w- c:\windows\system32\c_98363.nl_
2011-08-23 02:02 . 2011-08-23 02:02 -------- d-----w- c:\program files\Avira
2011-08-22 17:59 . 2011-08-22 17:59 -------- d-----w- c:\program files\Virus Secure Lab
2011-08-18 21:45 . 2011-08-18 21:45 -------- d-----w- c:\program files\Sophos
2011-08-18 04:28 . 2011-08-18 04:28 -------- d-----w- c:\program files\Foxit Software
2011-08-18 03:07 . 2011-08-23 03:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-08-18 03:07 . 2011-08-22 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-08-18 02:46 . 2011-08-22 20:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-18 01:00 . 2011-08-18 01:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\QuickScan
2011-08-18 00:30 . 2011-08-18 00:30 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-08-18 00:30 . 2011-08-18 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-08-18 00:17 . 2011-05-03 20:14 331776 ----a-w- c:\windows\system32\EasyRedirect.dll
2011-08-18 00:17 . 2011-08-18 02:11 -------- d-----w- c:\program files\Easy-Hide-IP
2011-08-17 16:37 . 2011-08-17 16:37 -------- d-----w- C:\CherryDeGames
2011-08-11 18:00 . 2011-08-11 20:07 -------- d-----w- c:\program files\InterActual
2011-08-07 23:13 . 2011-08-07 23:14 -------- d-----w- c:\program files\PCSX2 0.9.8
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-24 02:32 . 2004-08-04 01:07 138368 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-24 02:18 . 2004-08-04 01:07 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-08-23 03:51 . 2004-08-04 01:07 35840 ----a-w- c:\windows\system32\drivers\isapnp.sys
2011-08-16 18:05 . 2011-06-15 08:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-06 23:52 . 2008-11-19 16:37 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 23:52 . 2008-11-19 16:37 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-09 21:16 . 2009-12-25 21:10 141200 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-06-09 20:34 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-06-08 09:07 . 2011-06-13 12:17 201728 ----a-w- C:\zYan_ID_Changer.dll
2011-06-07 23:49 . 2011-06-07 23:49 138056 ----a-w- c:\documents and settings\Administrator\Application Data\PnkBstrK.sys
2011-06-07 23:48 . 2009-12-25 21:10 90112 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-06-02 07:36 . 2011-06-13 12:17 27648 ----a-w- C:\zYan_X.dll
2011-04-30 15:16 . 2011-03-27 19:12 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll
[-] 2004-08-04 . 647C9A7E33CE84E1ADAFB7E49E5FF413 . 577024 . . [5.1.2600.2180] . . c:\windows\system32\user32.dll
.
[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll
[-] 2004-08-04 . B8452AB7BAF84D1D621776AF8000BBD4 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
.
[-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2help.dll
[-] 2004-08-04 . 37C22A702CFBF08E7BE60C91688CACA1 . 19968 . . [5.1.2600.2180] . . c:\windows\system32\ws2help.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2008-03-25 77824]
"DeLay"="c:\windows\BisonCam\DeLay.exe" [2008-03-11 53248]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2008-03-26 1208320]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-06-06 49168]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Shortcut to kevin.lnk - c:\documents and settings\Administrator\Desktop\Bypass\kevin.exe [2008-10-1 439191]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-10-1 1843000]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-06-06 03:03 90112 ----a-w- c:\windows\system32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\alaplaya\\S4League\\patcher_s4.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"58176:TCP"= 58176:TCP:pando Media Booster
"58176:UDP"= 58176:UDP:pando Media Booster
"58417:TCP"= 58417:TCP:pando Media Booster
"58417:UDP"= 58417:UDP:pando Media Booster
"58356:TCP"= 58356:TCP:pando Media Booster
"58356:UDP"= 58356:UDP:pando Media Booster
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/8/2009 10:44 AM 721904]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/3/2004 9:07 PM 14336]
R2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [3/22/2011 4:16 PM 2304]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/1/2008 11:47 PM 24652]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [10/1/2008 10:23 PM 84240]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [12/23/2009 3:04 PM 17792]
S0 boci;boci;c:\windows\system32\drivers\sdvhwiu.sys --> c:\windows\system32\drivers\sdvhwiu.sys [?]
S0 dygygdv;dygygdv;c:\windows\system32\drivers\cihytg.sys --> c:\windows\system32\drivers\cihytg.sys [?]
S0 wzrwo;wzrwo; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
S2 HDD & SSD access service;HDD & SSD access service;"c:\program files\Common Files\BinarySense\disksvc.exe" --> c:\program files\Common Files\BinarySense\disksvc.exe [?]
S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 9:07 PM 14336]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\131.tmp --> c:\windows\system32\131.tmp [?]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [4/1/2010 5:55 PM 133632]
S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [4/1/2010 5:55 PM 79360]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/31/2009 9:15 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/31/2009 9:15 PM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [8/31/2009 9:15 PM 42112]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 XDva285;XDva285;\??\c:\windows\system32\XDva285.sys --> c:\windows\system32\XDva285.sys [?]
S3 XDva296;XDva296;\??\c:\windows\system32\XDva296.sys --> c:\windows\system32\XDva296.sys [?]
S3 XDva326;XDva326;\??\c:\windows\system32\XDva326.sys --> c:\windows\system32\XDva326.sys [?]
S3 XDva328;XDva328;\??\c:\windows\system32\XDva328.sys --> c:\windows\system32\XDva328.sys [?]
S3 XDva332;XDva332;\??\c:\windows\system32\XDva332.sys --> c:\windows\system32\XDva332.sys [?]
S3 XDva337;XDva337;\??\c:\windows\system32\XDva337.sys --> c:\windows\system32\XDva337.sys [?]
S3 XDva341;XDva341;\??\c:\windows\system32\XDva341.sys --> c:\windows\system32\XDva341.sys [?]
S3 XDva343;XDva343;\??\c:\windows\system32\XDva343.sys --> c:\windows\system32\XDva343.sys [?]
S3 XDva346;XDva346;\??\c:\windows\system32\XDva346.sys --> c:\windows\system32\XDva346.sys [?]
S3 XDva347;XDva347;\??\c:\windows\system32\XDva347.sys --> c:\windows\system32\XDva347.sys [?]
S3 XDva349;XDva349;\??\c:\windows\system32\XDva349.sys --> c:\windows\system32\XDva349.sys [?]
S3 XDva351;XDva351;\??\c:\windows\system32\XDva351.sys --> c:\windows\system32\XDva351.sys [?]
S3 XDva352;XDva352;\??\c:\windows\system32\XDva352.sys --> c:\windows\system32\XDva352.sys [?]
S3 XDva354;XDva354;\??\c:\windows\system32\XDva354.sys --> c:\windows\system32\XDva354.sys [?]
S3 XDva358;XDva358;\??\c:\windows\system32\XDva358.sys --> c:\windows\system32\XDva358.sys [?]
S3 XDva359;XDva359;\??\c:\windows\system32\XDva359.sys --> c:\windows\system32\XDva359.sys [?]
S3 XDva362;XDva362;\??\c:\windows\system32\XDva362.sys --> c:\windows\system32\XDva362.sys [?]
S3 XDva370;XDva370;\??\c:\windows\system32\XDva370.sys --> c:\windows\system32\XDva370.sys [?]
S3 XDva375;XDva375;\??\c:\windows\system32\XDva375.sys --> c:\windows\system32\XDva375.sys [?]
S3 XDva380;XDva380;\??\c:\windows\system32\XDva380.sys --> c:\windows\system32\XDva380.sys [?]
S3 XDva383;XDva383;\??\c:\windows\system32\XDva383.sys --> c:\windows\system32\XDva383.sys [?]
S3 XDva385;XDva385;\??\c:\windows\system32\XDva385.sys --> c:\windows\system32\XDva385.sys [?]
S3 XDva386;XDva386;\??\c:\windows\system32\XDva386.sys --> c:\windows\system32\XDva386.sys [?]
S3 XDva387;XDva387;\??\c:\windows\system32\XDva387.sys --> c:\windows\system32\XDva387.sys [?]
S3 XDva388;XDva388;\??\c:\windows\system32\XDva388.sys --> c:\windows\system32\XDva388.sys [?]
S3 XDva389;XDva389;\??\c:\windows\system32\XDva389.sys --> c:\windows\system32\XDva389.sys [?]
S4 dwrfa;dwrfa;c:\windows\system32\drivers\cpma.sys [7/10/2010 12:10 AM 54016]
S4 fqlpjiyc;fqlpjiyc;c:\windows\system32\drivers\htubn.sys [7/9/2010 11:51 PM 54016]
S4 kwaxi;kwaxi;c:\windows\system32\drivers\vldso.sys [7/9/2010 11:38 PM 54016]
S4 nepo;nepo;c:\windows\system32\drivers\dbxd.sys [7/9/2010 11:38 PM 54016]
S4 nscb;nscb;c:\windows\system32\drivers\xiip.sys [6/13/2010 8:04 PM 54016]
S4 sajy;sajy;c:\windows\system32\drivers\snba.sys [6/13/2010 8:12 PM 54016]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-22 c:\windows\Tasks\AdobeAAMUpdater-1.0-JIMMAWAT-Administrator.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-05-31 07:44]
.
2011-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
.
2011-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
.
2011-08-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
.
2011-08-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
.
2011-08-24 c:\windows\Tasks\RegCure Startup.job
- c:\regcure\RegCure.exe [2010-02-23 01:29]
.
2009-11-09 c:\windows\Tasks\Test.job
- c:\windows\system32\ntbackup.exe [2004-08-04 01:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.orbitdownloader.com/
uInternet Settings,ProxyServer = http=106.230
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z1748ax6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101027100&s=
FF - prefs.js: network.proxy.ftp - 109.230.216.23
FF - prefs.js: network.proxy.ftp_port - 1080
FF - prefs.js: network.proxy.http - 109.230.216.23
FF - prefs.js: network.proxy.http_port - 1080
FF - prefs.js: network.proxy.socks - 109.230.216.23
FF - prefs.js: network.proxy.socks_port - 1080
FF - prefs.js: network.proxy.ssl - 109.230.216.23
FF - prefs.js: network.proxy.ssl_port - 1080
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-GateWay - c:\documents and settings\Administrator\GateWayMain.exe
HKCU-Run-AdobeBridge - (no file)
HKCU-Run-Easy-Hide-IP - c:\program files\Easy-Hide-IP\easy-hide-ip.exe
HKLM-Run-Malwarebytes Anti-Malware (rootkit-scan) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
SafeBoot-37585001.sys
SafeBoot-85521509.sys
SafeBoot-98100742.sys
SafeBoot-klmdb.sys
HKLM_ActiveSetup-{0FDEABD1-E3FE-3DDE-FAE8-CADCD636FFB5} - c:\documents and settings\Administrator\Application Data\svchost.exe
AddRemove-{0166E190-92D7-482A-A220-DE8B7354383A} - c:\documents and settings\Administrator\Local Settings\Application Data\{67C33A62-5B1D-43D1-9600-16006F36EB2B}\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-23 23:53
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\131.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT\Parameters]
@DACL=(02 0000)
"TransportBindName"="\\Device\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(980)
c:\windows\system32\vrlogon.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
.
- - - - - - - > 'explorer.exe'(3272)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\msi.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Protector Suite QL\psqltray.exe
c:\program files\Orbitdownloader\orbitnet.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-08-23 23:56:46 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-24 03:56
.
Pre-Run: 16,290,906,112 bytes free
Post-Run: 25,813,757,952 bytes free
.
- - End Of File - - A4965A98A248B5D01FE134A1969F4509
 
Uninstall RegCure.
Registry cleaners/optimizers are not recommended for several reasons:

  • Registry cleaners are extremely powerful applications that can damage the registry by using aggressive cleaning routines and cause your computer to become unbootable.

    The Windows registry is a central repository (database) for storing configuration data, user settings and machine-dependent settings, and options for the operating system. It contains information and settings for all hardware, software, users, and preferences. Whenever a user makes changes to settings, file associations, system policies, or installed software, the changes are reflected and stored in this repository. The registry is a crucial component because it is where Windows "remembers" all this information, how it works together, how Windows boots the system and what files it uses when it does. The registry is also a vulnerable subsystem, in that relatively small changes done incorrectly can render the system inoperable. For a more detailed explanation, read Understanding The Registry.
  • Not all registry cleaners are created equal. There are a number of them available but they do not all work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad entry". One cleaner may find entries on your system that will not cause problems when removed, another may not find the same entries, and still another may want to remove entries required for a program to work.
  • Not all registry cleaners create a backup of the registry before making changes. If the changes prevent the system from booting up, then there is no backup available to restore it in order to regain functionality. A backup of the registry is essential BEFORE making any changes to the registry.
  • Improperly removing registry entries can hamper malware disinfection and make the removal process more difficult if your computer becomes infected. For example, removing malware related registry entries before the infection is properly identified can contribute to system instability and even make the malware undetectable to removal tools.
  • The usefulness of cleaning the registry is highly overrated and can be dangerous. In most cases, using a cleaner to remove obsolete, invalid, and erroneous entries does not affect system performance but it can result in "unpredictable results".
Unless you have a particular problem that requires a registry edit to correct it, I would suggest you leave the registry alone. Using registry cleaning tools unnecessarily or incorrectly could lead to disastrous effects on your operating system such as preventing it from ever starting again. For routine use, the benefits to your computer are negligible while the potential risks are great.


====================================================================

Unless you installed Viewpoint Manager knowledgeably...
Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
Uninstall any of the following programs associated with Viewpoint:
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar
This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

==================================================================

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box
  • Click OK
Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\c_98363.nl_
c:\windows\system32\drivers\sdvhwiu.sys
c:\windows\system32\drivers\cihytg.sys
c:\windows\system32\drivers\snba.sys
c:\windows\system32\drivers\xiip.sys
c:\windows\system32\drivers\dbxd.sys
c:\windows\system32\drivers\vldso.sys
c:\windows\system32\drivers\htubn.sys
c:\windows\system32\drivers\cpma.sys
c:\windows\Tasks\RegCure Startup.job


Folder::

Driver::
boci
dygygdv
wzrwo
dwrfa
fqlpjiyc
kwaxi
nepo
nscb
sajy

DDS::
uInternet Settings,ProxyServer = http=106.230

FireFox::
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z1748ax6.default\
FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101027100&s=
FF - prefs.js: network.proxy.ftp - 109.230.216.23
FF - prefs.js: network.proxy.ftp_port - 1080
FF - prefs.js: network.proxy.http - 109.230.216.23
FF - prefs.js: network.proxy.http_port - 1080
FF - prefs.js: network.proxy.socks - 109.230.216.23
FF - prefs.js: network.proxy.socks_port - 1080
FF - prefs.js: network.proxy.ssl - 109.230.216.23
FF - prefs.js: network.proxy.ssl_port - 1080
FF - prefs.js: network.proxy.type - 0

Registry::


3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After the reboot (if it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
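An added example, not part of the helper's instructions and not ComboFix code: a small Python script that reads a Firefox prefs.js and flags the two things the FireFox:: section of the script above targets, proxy entries pointing at a public host and an address-bar search (keyword.URL) redirected to an unknown site. The prefs.js fragment embedded below is constructed from the entries quoted in the log; the list of trusted search hosts is an assumption. One caveat worth noting when reading that log: network.proxy.type is 0 there, which in Firefox means "no proxy", so the 109.230.216.23:1080 entries were configured but not in use at the time. The script still reports them, marked inactive, because they are residue that should go.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: a prefs.js fragment rebuilt from the FF - prefs.js
# entries in the log above. The homepage line is what a clean profile
# holds and is included for contrast.
SAMPLE_PREFS_JS = r'''
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.google.com/");
user_pref("keyword.URL", "http://search.wish-search.com/?sid=10101027100&s=");
user_pref("network.proxy.ftp", "109.230.216.23");
user_pref("network.proxy.ftp_port", 1080);
user_pref("network.proxy.http", "109.230.216.23");
user_pref("network.proxy.http_port", 1080);
user_pref("network.proxy.socks", "109.230.216.23");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.ssl", "109.230.216.23");
user_pref("network.proxy.ssl_port", 1080);
user_pref("network.proxy.type", 0);
'''

# user_pref("name", value);  -- value is a quoted string, an int or a bool
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')

# Assumed allow-list for the keyword.URL search prefix (default providers of
# the era). Anything else is treated as a search hijack.
TRUSTED_SEARCH_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com"}


def parse_prefs(text):
    """Return {pref_name: value}; strings unquoted, ints and bools converted."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def audit_prefs(prefs):
    """Return a list of (pref, value, reason) findings for proxy and search hijacks."""
    findings = []
    proxy_type = prefs.get("network.proxy.type", 0)
    for proto in ("http", "ssl", "ftp", "socks"):
        host = prefs.get(f"network.proxy.{proto}")
        if not host:
            continue
        try:
            is_public = ipaddress.ip_address(host).is_global
        except ValueError:
            is_public = True  # a hostname, not an IP: treat as untrusted
        if is_public:
            # type 1 = manual proxy in use; type 0 = direct connection, so the
            # entries are inert but still residue left behind by the hijack
            state = "active" if proxy_type == 1 else f"inactive (proxy.type={proxy_type})"
            port = prefs.get(f"network.proxy.{proto}_port")
            findings.append((f"network.proxy.{proto}", f"{host}:{port}",
                             f"public proxy endpoint, {state}"))
    kw = prefs.get("keyword.URL")
    if kw:
        host = urlparse(kw).hostname or ""
        if host not in TRUSTED_SEARCH_HOSTS:
            findings.append(("keyword.URL", kw,
                             "address-bar search redirected to untrusted host"))
    return findings


if __name__ == "__main__":
    for pref, value, reason in audit_prefs(parse_prefs(SAMPLE_PREFS_JS)):
        print(f"{pref:22} {value:55} {reason}")
```

Point it at a real profile by reading prefs.js (and user.js, which overrides it) from the profile folder named in the FF - ProfilePath line; a loopback or RFC 1918 proxy host is left alone, since a local filtering proxy is a legitimate setup.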
 
Sorry, I thought you had logged off for the night, so I turned in to sleep. Ran ComboFix.exe with the CFScript.txt.

Here is the log:

ComboFix 11-08-23.06 - Administrator 08/24/2011 13:47:31.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2555.1918 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: H:\CFScript.txt
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
FILE ::
"c:\windows\system32\c_98363.nl_"
"c:\windows\system32\drivers\cihytg.sys"
"c:\windows\system32\drivers\cpma.sys"
"c:\windows\system32\drivers\dbxd.sys"
"c:\windows\system32\drivers\htubn.sys"
"c:\windows\system32\drivers\sdvhwiu.sys"
"c:\windows\system32\drivers\snba.sys"
"c:\windows\system32\drivers\vldso.sys"
"c:\windows\system32\drivers\xiip.sys"
"c:\windows\Tasks\RegCure Startup.job"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\c_98363.nl_
c:\windows\system32\drivers\cpma.sys
c:\windows\system32\drivers\dbxd.sys
c:\windows\system32\drivers\htubn.sys
c:\windows\system32\drivers\snba.sys
c:\windows\system32\drivers\vldso.sys
c:\windows\system32\drivers\xiip.sys
.
c:\windows\system32\ws2help.dll . . . is infected!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_DWRFA
-------\Legacy_FQLPJIYC
-------\Legacy_KWAXI
-------\Legacy_NEPO
-------\Legacy_NSCB
-------\Legacy_SAJY
-------\Legacy_WZRWO
-------\Service_boci
-------\Service_dwrfa
-------\Service_dygygdv
-------\Service_fqlpjiyc
-------\Service_kwaxi
-------\Service_nepo
-------\Service_nscb
-------\Service_sajy
-------\Service_wzrwo
.
.
((((((((((((((((((((((((( Files Created from 2011-07-24 to 2011-08-24 )))))))))))))))))))))))))))))))
.
.
2073-04-13 21:17 . 2006-11-22 00:48 203576 ---h--w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
2011-08-24 02:53 . 2010-02-24 12:31 454016 -c--a-w- c:\windows\system32\dllcache\mrxsmb.sys
2011-08-24 02:53 . 2010-02-24 12:31 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-23 02:02 . 2011-08-23 02:02 -------- d-----w- c:\program files\Avira
2011-08-22 17:59 . 2011-08-22 17:59 -------- d-----w- c:\program files\Virus Secure Lab
2011-08-18 21:45 . 2011-08-18 21:45 -------- d-----w- c:\program files\Sophos
2011-08-18 04:28 . 2011-08-18 04:28 -------- d-----w- c:\program files\Foxit Software
2011-08-18 03:07 . 2011-08-23 03:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-08-18 03:07 . 2011-08-22 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-08-18 02:46 . 2011-08-22 20:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-18 01:00 . 2011-08-18 01:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\QuickScan
2011-08-18 00:30 . 2011-08-18 00:30 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-08-18 00:30 . 2011-08-18 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-08-18 00:17 . 2011-05-03 20:14 331776 ----a-w- c:\windows\system32\EasyRedirect.dll
2011-08-18 00:17 . 2011-08-18 02:11 -------- d-----w- c:\program files\Easy-Hide-IP
2011-08-17 16:37 . 2011-08-17 16:37 -------- d-----w- C:\CherryDeGames
2011-08-11 18:00 . 2011-08-11 20:07 -------- d-----w- c:\program files\InterActual
2011-08-07 23:13 . 2011-08-07 23:14 -------- d-----w- c:\program files\PCSX2 0.9.8
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-24 02:32 . 2004-08-04 01:07 138368 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-24 02:18 . 2004-08-04 01:07 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-08-23 03:51 . 2004-08-04 01:07 35840 ----a-w- c:\windows\system32\drivers\isapnp.sys
2011-08-16 18:05 . 2011-06-15 08:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-06 23:52 . 2008-11-19 16:37 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 23:52 . 2008-11-19 16:37 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-09 21:16 . 2009-12-25 21:10 141200 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-06-09 20:34 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-06-08 09:07 . 2011-06-13 12:17 201728 ----a-w- C:\zYan_ID_Changer.dll
2011-06-07 23:49 . 2011-06-07 23:49 138056 ----a-w- c:\documents and settings\Administrator\Application Data\PnkBstrK.sys
2011-06-07 23:48 . 2009-12-25 21:10 90112 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-06-02 07:36 . 2011-06-13 12:17 27648 ----a-w- C:\zYan_X.dll
2011-04-30 15:16 . 2011-03-27 19:12 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll
[-] 2004-08-04 . 647C9A7E33CE84E1ADAFB7E49E5FF413 . 577024 . . [5.1.2600.2180] . . c:\windows\system32\user32.dll
.
[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll
[-] 2004-08-04 . B8452AB7BAF84D1D621776AF8000BBD4 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
.
[-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2help.dll
[-] 2004-08-04 . 37C22A702CFBF08E7BE60C91688CACA1 . 19968 . . [5.1.2600.2180] . . c:\windows\system32\ws2help.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-08-24_03.51.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-24 18:01 . 2011-08-24 18:01 16384 c:\windows\Temp\Perflib_Perfdata_69c.dat
+ 2011-08-24 18:01 . 2011-08-24 18:01 16384 c:\windows\Temp\Perflib_Perfdata_2b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2008-03-25 77824]
"DeLay"="c:\windows\BisonCam\DeLay.exe" [2008-03-11 53248]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2008-03-26 1208320]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-06-06 49168]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Shortcut to kevin.lnk - c:\documents and settings\Administrator\Desktop\Bypass\kevin.exe [2008-10-1 439191]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-10-1 1843000]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-06-06 03:03 90112 ----a-w- c:\windows\system32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\alaplaya\\S4League\\patcher_s4.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"58176:TCP"= 58176:TCP:pando Media Booster
"58176:UDP"= 58176:UDP:pando Media Booster
"58417:TCP"= 58417:TCP:pando Media Booster
"58417:UDP"= 58417:UDP:pando Media Booster
"58356:TCP"= 58356:TCP:pando Media Booster
"58356:UDP"= 58356:UDP:pando Media Booster
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/8/2009 10:44 AM 721904]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/3/2004 9:07 PM 14336]
R2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [3/22/2011 4:16 PM 2304]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [10/1/2008 10:23 PM 84240]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [12/23/2009 3:04 PM 17792]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
S2 HDD & SSD access service;HDD & SSD access service;"c:\program files\Common Files\BinarySense\disksvc.exe" --> c:\program files\Common Files\BinarySense\disksvc.exe [?]
S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 9:07 PM 14336]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\131.tmp --> c:\windows\system32\131.tmp [?]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [4/1/2010 5:55 PM 133632]
S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [4/1/2010 5:55 PM 79360]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/31/2009 9:15 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/31/2009 9:15 PM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [8/31/2009 9:15 PM 42112]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 XDva285;XDva285;\??\c:\windows\system32\XDva285.sys --> c:\windows\system32\XDva285.sys [?]
S3 XDva296;XDva296;\??\c:\windows\system32\XDva296.sys --> c:\windows\system32\XDva296.sys [?]
S3 XDva326;XDva326;\??\c:\windows\system32\XDva326.sys --> c:\windows\system32\XDva326.sys [?]
S3 XDva328;XDva328;\??\c:\windows\system32\XDva328.sys --> c:\windows\system32\XDva328.sys [?]
S3 XDva332;XDva332;\??\c:\windows\system32\XDva332.sys --> c:\windows\system32\XDva332.sys [?]
S3 XDva337;XDva337;\??\c:\windows\system32\XDva337.sys --> c:\windows\system32\XDva337.sys [?]
S3 XDva341;XDva341;\??\c:\windows\system32\XDva341.sys --> c:\windows\system32\XDva341.sys [?]
S3 XDva343;XDva343;\??\c:\windows\system32\XDva343.sys --> c:\windows\system32\XDva343.sys [?]
S3 XDva346;XDva346;\??\c:\windows\system32\XDva346.sys --> c:\windows\system32\XDva346.sys [?]
S3 XDva347;XDva347;\??\c:\windows\system32\XDva347.sys --> c:\windows\system32\XDva347.sys [?]
S3 XDva349;XDva349;\??\c:\windows\system32\XDva349.sys --> c:\windows\system32\XDva349.sys [?]
S3 XDva351;XDva351;\??\c:\windows\system32\XDva351.sys --> c:\windows\system32\XDva351.sys [?]
S3 XDva352;XDva352;\??\c:\windows\system32\XDva352.sys --> c:\windows\system32\XDva352.sys [?]
S3 XDva354;XDva354;\??\c:\windows\system32\XDva354.sys --> c:\windows\system32\XDva354.sys [?]
S3 XDva358;XDva358;\??\c:\windows\system32\XDva358.sys --> c:\windows\system32\XDva358.sys [?]
S3 XDva359;XDva359;\??\c:\windows\system32\XDva359.sys --> c:\windows\system32\XDva359.sys [?]
S3 XDva362;XDva362;\??\c:\windows\system32\XDva362.sys --> c:\windows\system32\XDva362.sys [?]
S3 XDva370;XDva370;\??\c:\windows\system32\XDva370.sys --> c:\windows\system32\XDva370.sys [?]
S3 XDva375;XDva375;\??\c:\windows\system32\XDva375.sys --> c:\windows\system32\XDva375.sys [?]
S3 XDva380;XDva380;\??\c:\windows\system32\XDva380.sys --> c:\windows\system32\XDva380.sys [?]
S3 XDva383;XDva383;\??\c:\windows\system32\XDva383.sys --> c:\windows\system32\XDva383.sys [?]
S3 XDva385;XDva385;\??\c:\windows\system32\XDva385.sys --> c:\windows\system32\XDva385.sys [?]
S3 XDva386;XDva386;\??\c:\windows\system32\XDva386.sys --> c:\windows\system32\XDva386.sys [?]
S3 XDva387;XDva387;\??\c:\windows\system32\XDva387.sys --> c:\windows\system32\XDva387.sys [?]
S3 XDva388;XDva388;\??\c:\windows\system32\XDva388.sys --> c:\windows\system32\XDva388.sys [?]
S3 XDva389;XDva389;\??\c:\windows\system32\XDva389.sys --> c:\windows\system32\XDva389.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-24 c:\windows\Tasks\AdobeAAMUpdater-1.0-JIMMAWAT-Administrator.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-05-31 07:44]
.
2011-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
.
2011-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
.
2011-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
.
2011-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
.
2009-11-09 c:\windows\Tasks\Test.job
- c:\windows\system32\ntbackup.exe [2004-08-04 01:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.orbitdownloader.com/
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z1748ax6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-24 14:02
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\131.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NetBT\Parameters]
@DACL=(02 0000)
"TransportBindName"="\\Device\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(980)
c:\windows\system32\vrlogon.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
.
- - - - - - - > 'explorer.exe'(1516)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\msi.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
c:\windows\system32\browselc.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\program files\Microsoft Office\Office10\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Protector Suite QL\psqltray.exe
c:\program files\Orbitdownloader\orbitnet.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-08-24 14:05:06 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-24 18:05
ComboFix2.txt 2011-08-24 03:56
.
Pre-Run: 25,852,653,568 bytes free
Post-Run: 25,826,570,240 bytes free
.
- - End Of File - - 13786804F529E6649CC8EA2FD94ADF72
 
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box
  • Click OK
Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
FCopy::
c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll | c:\windows\system32\user32.dll


3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After the reboot (if it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
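Added example, not from the helper and not ComboFix code: a Python script that parses the Sigcheck section of a ComboFix log, pairs each system32 file with the copy sitting in the Windows Update download cache (the source the FCopy:: line above copies from), and reports whether the two are byte-identical by MD5. Run on the before and after Sigcheck sections from the logs in this thread, embedded below as constructed sample input copied from those log lines, it shows user32.dll going from mismatch to match once FCopy has run, and that the after log still labels system32\user32.dll with version 5.1.2600.2180 while its hash and size are those of the cached 5.1.2600.5512 copy. Two caveats: matching the cache proves only that the two files are identical, not that the file is clean, and a same-size hash mismatch (ws2help.dll here) is a reason to check the file against a known-good hash for that exact build, not a verdict; the "is infected" finding in the log is ComboFix's own.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: the Sigcheck sections from the two ComboFix logs in
# this thread, before and after the FCopy:: step replaced user32.dll.
SIGCHECK_BEFORE = r"""
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll
[-] 2004-08-04 . 647C9A7E33CE84E1ADAFB7E49E5FF413 . 577024 . . [5.1.2600.2180] . . c:\windows\system32\user32.dll
[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll
[-] 2004-08-04 . B8452AB7BAF84D1D621776AF8000BBD4 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
[-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2help.dll
[-] 2004-08-04 . 37C22A702CFBF08E7BE60C91688CACA1 . 19968 . . [5.1.2600.2180] . . c:\windows\system32\ws2help.dll
"""

SIGCHECK_AFTER = r"""
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.2180] . . c:\windows\system32\user32.dll
"""

# Sigcheck line layout:  [flag] date . MD5 . size . . [version] . . path
LINE_RE = re.compile(
    r"^\[(?P<flag>.)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)


def parse_sigcheck(text):
    """Parse ComboFix Sigcheck lines into dicts; lines of other shapes are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            rec["name"] = PureWindowsPath(rec["path"]).name.lower()
            records.append(rec)
    return records


def is_live_copy(path):
    """True for the copy Windows actually loads (system32), not an update-cache copy."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return "system32" in parts and "softwaredistribution" not in parts


def compare_to_cache(records):
    """Map file name -> (status, note) comparing the live copy with cached copies.

    An MD5 match against the Windows Update download cache proves only that the
    two files are identical, not that either is clean; a mismatch is expected
    whenever the cache holds a newer build than the one installed.
    """
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec["name"]].append(rec)
    result = {}
    for name, recs in sorted(by_name.items()):
        live = [r for r in recs if is_live_copy(r["path"])]
        cached = [r for r in recs if not is_live_copy(r["path"])]
        if not live or not cached:
            result[name] = ("NO_PAIR", "need both a system32 copy and a cached copy")
            continue
        l = live[0]
        match = next((c for c in cached if c["md5"] == l["md5"]), None)
        if match is None:
            same_size = any(c["size"] == l["size"] for c in cached)
            note = ("same size as cached copy but different hash" if same_size
                    else "different size/version from cached copy")
            result[name] = ("DIFFERS_FROM_CACHE", note)
        else:
            note = "identical to cached copy"
            if match["version"] != l["version"]:
                # The log labels the live file with one version while its bytes
                # match a copy labelled with another: the label is stale.
                note += (f"; version label {l['version']} disagrees with "
                         f"matched copy {match['version']}")
            result[name] = ("SAME_AS_CACHE", note)
    return result


if __name__ == "__main__":
    for label, text in (("before FCopy", SIGCHECK_BEFORE), ("after FCopy", SIGCHECK_AFTER)):
        print(f"== {label}")
        for name, (status, note) in compare_to_cache(parse_sigcheck(text)).items():
            print(f"{name:14} {status:20} {note}")
```

To use it on a real log, paste the Sigcheck block (everything between the "------- Sigcheck -------" header and the next section) into one of the sample strings, or read it from the saved ComboFix.txt; the three stock Winsock and user32 files checked here are the ones ComboFix reports because they are common patch targets, which is also why a pristine copy from the update cache is a safer replacement source than anything the infected system offers.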
 
I ran the scan and as it was scanning, a prompt came up and told me that I needed to insert my Windows XP Professional Service Pack 2 CD to replace some files with the original. I don't have the CD with me though, and I'm not sure where I've placed it. What should I do?
 
Here's the log :

ComboFix 11-08-23.06 - Administrator 08/24/2011 21:36:14.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2555.1790 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\ws2help.dll . . . is infected!!
.
.
--------------- FCopy ---------------
.
c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll --> c:\windows\system32\user32.dll
.
((((((((((((((((((((((((( Files Created from 2011-07-25 to 2011-08-25 )))))))))))))))))))))))))))))))
.
.
2073-04-13 21:17 . 2006-11-22 00:48 203576 ---h--w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
2011-08-24 02:53 . 2010-02-24 12:31 454016 -c--a-w- c:\windows\system32\dllcache\mrxsmb.sys
2011-08-24 02:53 . 2010-02-24 12:31 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-23 02:02 . 2011-08-23 02:02 -------- d-----w- c:\program files\Avira
2011-08-22 17:59 . 2011-08-22 17:59 -------- d-----w- c:\program files\Virus Secure Lab
2011-08-18 21:45 . 2011-08-18 21:45 -------- d-----w- c:\program files\Sophos
2011-08-18 04:28 . 2011-08-18 04:28 -------- d-----w- c:\program files\Foxit Software
2011-08-18 03:07 . 2011-08-23 03:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-08-18 03:07 . 2011-08-22 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-08-18 02:46 . 2011-08-22 20:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-18 01:00 . 2011-08-18 01:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\QuickScan
2011-08-18 00:30 . 2011-08-18 00:30 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-08-18 00:30 . 2011-08-18 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-08-18 00:17 . 2011-05-03 20:14 331776 ----a-w- c:\windows\system32\EasyRedirect.dll
2011-08-18 00:17 . 2011-08-18 02:11 -------- d-----w- c:\program files\Easy-Hide-IP
2011-08-17 16:37 . 2011-08-17 16:37 -------- d-----w- C:\CherryDeGames
2011-08-11 18:00 . 2011-08-11 20:07 -------- d-----w- c:\program files\InterActual
2011-08-07 23:13 . 2011-08-07 23:14 -------- d-----w- c:\program files\PCSX2 0.9.8
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-24 02:32 . 2004-08-04 01:07 138368 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-24 02:18 . 2004-08-04 01:07 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-08-23 03:51 . 2004-08-04 01:07 35840 ----a-w- c:\windows\system32\drivers\isapnp.sys
2011-08-16 18:05 . 2011-06-15 08:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-06 23:52 . 2008-11-19 16:37 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 23:52 . 2008-11-19 16:37 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-09 21:16 . 2009-12-25 21:10 141200 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-06-09 20:34 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-06-08 09:07 . 2011-06-13 12:17 201728 ----a-w- C:\zYan_ID_Changer.dll
2011-06-07 23:49 . 2011-06-07 23:49 138056 ----a-w- c:\documents and settings\Administrator\Application Data\PnkBstrK.sys
2011-06-07 23:48 . 2009-12-25 21:10 90112 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-06-02 07:36 . 2011-06-13 12:17 27648 ----a-w- C:\zYan_X.dll
2011-04-30 15:16 . 2011-03-27 19:12 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.2180] . . c:\windows\system32\user32.dll
.
[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll
[-] 2004-08-04 . B8452AB7BAF84D1D621776AF8000BBD4 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
.
[-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2help.dll
[-] 2004-08-04 . 37C22A702CFBF08E7BE60C91688CACA1 . 19968 . . [5.1.2600.2180] . . c:\windows\system32\ws2help.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-08-24_03.51.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-24 18:01 . 2011-08-24 18:01 16384 c:\windows\Temp\Perflib_Perfdata_69c.dat
+ 2011-08-24 18:01 . 2011-08-24 18:01 16384 c:\windows\Temp\Perflib_Perfdata_2b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2008-03-25 77824]
"DeLay"="c:\windows\BisonCam\DeLay.exe" [2008-03-11 53248]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2008-03-26 1208320]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-06-06 49168]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Shortcut to kevin.lnk - c:\documents and settings\Administrator\Desktop\Bypass\kevin.exe [2008-10-1 439191]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-10-1 1843000]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-06-06 03:03 90112 ----a-w- c:\windows\system32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\alaplaya\\S4League\\patcher_s4.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"58176:TCP"= 58176:TCP:pando Media Booster
"58176:UDP"= 58176:UDP:pando Media Booster
"58417:TCP"= 58417:TCP:pando Media Booster
"58417:UDP"= 58417:UDP:pando Media Booster
"58356:TCP"= 58356:TCP:pando Media Booster
"58356:UDP"= 58356:UDP:pando Media Booster
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/8/2009 10:44 AM 721904]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/3/2004 9:07 PM 14336]
R2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [3/22/2011 4:16 PM 2304]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [10/1/2008 10:23 PM 84240]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [12/23/2009 3:04 PM 17792]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
S2 HDD & SSD access service;HDD & SSD access service;"c:\program files\Common Files\BinarySense\disksvc.exe" --> c:\program files\Common Files\BinarySense\disksvc.exe [?]
S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 9:07 PM 14336]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\131.tmp --> c:\windows\system32\131.tmp [?]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [4/1/2010 5:55 PM 133632]
S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [4/1/2010 5:55 PM 79360]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/31/2009 9:15 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/31/2009 9:15 PM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [8/31/2009 9:15 PM 42112]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 XDva285;XDva285;\??\c:\windows\system32\XDva285.sys --> c:\windows\system32\XDva285.sys [?]
S3 XDva296;XDva296;\??\c:\windows\system32\XDva296.sys --> c:\windows\system32\XDva296.sys [?]
S3 XDva326;XDva326;\??\c:\windows\system32\XDva326.sys --> c:\windows\system32\XDva326.sys [?]
S3 XDva328;XDva328;\??\c:\windows\system32\XDva328.sys --> c:\windows\system32\XDva328.sys [?]
S3 XDva332;XDva332;\??\c:\windows\system32\XDva332.sys --> c:\windows\system32\XDva332.sys [?]
S3 XDva337;XDva337;\??\c:\windows\system32\XDva337.sys --> c:\windows\system32\XDva337.sys [?]
S3 XDva341;XDva341;\??\c:\windows\system32\XDva341.sys --> c:\windows\system32\XDva341.sys [?]
S3 XDva343;XDva343;\??\c:\windows\system32\XDva343.sys --> c:\windows\system32\XDva343.sys [?]
S3 XDva346;XDva346;\??\c:\windows\system32\XDva346.sys --> c:\windows\system32\XDva346.sys [?]
S3 XDva347;XDva347;\??\c:\windows\system32\XDva347.sys --> c:\windows\system32\XDva347.sys [?]
S3 XDva349;XDva349;\??\c:\windows\system32\XDva349.sys --> c:\windows\system32\XDva349.sys [?]
S3 XDva351;XDva351;\??\c:\windows\system32\XDva351.sys --> c:\windows\system32\XDva351.sys [?]
S3 XDva352;XDva352;\??\c:\windows\system32\XDva352.sys --> c:\windows\system32\XDva352.sys [?]
S3 XDva354;XDva354;\??\c:\windows\system32\XDva354.sys --> c:\windows\system32\XDva354.sys [?]
S3 XDva358;XDva358;\??\c:\windows\system32\XDva358.sys --> c:\windows\system32\XDva358.sys [?]
S3 XDva359;XDva359;\??\c:\windows\system32\XDva359.sys --> c:\windows\system32\XDva359.sys [?]
S3 XDva362;XDva362;\??\c:\windows\system32\XDva362.sys --> c:\windows\system32\XDva362.sys [?]
S3 XDva370;XDva370;\??\c:\windows\system32\XDva370.sys --> c:\windows\system32\XDva370.sys [?]
S3 XDva375;XDva375;\??\c:\windows\system32\XDva375.sys --> c:\windows\system32\XDva375.sys [?]
S3 XDva380;XDva380;\??\c:\windows\system32\XDva380.sys --> c:\windows\system32\XDva380.sys [?]
S3 XDva383;XDva383;\??\c:\windows\system32\XDva383.sys --> c:\windows\system32\XDva383.sys [?]
S3 XDva385;XDva385;\??\c:\windows\system32\XDva385.sys --> c:\windows\system32\XDva385.sys [?]
S3 XDva386;XDva386;\??\c:\windows\system32\XDva386.sys --> c:\windows\system32\XDva386.sys [?]
S3 XDva387;XDva387;\??\c:\windows\system32\XDva387.sys --> c:\windows\system32\XDva387.sys [?]
S3 XDva388;XDva388;\??\c:\windows\system32\XDva388.sys --> c:\windows\system32\XDva388.sys [?]
S3 XDva389;XDva389;\??\c:\windows\system32\XDva389.sys --> c:\windows\system32\XDva389.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-24 c:\windows\Tasks\AdobeAAMUpdater-1.0-JIMMAWAT-Administrator.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-05-31 07:44]
.
2011-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
.
2011-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
.
2011-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
.
2011-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
.
2009-11-09 c:\windows\Tasks\Test.job
- c:\windows\system32\ntbackup.exe [2004-08-04 01:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.orbitdownloader.com/
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z1748ax6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-24 21:45
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\131.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(980)
c:\windows\system32\vrlogon.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
.
- - - - - - - > 'explorer.exe'(544)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\msi.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-08-24 21:47:17
ComboFix-quarantined-files.txt 2011-08-25 01:47
ComboFix2.txt 2011-08-24 18:05
ComboFix3.txt 2011-08-24 03:56
.
Pre-Run: 25,843,576,832 bytes free
Post-Run: 25,816,621,056 bytes free
.
- - End Of File - - F38B6AFE497C01FB2BBA18D7FFAA4FF0
 
How is the computer doing at the moment?


1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box
  • Click OK
Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
FCopy::
c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2help.dll | c:\windows\system32\ws2help.dll


3. Save the above as CFScript.txt

4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
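The FCopy:: step above replaces the live ws2help.dll with the copy Windows Update had cached under SoftwareDistribution\Download. The reason that is a safe move is visible in the "Sigcheck" block ComboFix prints: the cache copy and the system32 copy are listed with their MD5, size and version, so a byte-identical cache copy is a clean replacement, while a differing hash only means something when both copies are the same version (here the cache holds the SP3 build 5.1.2600.5512 and the machine runs the SP2 build 5.1.2600.2180). The following Python script is an added example, not ComboFix's own code and not anything the helper posted: it parses those Sigcheck lines (the six from the second log in this thread are embedded as sample input), pairs each cache copy with its live copy, and reports whether the live file is identical, belongs to a different build, or has the same version but different bytes. The verdict labels ("identical", "version differs", "hash mismatch", "unpaired") are my own naming.

```python
"""Compare the Windows Update cache copy of a system file with the live copy
in system32, using the 'Sigcheck' lines that ComboFix prints.

Added example for this thread; it is not ComboFix code and not the helper's
script. It automates the decision behind the FCopy:: step: only copy a cached
file over the live one when the two are not already byte-identical, and only
treat a hash difference as suspicious when both copies claim the same version.
"""
import re
from collections import defaultdict

# Constructed input: the six Sigcheck lines copied from the second ComboFix
# log in this thread. ComboFix prints each entry as
#   [flag] date . MD5 . size . . [version] . . path
SAMPLE_SIGCHECK = r"""
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.2180] . . c:\windows\system32\user32.dll
[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll
[-] 2004-08-04 . B8452AB7BAF84D1D621776AF8000BBD4 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
[-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2help.dll
[-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\ws2help.dll
"""

# One Sigcheck line; anything that does not match this shape is ignored.
_LINE = re.compile(
    r"^\[(?P<flag>.)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

# Paths containing this fragment are the Windows Update download cache.
CACHE_MARKER = "\\softwaredistribution\\download\\"


def parse_sigcheck(text):
    """Return one dict (flag, date, md5, size, version, path, name) per line."""
    records = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["size"] = int(rec["size"])
        rec["md5"] = rec["md5"].upper()
        rec["path"] = rec["path"].lower()
        rec["name"] = rec["path"].rsplit("\\", 1)[-1]
        records.append(rec)
    return records


def pair_copies(records):
    """Group records by file name into {'cache': rec, 'live': rec}."""
    pairs = defaultdict(dict)
    for rec in records:
        role = "cache" if CACHE_MARKER in rec["path"] else "live"
        pairs[rec["name"]][role] = rec
    return dict(pairs)


def classify(pair):
    """Verdict for one file: compare bytes first, then explain a difference."""
    cache, live = pair.get("cache"), pair.get("live")
    if cache is None or live is None:
        return "unpaired"
    if cache["md5"] == live["md5"] and cache["size"] == live["size"]:
        return "identical"          # nothing to replace
    if cache["version"] != live["version"]:
        return "version differs"    # different build; hash alone proves nothing
    return "hash mismatch"          # same version, different bytes: suspect


def compare_sigcheck(text):
    """Map each file name found in the Sigcheck block to its verdict."""
    pairs = pair_copies(parse_sigcheck(text))
    return {name: classify(pair) for name, pair in sorted(pairs.items())}


if __name__ == "__main__":
    for name, verdict in compare_sigcheck(SAMPLE_SIGCHECK).items():
        print(f"{name:12} {verdict}")
```

On the sample, user32.dll and ws2help.dll come out "identical" (the FCopy has already happened in that log, and the two version strings ComboFix prints for user32.dll do not change the fact that the bytes match), while ws2_32.dll comes out "version differs": the cache holds an SP3 build that cannot be hashed against an SP2 file, so it is not evidence of tampering and not a candidate for FCopy either. A "hash mismatch" verdict, same version but different MD5, is the case that warrants replacing the live file.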
 
It's still asking me for the CD, and during the scans it asks me over and over if I don't want to restore the original, but I've just put it aside for now. Ran ComboFix again; here is the log:

ComboFix 11-08-23.06 - Administrator 08/24/2011 22:16:12.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2555.1794 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: H:\CFScript.txt
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2help.dll --> c:\windows\system32\ws2help.dll
.
((((((((((((((((((((((((( Files Created from 2011-07-25 to 2011-08-25 )))))))))))))))))))))))))))))))
.
.
2073-04-13 21:17 . 2006-11-22 00:48 203576 ---h--w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
2011-08-24 02:53 . 2010-02-24 12:31 454016 -c--a-w- c:\windows\system32\dllcache\mrxsmb.sys
2011-08-24 02:53 . 2010-02-24 12:31 454016 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-08-23 02:02 . 2011-08-23 02:02 -------- d-----w- c:\program files\Avira
2011-08-22 17:59 . 2011-08-22 17:59 -------- d-----w- c:\program files\Virus Secure Lab
2011-08-18 21:45 . 2011-08-18 21:45 -------- d-----w- c:\program files\Sophos
2011-08-18 04:28 . 2011-08-18 04:28 -------- d-----w- c:\program files\Foxit Software
2011-08-18 03:07 . 2011-08-23 03:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-08-18 03:07 . 2011-08-22 19:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-08-18 02:46 . 2011-08-22 20:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-18 02:46 . 2011-08-18 02:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-08-18 01:00 . 2011-08-18 01:00 -------- d-----w- c:\documents and settings\Administrator\Application Data\QuickScan
2011-08-18 00:30 . 2011-08-18 00:30 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-08-18 00:30 . 2011-08-18 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-08-18 00:17 . 2011-05-03 20:14 331776 ----a-w- c:\windows\system32\EasyRedirect.dll
2011-08-18 00:17 . 2011-08-18 02:11 -------- d-----w- c:\program files\Easy-Hide-IP
2011-08-17 16:37 . 2011-08-17 16:37 -------- d-----w- C:\CherryDeGames
2011-08-11 18:00 . 2011-08-11 20:07 -------- d-----w- c:\program files\InterActual
2011-08-07 23:13 . 2011-08-07 23:14 -------- d-----w- c:\program files\PCSX2 0.9.8
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-24 02:32 . 2004-08-04 01:07 138368 ----a-w- c:\windows\system32\drivers\afd.sys
2011-08-24 02:18 . 2004-08-04 01:07 52736 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-08-23 03:51 . 2004-08-04 01:07 35840 ----a-w- c:\windows\system32\drivers\isapnp.sys
2011-08-16 18:05 . 2011-06-15 08:14 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-06 23:52 . 2008-11-19 16:37 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-06 23:52 . 2008-11-19 16:37 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-09 21:16 . 2009-12-25 21:10 141200 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.exe
2011-06-09 21:15 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.xtr
2011-06-09 20:34 . 2009-12-25 21:10 281656 ----a-w- c:\windows\system32\PnkBstrB.ex0
2011-06-08 09:07 . 2011-06-13 12:17 201728 ----a-w- C:\zYan_ID_Changer.dll
2011-06-07 23:49 . 2011-06-07 23:49 138056 ----a-w- c:\documents and settings\Administrator\Application Data\PnkBstrK.sys
2011-06-07 23:48 . 2009-12-25 21:10 90112 ----a-w- c:\windows\system32\PnkBstrA.exe
2011-06-02 07:36 . 2011-06-13 12:17 27648 ----a-w- C:\zYan_X.dll
2011-04-30 15:16 . 2011-03-27 19:12 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\user32.dll
[-] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.2180] . . c:\windows\system32\user32.dll
.
[-] 2008-04-14 . 2CCC474EB85CEAA3E1FA1726580A3E5A . 82432 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2_32.dll
[-] 2004-08-04 . B8452AB7BAF84D1D621776AF8000BBD4 . 82944 . . [5.1.2600.2180] . . c:\windows\system32\ws2_32.dll
.
[-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ws2help.dll
[-] 2008-04-14 . 9789E95E1D88EEB4B922BF3EA7779C28 . 19968 . . [5.1.2600.5512] . . c:\windows\system32\ws2help.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-08-24_03.51.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-08-24 18:01 . 2011-08-24 18:01 16384 c:\windows\Temp\Perflib_Perfdata_69c.dat
+ 2011-08-24 18:01 . 2011-08-24 18:01 16384 c:\windows\Temp\Perflib_Perfdata_2b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-09-10 19:35 2957312 ---ha-w- c:\program files\Protector Suite QL\farchns.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-09-02 13351304]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"BisonHK"="c:\windows\BisonCam\BisonHK.exe" [2008-03-25 77824]
"DeLay"="c:\windows\BisonCam\DeLay.exe" [2008-03-11 53248]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2008-03-26 1208320]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 1024000]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-06-06 49168]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-07-08 1753192]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-07-09 13923432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-07-09 110696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Shortcut to kevin.lnk - c:\documents and settings\Administrator\Desktop\Bypass\kevin.exe [2008-10-1 439191]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2008-10-1 1843000]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-06-06 03:03 90112 ----a-w- c:\windows\system32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\alaplaya\\S4League\\patcher_s4.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"58176:TCP"= 58176:TCP:pando Media Booster
"58176:UDP"= 58176:UDP:pando Media Booster
"58417:TCP"= 58417:TCP:pando Media Booster
"58417:UDP"= 58417:UDP:pando Media Booster
"58356:TCP"= 58356:TCP:pando Media Booster
"58356:UDP"= 58356:UDP:pando Media Booster
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/8/2009 10:44 AM 721904]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/3/2004 9:07 PM 14336]
R2 Htsysm;Htsysm;c:\windows\system32\HtsysmNT.sys [3/22/2011 4:16 PM 2304]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [10/1/2008 10:23 PM 84240]
R3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [12/23/2009 3:04 PM 17792]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
S2 HDD & SSD access service;HDD & SSD access service;"c:\program files\Common Files\BinarySense\disksvc.exe" --> c:\program files\Common Files\BinarySense\disksvc.exe [?]
S3 1394hub;1394 Enabled Hub;c:\windows\system32\svchost.exe -k netsvcs [8/3/2004 9:07 PM 14336]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/6/2011 6:58 PM 135664]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\131.tmp --> c:\windows\system32\131.tmp [?]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [4/1/2010 5:55 PM 133632]
S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [4/1/2010 5:55 PM 79360]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/31/2009 9:15 PM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/31/2009 9:15 PM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [8/31/2009 9:15 PM 42112]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 XDva285;XDva285;\??\c:\windows\system32\XDva285.sys --> c:\windows\system32\XDva285.sys [?]
S3 XDva296;XDva296;\??\c:\windows\system32\XDva296.sys --> c:\windows\system32\XDva296.sys [?]
S3 XDva326;XDva326;\??\c:\windows\system32\XDva326.sys --> c:\windows\system32\XDva326.sys [?]
S3 XDva328;XDva328;\??\c:\windows\system32\XDva328.sys --> c:\windows\system32\XDva328.sys [?]
S3 XDva332;XDva332;\??\c:\windows\system32\XDva332.sys --> c:\windows\system32\XDva332.sys [?]
S3 XDva337;XDva337;\??\c:\windows\system32\XDva337.sys --> c:\windows\system32\XDva337.sys [?]
S3 XDva341;XDva341;\??\c:\windows\system32\XDva341.sys --> c:\windows\system32\XDva341.sys [?]
S3 XDva343;XDva343;\??\c:\windows\system32\XDva343.sys --> c:\windows\system32\XDva343.sys [?]
S3 XDva346;XDva346;\??\c:\windows\system32\XDva346.sys --> c:\windows\system32\XDva346.sys [?]
S3 XDva347;XDva347;\??\c:\windows\system32\XDva347.sys --> c:\windows\system32\XDva347.sys [?]
S3 XDva349;XDva349;\??\c:\windows\system32\XDva349.sys --> c:\windows\system32\XDva349.sys [?]
S3 XDva351;XDva351;\??\c:\windows\system32\XDva351.sys --> c:\windows\system32\XDva351.sys [?]
S3 XDva352;XDva352;\??\c:\windows\system32\XDva352.sys --> c:\windows\system32\XDva352.sys [?]
S3 XDva354;XDva354;\??\c:\windows\system32\XDva354.sys --> c:\windows\system32\XDva354.sys [?]
S3 XDva358;XDva358;\??\c:\windows\system32\XDva358.sys --> c:\windows\system32\XDva358.sys [?]
S3 XDva359;XDva359;\??\c:\windows\system32\XDva359.sys --> c:\windows\system32\XDva359.sys [?]
S3 XDva362;XDva362;\??\c:\windows\system32\XDva362.sys --> c:\windows\system32\XDva362.sys [?]
S3 XDva370;XDva370;\??\c:\windows\system32\XDva370.sys --> c:\windows\system32\XDva370.sys [?]
S3 XDva375;XDva375;\??\c:\windows\system32\XDva375.sys --> c:\windows\system32\XDva375.sys [?]
S3 XDva380;XDva380;\??\c:\windows\system32\XDva380.sys --> c:\windows\system32\XDva380.sys [?]
S3 XDva383;XDva383;\??\c:\windows\system32\XDva383.sys --> c:\windows\system32\XDva383.sys [?]
S3 XDva385;XDva385;\??\c:\windows\system32\XDva385.sys --> c:\windows\system32\XDva385.sys [?]
S3 XDva386;XDva386;\??\c:\windows\system32\XDva386.sys --> c:\windows\system32\XDva386.sys [?]
S3 XDva387;XDva387;\??\c:\windows\system32\XDva387.sys --> c:\windows\system32\XDva387.sys [?]
S3 XDva388;XDva388;\??\c:\windows\system32\XDva388.sys --> c:\windows\system32\XDva388.sys [?]
S3 XDva389;XDva389;\??\c:\windows\system32\XDva389.sys --> c:\windows\system32\XDva389.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-24 c:\windows\Tasks\AdobeAAMUpdater-1.0-JIMMAWAT-Administrator.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-05-31 07:44]
.
2011-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
.
2011-08-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-06-06 22:58]
.
2011-08-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500Core.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
.
2011-08-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1767777339-725345543-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-14 18:46]
.
2009-11-09 c:\windows\Tasks\Test.job
- c:\windows\system32\ntbackup.exe [2004-08-04 01:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.orbitdownloader.com/
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z1748ax6.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-24 22:19
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\131.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(980)
c:\windows\system32\vrlogon.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll
.
- - - - - - - > 'explorer.exe'(1248)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\msi.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-08-24 22:21:07
ComboFix-quarantined-files.txt 2011-08-25 02:21
ComboFix2.txt 2011-08-25 01:47
ComboFix3.txt 2011-08-24 18:05
ComboFix4.txt 2011-08-24 03:56
.
Pre-Run: 25,836,244,992 bytes free
Post-Run: 25,811,058,688 bytes free
.
- - End Of File - - AE40CCC8FA4566C0E2E72DDD86A7D941