Solved Dell Dimension 4600, Netgear WNA3100 WiFi with Malware

gluttony

Thank you in advance for all the help with these vexing problems!

SYMPTOMS:
Google searches redirect to false searches. Pop-ups from cr0zybanner, for instance. Whitesmoke app downloaded to desktop and startup. WNA3100.exe will not load and I cannot get on Internet. fastprox.dll would not copy during Windows XP Repair Install.

BACK STORY, ATTEMPTS TO FIX:
While I was browsing the Internet (mangafox.com if memory serves), IE8 froze. After it started working again, Google searches redirected to false searches and I received pop-ups from cr0zybanner, for example. I quickly attempted a system restore operation, which went through but did not solve the problem. I attempted a restore in safe mode with command prompt which generated the following error: "System restore is not able to protect your computer. Please restart your computer, and then try system restore again." I found a post on this forum with similar symptoms, so I thought a post was in order. However, I found prep instructions at www.techspot.com/vb/topic109461.html. Following these instructions, I downloaded and ran Avira Antivir, Comodo, ATF-Cleaner, Malwarebytes Anti-Malware and SuperAntiSpyware. Here's where it gets interesting. After rebooting, Comodo does not recognize WNA3100.exe and says it is trying to alter "protected registry key HKLM\SYSTEM\ControlSet???\Services\WSWNA3100". WNA3100.exe will not load whether I allow or block and I can't get on the Internet. I've tried to reinstall WNA3100.exe, but I do not have the permissions. I also tried to perform a Windows XP Repair Install to no avail. During this process, fastprox.dll would not copy. So I used a friend's computer to download HiJackThis in an attempt to continue the instructions. However, now I see the updated prep instructions for prep with GMER and DDS. I will run those tonight. In the meantime, I have all the logs from Avira Antivir, Comodo, ATF-Cleaner, Malwarebytes Anti-Malware, SuperAntiSpyware and HJT.

QUESTIONS:
How should I proceed? Should I post the logs I have? Since I am using a friend's computer to post, is it safe to transfer the logs via USB stick? What's the best way to post the logs?

Apologies for the long post, but I wanted to be sure you knew the circumstances around my potentially disruptive attempts at correcting my computer's issues. Many Thanks!
 
Welcome aboard


Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=======================================================================

Since I am using a friend's computer to post, is it safe to transfer the logs via USB stick?
Very smart question :)
Do this on your friend's computer...

Download, and run Flash Disinfector, and save it to your desktop (Windows Vista and Windows 7 users, scroll down)

*Please disable any AV / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it. Hence, the failure in executing. You can enable them back after the cleaning process*

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Windows Vista and Windows 7 users
Flash Disinfector is not compatible with the above Windows versions.
Please, use Panda USB Vaccine


Then....

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure you PASTE all logs. If some log exceeds the 50,000-character post limit, split it between a couple of replies.
Attached logs won't be reviewed.
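The note above explains the trick Flash Disinfector relies on: an autorun.inf *file* in a drive root can launch a payload when the stick is plugged in, while a *folder* of that name stops malware from planting its own. The following is an added example, not Flash Disinfector's code, that checks a drive root (any directory path will do, so it can be exercised on a scratch folder) and applies the same guard; it does not set the hidden attribute, and the autorun.inf content it writes is a constructed sample.

```python
import tempfile
from pathlib import Path

# Directives inside an autorun.inf that make Windows XP launch something on insert.
LAUNCH_KEYS = ("open=", "shellexecute=", "shell\\")


def inspect_root(root: str) -> dict:
    """Classify the autorun.inf entry in a drive root.

    state is 'absent', 'guard' (a folder, as Flash Disinfector leaves it) or
    'file' (an actual autorun script); launch_lines lists its launch directives.
    """
    entry = Path(root) / "autorun.inf"
    if not entry.exists():
        return {"state": "absent", "launch_lines": []}
    if entry.is_dir():
        return {"state": "guard", "launch_lines": []}
    text = entry.read_text(errors="replace")
    launch = [ln.strip() for ln in text.splitlines()
              if ln.strip().lower().startswith(LAUNCH_KEYS)]
    return {"state": "file", "launch_lines": launch}


def apply_guard(root: str) -> str:
    """Turn autorun.inf into a folder so malware cannot plant its own file there.

    An existing autorun.inf file is renamed aside rather than deleted, so the
    helper reviewing the machine can still look at it.
    """
    entry = Path(root) / "autorun.inf"
    if entry.is_dir():
        return "already guarded"
    if entry.exists():
        entry.replace(entry.with_name("autorun.inf.quarantined"))
        outcome = "quarantined existing file"
    else:
        outcome = "created"
    entry.mkdir()
    return outcome


def demo_in_scratch_dir() -> tuple:
    """Walk a scratch directory (standing in for a USB root) through every state.

    The autorun.inf written here is a constructed sample, not one from the thread.
    """
    with tempfile.TemporaryDirectory() as scratch:
        states = [inspect_root(scratch)["state"]]
        (Path(scratch) / "autorun.inf").write_text(
            "[autorun]\nopen=setup.exe\nicon=setup.exe\n")
        found = inspect_root(scratch)
        states.append(found["state"])
        states.append(apply_guard(scratch))
        states.append(inspect_root(scratch)["state"])
        states.append(apply_guard(scratch))
    return states, found["launch_lines"]


if __name__ == "__main__":
    print(demo_in_scratch_dir())
```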
 
Logs

Hello Broni. Thanks for taking on this project... now let's annihilate some malware!

I tried to follow your instructions to the letter, but ran into some computer behavioral problems detailed below:

1) Flash Disinfector would not run on the infected computer. After clicking it multiple times, "WinRAR self-extracting archive" windows popped up with the following messages: Cannot create nircmd.exe, Cannot create pv.exe, Cannot create Flash_Disinfector.exe. Also, Flash Disinfector behaved a little strangely on my friend's clean computer. After double-clicking, I was asked to insert the drive. Inserted the drive, screen went blank, screen returned, but I never got an option to "exit the program". Ran it a second time and got a dialogue box saying it had finished. Please advise as to whether I've inadvertently infected my friend's PC.

2) Avira scan said it found nothing but the log would not save, saying I could not access the drive. I worked around by pasting the contents of the .txt file into a new notepad file and saving. Also, after the scan, I got the following message: Avira Guard: Malware found 'TR/Dropper.Gen was found in file 'C:\Program Files\Common Files\... \0000NAV~.TMP'

3) GMER would not run, giving me the following message: LoadDriver( "C:\DOCUME~1\SAMUEL~1.SAU\LOCALS~1\Temp\fxliqpow.sys") error 0x0000022: Access is denied. I worked around it by running GMER in Safe Mode.

4) At the end of the DDS run I got the following error on top of the logs: Windows Script Host Can Not find script file "C:\Documents and Settings\User Name\Local Settings\Temp\MSGB.PIF"

That just about does it. So without further ado, here are the logs:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

12/7/2010 9:59:13 PM
mbam-log-2010-12-07 (21-59-13).txt

Scan type: Quick scan
Objects scanned: 143542
Time elapsed: 12 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-12-07 22:31:28
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST340014A rev.3.16
Running: r86rzteq.exe; Driver: C:\DOCUME~1\SAMUEL~1.SAU\LOCALS~1\Temp\fxliqpow.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 78124744 (+255): rootkit-like behavior;

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 82F30292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 82F30292
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 82F30292
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST340014A_______________________________3.16____#4a33375857534245202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----



DDS (Ver_10-12-05.01) - NTFSx86
Run by Samuel M. Saunders at 22:52:50.54 on Tue 12/07/2010
Internet Explorer: 6.0.2900.5512

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: Web assistant: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [CLRHost] c:\blp\api\office~1\bbxlcmd.exe
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [EPSON Stylus NX400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiega.exe /fu "c:\windows\temp\E_SE1.tmp" /EF "HKCU"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [URLLSTCK.exe] c:\program files\norton internet security\UrlLstCk.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\program files\whitesmoke translator\WSTrayDictMode.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wna3100\WNA3100.exe
mPolicies-system: DisableCAD = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=67633
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1095036083890
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156591399140
DPF: {6F750200-1362-4815-A476-88533DE61D0C} - hxxp://adobe.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38128.5721643519
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://sigremote.com/dana-cached/setup/JuniperSetupSP1.cab
TCP: {9210EE3C-4238-4ADD-A7BC-EAC1DB945ED7} = 156.154.70.22,156.154.71.22
TCP: {ABCCC484-D4E5-441D-84AE-52ADC2261EF3} = 156.154.70.22,156.154.71.22
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 91.212.127.226 osguardpro.microsoft.com
Hosts: 91.212.127.226 os-guardpro.com
Hosts: 91.212.127.226 www.os-guardpro.com

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-12-06 21:29:27 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-12-06 21:29:27 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-12-06 21:29:20 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-12-06 21:29:20 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-12-06 21:13:56 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-12-06 21:13:53 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-12-06 21:13:51 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-12-06 21:13:48 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-12-06 21:13:32 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-12-06 21:13:00 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-12-06 21:12:54 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-12-06 21:12:48 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-12-06 21:12:28 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-12-06 21:12:26 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-12-06 21:12:22 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-12-06 21:12:12 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2010-12-06 21:12:07 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2010-12-06 21:12:04 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-12-06 21:12:03 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
2010-12-06 21:12:02 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
2010-12-06 21:10:58 765884 -c--a-w- c:\windows\system32\dllcache\usrti.sys
2010-12-06 21:09:59 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
2010-12-06 21:08:56 230912 -c--a-w- c:\windows\system32\dllcache\tosdvd03.sys
2010-12-06 21:07:58 103936 -c--a-w- c:\windows\system32\dllcache\sx.sys
2010-12-06 21:06:57 37040 -c--a-w- c:\windows\system32\dllcache\sonypi.sys
2010-12-06 21:05:54 63547 -c--a-w- c:\windows\system32\dllcache\sla30nd5.sys
2010-12-06 21:04:59 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2010-12-06 21:03:57 179264 -c--a-w- c:\windows\system32\dllcache\s3sav3d.dll
2010-12-06 21:02:54 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2010-12-06 21:01:59 121344 -c--a-w- c:\windows\system32\dllcache\phvfwext.dll
2010-12-06 21:00:57 20480 -c--a-w- c:\windows\system32\dllcache\ovcomc.dll
2010-12-06 21:00:54 351616 -c--a-w- c:\windows\system32\dllcache\ovcodek2.sys
2010-12-06 21:00:51 116736 -c--a-w- c:\windows\system32\dllcache\ovcodec2.dll
2010-12-06 21:00:49 31872 -c--a-w- c:\windows\system32\dllcache\ovce.sys
2010-12-06 21:00:46 28032 -c--a-w- c:\windows\system32\dllcache\ovcd.sys
2010-12-06 21:00:43 48000 -c--a-w- c:\windows\system32\dllcache\ovcam2.sys
2010-12-06 21:00:40 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2010-12-06 21:00:38 54186 -c--a-w- c:\windows\system32\dllcache\otcsercb.sys
2010-12-06 21:00:35 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
2010-12-06 21:00:32 27209 -c--a-w- c:\windows\system32\dllcache\otc06x5.sys
2010-12-06 21:00:29 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
2010-12-06 21:00:25 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
2010-12-06 21:00:02 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2010-12-06 20:58:57 59104 -c--a-w- c:\windows\system32\dllcache\n9i128v2.dll
2010-12-06 20:57:56 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-12-06 20:57:54 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2010-12-06 20:57:53 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-12-06 20:57:43 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2010-12-06 20:57:40 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2010-12-06 20:57:19 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-12-06 20:57:09 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2010-12-06 20:57:08 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe
2010-12-06 20:57:07 34304 -c--a-w- c:\windows\system32\dllcache\migisol.exe
2010-12-06 20:57:03 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2010-12-06 20:57:01 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
2010-12-06 20:57:00 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
2010-12-06 20:57:00 92032 -c--a-w- c:\windows\system32\dllcache\mga.dll
2010-12-06 20:55:58 26442 -c--a-w- c:\windows\system32\dllcache\lanepic5.sys
2010-12-06 20:54:59 35328 -c--a-w- c:\windows\system32\dllcache\iprip.dll
2010-12-06 20:53:58 38528 -c--a-w- c:\windows\system32\dllcache\ibmvcap.sys
2010-12-06 20:52:59 150239 -c--a-w- c:\windows\system32\dllcache\hsf_amos.sys
2010-12-06 20:51:57 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2010-12-06 20:50:58 7040 -c--a-w- c:\windows\system32\dllcache\exabyte2.sys
2010-12-06 20:49:59 241206 -c--a-w- c:\windows\system32\dllcache\el656se5.sys
2010-12-06 20:48:59 103044 -c--a-w- c:\windows\system32\dllcache\digidxb.sys
2010-12-06 20:47:59 10240 -c--a-w- c:\windows\system32\dllcache\compbatt.sys
2010-12-06 20:46:53 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2010-12-06 20:45:58 96128 -c--a-w- c:\windows\system32\dllcache\ati.dll
2010-12-06 20:44:57 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2010-12-06 19:25:47 388096 ----a-r- c:\docume~1\samuel~1.sau\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2010-12-06 19:25:46 -------- d-----w- c:\program files\Trend Micro
2010-12-05 01:25:28 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-12-05 01:25:28 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-12-05 01:25:28 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-12-05 01:25:28 13312 ----a-w- c:\windows\system32\irclass.dll
2010-12-04 17:04:49 -------- d-----w- c:\windows\Dell
2010-11-30 08:12:57 -------- d-----w- c:\windows\java
2010-11-30 05:12:37 348160 ----a-w- c:\windows\system32\msvc5364.rra
2010-11-29 20:55:53 -------- d-----w- c:\docume~1\samuel~1.sau\applic~1\Avira
2010-11-28 06:35:22 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-11-28 06:35:22 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-28 06:33:36 -------- d-----w- c:\program files\iTunes
2010-11-24 23:26:11 -------- d-----w- c:\program files\iTunes(3)

==================== Find3M ====================

2010-09-11 07:41:40 285480 ----a-w- c:\windows\system32\guard32.dll
2009-08-13 15:11:17 17260 ----a-w- c:\program files\common files\malyle.bin

============= FINISH: 22:55:02.26 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-05.01)


==== Disk Partitions =========================


==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe® Photoshop® Album Starter Edition 3.0
Adobe® Photoshop® Album Starter Edition 3.0.1
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
Banctec Service Agreement
Bonjour
BUM
Business Contact Manager for Outlook 2003
CC_ccProxyMSI
CC_ccStart
ccCommon
COMODO Internet Security
Compatibility Pack for the 2007 Office system
Conexant D850 56K V.9x DFVc Modem
Dell Networking Guide
Digital Line Detect
EPSON Scan
EPSON Stylus NX400 Series Printer Uninstall
Google Earth Plug-in
Google Update Helper
Help and Support Customization
HiJackThis
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
Internet Explorer Default Page
iTunes
Java 2 Runtime Environment, SE v1.4.2
KODAK EASYSHARE Gallery Easy Upload, v2.0
KODAK EASYSHARE Gallery Upload ActiveX Control
LiveReg (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft ActiveSync 4.0
Microsoft Data Access Components KB870669
Microsoft Office Small Business Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Modem Helper
MSRedist
NETGEAR WNA3100 wireless USB 2.0 adapter
NetWaiting
Norton AntiSpam
Norton AntiVirus
Norton Internet Security
Norton Internet Security (Symantec Corporation)
NVIDIA Windows 2000/XP Display Drivers
OGA Notifier 2.0.0048.0
Panda ActiveScan 2.0
QuickTime
RealPlayer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
SUPERAntiSpyware
Symantec Script Blocking Installer
TD AMERITRADE StrategyDesk 3.4
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WebFldrs XP
Whitesmoke Translator
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 11

==== End Of File ===========================
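Two lines in the logs above carry the whole story: GMER flags sector 0 (the MBR) as TDL4, which is why a file-level quick scan like the Malwarebytes one came back clean, and DDS shows three vendor-looking hostnames forced to one public address in the hosts file. The following is an added example, not part of the thread or of the DDS/GMER tools, that parses those two log sections and pulls out exactly those findings; SAMPLE_LOG is a constructed excerpt copied from the logs posted above, with one ordinary "127.0.0.1 localhost" line added to show what is not flagged.

```python
"""Triage helper for GMER 'Disk sectors' and DDS 'Hosts:' lines."""
import ipaddress
import re

# Constructed sample: relevant lines copied from the GMER and DDS logs above,
# plus a normal loopback hosts entry that must not be reported.
SAMPLE_LOG = """\
---- Disk sectors - GMER 1.0.15 ----

Disk \\Device\\Harddisk0\\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \\Device\\Harddisk0\\DR0 sector 10: rootkit-like behavior;
Disk \\Device\\Harddisk0\\DR0 sector 63: rootkit-like behavior;
Disk \\Device\\Harddisk0\\DR0 sectors 78124744 (+255): rootkit-like behavior;

============== Pseudo HJT Report ===============

Hosts: 127.0.0.1 localhost
Hosts: 91.212.127.226 osguardpro.microsoft.com
Hosts: 91.212.127.226 os-guardpro.com
Hosts: 91.212.127.226 www.os-guardpro.com
"""

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)\s*$", re.M)
SECTOR_RE = re.compile(
    r"^Disk\s+(\S+)\s+sectors?\s+(\d+)(?:\s+\(\+(\d+)\))?(?:\s+\(MBR\))?:\s*(.*?)\s*$",
    re.M,
)
ROOTKIT_NAME_RE = re.compile(r"(\S+)\s+<--\s+ROOTKIT")


def suspicious_hosts(log: str) -> list:
    """Return hosts-file entries that steer a name to a non-loopback address.

    A stock XP hosts file maps names only to 127.0.0.1; an entry sending a
    vendor domain to a public address is the rogue-AV redirect seen here.
    """
    findings = []
    for ip_text, name in HOSTS_RE.findall(log):
        try:
            addr = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append({"ip": ip_text, "host": name, "reason": "unparsable address"})
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        findings.append({"ip": ip_text, "host": name, "reason": "name redirected off-host"})
    return findings


def gmer_sector_findings(log: str) -> list:
    """Parse GMER disk-sector lines; a named hit on sector 0 means the MBR is owned."""
    findings = []
    for device, sector, span, note in SECTOR_RE.findall(log):
        named = ROOTKIT_NAME_RE.search(note)
        findings.append({
            "device": device,
            "sector": int(sector),
            "span": int(span) if span else 1,
            "mbr": int(sector) == 0,
            "note": note,
            "name": named.group(1) if named else None,
        })
    return findings


def triage(log: str) -> dict:
    """Summarise what a helper would act on first."""
    sectors = gmer_sector_findings(log)
    hosts = suspicious_hosts(log)
    mbr_names = [s["name"] for s in sectors if s["mbr"] and s["name"]]
    return {
        "mbr_rootkit": mbr_names[0] if mbr_names else None,
        "sector_hits": len(sectors),
        "hosts_redirects": hosts,
        "redirect_targets": sorted({h["ip"] for h in hosts}),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```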
 
Flash Disinfector would not run on the infected computer
I thought I clearly said to install it on the GOOD (your friend's) computer to avoid it being infected through the USB stick.

======================================================================

Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

======================================================================

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.
 
2010/12/10 12:36:40.0328 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40
2010/12/10 12:36:40.0328 ================================================================================
2010/12/10 12:36:40.0328 SystemInfo:
2010/12/10 12:36:40.0328
2010/12/10 12:36:40.0328 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/10 12:36:40.0328 Product type: Workstation
2010/12/10 12:36:40.0328 ComputerName: GLUTTONY
2010/12/10 12:36:40.0328 UserName: Samuel M. Saunders
2010/12/10 12:36:40.0328 Windows directory: C:\WINDOWS
2010/12/10 12:36:40.0328 System windows directory: C:\WINDOWS
2010/12/10 12:36:40.0328 Processor architecture: Intel x86
2010/12/10 12:36:40.0328 Number of processors: 1
2010/12/10 12:36:40.0328 Page size: 0x1000
2010/12/10 12:36:40.0328 Boot type: Normal boot
2010/12/10 12:36:40.0328 ================================================================================
2010/12/10 12:36:40.0937 Initialize success
2010/12/10 12:36:49.0609 ================================================================================
2010/12/10 12:36:49.0609 Scan started
2010/12/10 12:36:49.0609 Mode: Manual;
2010/12/10 12:36:49.0609 ================================================================================
2010/12/10 12:37:00.0843 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/12/10 12:37:00.0984 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\System32\DRIVERS\i2omp.sys
2010/12/10 12:37:01.0156 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/10 12:37:01.0296 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
2010/12/10 12:37:01.0468 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
2010/12/10 12:37:01.0625 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
2010/12/10 12:37:01.0750 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
2010/12/10 12:37:01.0890 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
2010/12/10 12:37:02.0015 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
2010/12/10 12:37:02.0187 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
2010/12/10 12:37:02.0312 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
2010/12/10 12:37:02.0531 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
2010/12/10 12:37:02.0656 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
2010/12/10 12:37:02.0843 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/10 12:37:03.0015 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\System32\DRIVERS\ini910u.sys
2010/12/10 12:37:03.0140 Inspect (343ac4733c1e8b7ab6454178e4fcd4ad) C:\WINDOWS\system32\DRIVERS\inspect.sys
2010/12/10 12:37:03.0312 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\System32\DRIVERS\intelide.sys
2010/12/10 12:37:03.0484 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/10 12:37:03.0625 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/12/10 12:37:03.0781 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/10 12:37:03.0921 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/10 12:37:04.0046 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/10 12:37:04.0234 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/10 12:37:04.0406 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/10 12:37:04.0546 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/10 12:37:04.0687 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/10 12:37:04.0859 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/10 12:37:05.0015 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/10 12:37:05.0250 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/12/10 12:37:05.0421 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/10 12:37:05.0593 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/10 12:37:05.0718 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2010/12/10 12:37:05.0859 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
2010/12/10 12:37:06.0000 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/10 12:37:06.0140 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/10 12:37:06.0281 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\System32\DRIVERS\mraid35x.sys
2010/12/10 12:37:06.0421 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/10 12:37:06.0593 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/10 12:37:06.0765 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/10 12:37:06.0890 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/10 12:37:07.0000 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/10 12:37:07.0125 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/10 12:37:07.0312 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/10 12:37:07.0468 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/10 12:37:07.0687 NAVENG (33f1e35e6d090b6cea1f5f5f4d79fcbb) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040809.037\NAVENG.Sys
2010/12/10 12:37:07.0921 NAVEX15 (db4e799a537535499394a530f1c3a872) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20040809.037\NavEx15.Sys
2010/12/10 12:37:08.0078 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/10 12:37:08.0203 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/10 12:37:08.0390 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/10 12:37:08.0562 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/10 12:37:08.0718 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/10 12:37:08.0875 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/10 12:37:09.0015 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/10 12:37:09.0250 NPF (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\DRIVERS\npf.sys
2010/12/10 12:37:09.0421 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/10 12:37:09.0578 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/10 12:37:09.0765 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/10 12:37:09.0953 nv (66c90afbf0d10a93789f6544be459e72) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/12/10 12:37:10.0171 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/10 12:37:10.0312 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/10 12:37:10.0484 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
2010/12/10 12:37:10.0656 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
2010/12/10 12:37:10.0828 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/12/10 12:37:11.0046 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/10 12:37:11.0171 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/10 12:37:11.0312 pavboot (3adb8bd6154a3ef87496e8fce9c22493) C:\WINDOWS\system32\drivers\pavboot.sys
2010/12/10 12:37:11.0437 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/10 12:37:11.0640 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/10 12:37:11.0765 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/12/10 12:37:12.0171 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\System32\DRIVERS\perc2.sys
2010/12/10 12:37:12.0328 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\System32\DRIVERS\perc2hib.sys
2010/12/10 12:37:12.0546 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/10 12:37:12.0718 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/12/10 12:37:12.0906 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/10 12:37:13.0031 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/10 12:37:13.0171 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\System32\DRIVERS\ql1080.sys
2010/12/10 12:37:13.0312 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\System32\DRIVERS\ql10wnt.sys
2010/12/10 12:37:13.0484 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\System32\DRIVERS\ql12160.sys
2010/12/10 12:37:13.0625 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\System32\DRIVERS\ql1240.sys
2010/12/10 12:37:13.0781 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\System32\DRIVERS\ql1280.sys
2010/12/10 12:37:13.0953 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/10 12:37:14.0078 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/10 12:37:14.0250 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/10 12:37:14.0406 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/10 12:37:14.0593 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/10 12:37:14.0734 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/10 12:37:14.0875 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/12/10 12:37:15.0109 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/10 12:37:15.0296 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/10 12:37:15.0578 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/12/10 12:37:15.0812 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2010/12/10 12:37:16.0015 SAVRT (7a1dcba368dacb5ca41e40f97f43aaa8) C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRT.SYS
2010/12/10 12:37:16.0140 SAVRTPEL (395df1ccad06b8d47f2d78c2d78f4cd5) C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRTPEL.SYS
2010/12/10 12:37:16.0343 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/10 12:37:16.0546 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/12/10 12:37:16.0718 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/12/10 12:37:16.0906 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/10 12:37:17.0109 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\System32\DRIVERS\sisagp.sys
2010/12/10 12:37:17.0281 smwdm (5018a9db5eb62e3edb3110f82f556285) C:\WINDOWS\system32\drivers\smwdm.sys
2010/12/10 12:37:17.0484 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\System32\DRIVERS\sparrow.sys
2010/12/10 12:37:17.0625 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/10 12:37:17.0765 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/10 12:37:17.0921 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/10 12:37:18.0062 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2010/12/10 12:37:18.0265 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/10 12:37:18.0406 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/10 12:37:18.0562 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\System32\DRIVERS\symc810.sys
2010/12/10 12:37:18.0734 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\System32\DRIVERS\symc8xx.sys
2010/12/10 12:37:18.0875 SYMDNS (2287d8411157815dd202a4f133ae482d) C:\WINDOWS\System32\Drivers\SYMDNS.SYS
2010/12/10 12:37:19.0031 SymEvent (05d9613efe7809e384c10da26958dfa4) C:\Program Files\Symantec\SYMEVENT.SYS
2010/12/10 12:37:19.0171 SYMFW (11e32c865f1dfe7c0986900ec7aeb4b8) C:\WINDOWS\System32\Drivers\SYMFW.SYS
2010/12/10 12:37:19.0312 SYMIDS (157e49ab4f9ccce37361b28ac25096a9) C:\WINDOWS\System32\Drivers\SYMIDS.SYS
2010/12/10 12:37:19.0453 SYMIDSCO (e9fb63f2fcf05c452dde7280790f37f7) C:\WINDOWS\System32\Drivers\SYMIDSCO.SYS
2010/12/10 12:37:19.0640 SYMNDIS (ef3ad6fc8a1ef592e4e6409a4b4f4c3a) C:\WINDOWS\System32\Drivers\SYMNDIS.SYS
2010/12/10 12:37:19.0781 SYMREDRV (121448e97995a6828422cd897c5c7456) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2010/12/10 12:37:19.0937 SYMTDI (42bc4d0917737debe50df861fe8cdcb9) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2010/12/10 12:37:20.0093 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\System32\DRIVERS\sym_hi.sys
2010/12/10 12:37:20.0250 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\System32\DRIVERS\sym_u3.sys
2010/12/10 12:37:20.0406 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/10 12:37:20.0640 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/10 12:37:20.0859 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/10 12:37:21.0015 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/10 12:37:21.0125 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/10 12:37:21.0281 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\System32\DRIVERS\toside.sys
2010/12/10 12:37:21.0421 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/10 12:37:21.0578 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\System32\DRIVERS\ultra.sys
2010/12/10 12:37:21.0734 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/10 12:37:21.0937 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/12/10 12:37:22.0140 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/12/10 12:37:22.0312 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/10 12:37:22.0453 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/10 12:37:22.0625 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/12/10 12:37:22.0765 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/12/10 12:37:22.0875 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/10 12:37:23.0031 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/10 12:37:23.0125 usb_rndisx (b6cc50279d6cd28e090a5d33244adc9a) C:\WINDOWS\system32\DRIVERS\usb8023x.sys
2010/12/10 12:37:23.0265 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/12/10 12:37:23.0406 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\System32\DRIVERS\viaagp.sys
2010/12/10 12:37:23.0593 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\System32\DRIVERS\viaide.sys
2010/12/10 12:37:23.0796 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/10 12:37:23.0968 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/10 12:37:24.0171 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2010/12/10 12:37:24.0453 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/10 12:37:24.0687 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/12/10 12:37:25.0062 WpdUsb (c1b3d9d75c3fb735f5fa3a5806aded57) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2010/12/10 12:37:25.0265 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/12/10 12:37:25.0406 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/12/10 12:37:25.0593 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/10 12:37:25.0843 ================================================================================
2010/12/10 12:37:25.0843 Scan finished
2010/12/10 12:37:25.0843 ================================================================================
2010/12/10 12:37:25.0875 Detected object count: 1
2010/12/10 12:37:36.0500 \HardDisk0 - will be cured after reboot
2010/12/10 12:37:36.0515 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/12/10 12:38:06.0671 Deinitialize success


MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000001d

Kernel Drivers (total 139):

Processes (total 48):

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00 (NTFS)

PhysicalDrive0 Model Number: ST340014A, Rev: 3.16

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
 
Good job :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
Use AVG Remover to uninstall it: http://www.avg.com/us-en/download-tools
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete the Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

Rkill.com
Rkill.scr
Rkill.pif
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Thanks Broni. I cannot follow the above instructions exactly. I do not have Internet access, so I can't download directly to desktop. Will a copy from USB to desktop work?
 
Hi Broni. I hope you had a wonderful weekend. FYI:

1) ComboFix wouldn't run in Normal mode. Claimed it was a corrupt version. It ran in Safe Mode.

2) Rkill.pif appears to be a broken link.

Please find ComboFix log below:

ComboFix 10-12-13.02 - Samuel M. Saunders 12/13/2010 18:29:42.1.1 - x86 MINIMAL
Running from: c:\documents and settings\Samuel M. Saunders\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kittie\Desktop\movieland.url
c:\documents and settings\Samuel M. Saunders\Application Data\Install.dat
c:\windows\system32\comrepl.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_NPF
-------\Service_6to4
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-11-14 to 2010-12-14 )))))))))))))))))))))))))))))))
.

2010-12-06 21:29 . 2008-04-14 13:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-12-06 21:29 . 2008-04-14 13:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-12-06 21:29 . 2008-04-14 08:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-12-06 21:29 . 2008-04-14 08:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-12-06 21:13 . 2008-04-14 13:42 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-12-06 21:13 . 2001-08-18 06:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-12-06 21:13 . 2008-04-14 13:42 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-12-06 21:13 . 2001-08-18 06:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-12-06 21:13 . 2001-08-18 06:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-12-06 21:13 . 2001-08-18 06:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-12-06 21:12 . 2001-08-17 20:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-12-06 21:12 . 2008-04-14 13:42 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-12-06 21:12 . 2008-04-14 08:06 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-12-06 21:12 . 2008-04-14 06:05 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-12-06 21:12 . 2001-08-17 20:12 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-12-06 21:12 . 2001-08-17 21:28 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2010-12-06 21:12 . 2001-08-18 06:36 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2010-12-06 21:12 . 2001-08-18 06:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-12-06 21:12 . 2008-04-14 07:00 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
2010-12-06 21:12 . 2008-04-14 07:00 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
2010-12-06 21:10 . 2001-08-17 21:28 765884 -c--a-w- c:\windows\system32\dllcache\usrti.sys
2010-12-06 21:09 . 2001-08-18 06:36 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
2010-12-06 21:08 . 2001-08-17 22:02 230912 -c--a-w- c:\windows\system32\dllcache\tosdvd03.sys
2010-12-06 21:07 . 2001-08-17 21:50 103936 -c--a-w- c:\windows\system32\dllcache\sx.sys
2010-12-06 21:06 . 2001-08-17 20:51 37040 -c--a-w- c:\windows\system32\dllcache\sonypi.sys
2010-12-06 21:05 . 2008-04-14 06:05 63547 -c--a-w- c:\windows\system32\dllcache\sla30nd5.sys
2010-12-06 21:04 . 2001-08-18 06:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2010-12-06 21:03 . 2001-08-17 22:56 179264 -c--a-w- c:\windows\system32\dllcache\s3sav3d.dll
2010-12-06 21:02 . 2001-08-17 21:51 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2010-12-06 21:01 . 2001-08-18 06:36 121344 -c--a-w- c:\windows\system32\dllcache\phvfwext.dll
2010-12-06 21:00 . 2001-08-18 06:36 20480 -c--a-w- c:\windows\system32\dllcache\ovcomc.dll
2010-12-06 21:00 . 2001-08-17 22:05 351616 -c--a-w- c:\windows\system32\dllcache\ovcodek2.sys
2010-12-06 21:00 . 2001-08-18 06:36 116736 -c--a-w- c:\windows\system32\dllcache\ovcodec2.dll
2010-12-06 21:00 . 2001-08-17 22:05 31872 -c--a-w- c:\windows\system32\dllcache\ovce.sys
2010-12-06 21:00 . 2001-08-17 22:05 28032 -c--a-w- c:\windows\system32\dllcache\ovcd.sys
2010-12-06 21:00 . 2001-08-17 22:05 48000 -c--a-w- c:\windows\system32\dllcache\ovcam2.sys
2010-12-06 21:00 . 2001-08-17 22:05 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2010-12-06 21:00 . 2001-08-17 21:28 54186 -c--a-w- c:\windows\system32\dllcache\otcsercb.sys
2010-12-06 21:00 . 2001-08-17 20:12 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
2010-12-06 21:00 . 2001-08-17 20:12 27209 -c--a-w- c:\windows\system32\dllcache\otc06x5.sys
2010-12-06 21:00 . 2001-08-17 20:20 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
2010-12-06 21:00 . 2008-04-14 08:16 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
2010-12-06 21:00 . 2001-08-17 20:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2010-12-06 20:58 . 2001-08-18 06:36 59104 -c--a-w- c:\windows\system32\dllcache\n9i128v2.dll
2010-12-06 20:57 . 2001-08-17 22:00 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-12-06 20:57 . 2008-04-14 08:24 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2010-12-06 20:57 . 2008-04-14 07:00 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-12-06 20:57 . 2001-08-17 22:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2010-12-06 20:57 . 2001-08-17 21:48 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2010-12-06 20:57 . 2001-08-17 21:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-12-06 20:57 . 2001-08-17 21:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2010-12-06 20:57 . 2008-04-14 07:00 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe
2010-12-06 20:57 . 2008-04-14 07:00 34304 -c--a-w- c:\windows\system32\dllcache\migisol.exe
2010-12-06 20:57 . 2001-08-17 20:50 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2010-12-06 20:57 . 2001-08-17 22:56 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
2010-12-06 20:57 . 2008-04-14 07:00 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
2010-12-06 20:57 . 2008-04-14 07:00 92032 -c--a-w- c:\windows\system32\dllcache\mga.dll
2010-12-06 20:55 . 2001-08-17 20:12 26442 -c--a-w- c:\windows\system32\dllcache\lanepic5.sys
2010-12-06 20:54 . 2008-04-14 07:00 35328 -c--a-w- c:\windows\system32\dllcache\iprip.dll
2010-12-06 20:53 . 2001-08-17 22:06 38528 -c--a-w- c:\windows\system32\dllcache\ibmvcap.sys
2010-12-06 20:52 . 2001-08-17 21:28 150239 -c--a-w- c:\windows\system32\dllcache\hsf_amos.sys
2010-12-06 20:51 . 2008-04-14 08:15 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2010-12-06 20:50 . 2001-08-17 21:52 7040 -c--a-w- c:\windows\system32\dllcache\exabyte2.sys
2010-12-06 20:49 . 2001-08-17 21:28 241206 -c--a-w- c:\windows\system32\dllcache\el656se5.sys
2010-12-06 20:48 . 2001-08-17 20:13 103044 -c--a-w- c:\windows\system32\dllcache\digidxb.sys
2010-12-06 20:47 . 2008-04-14 08:06 10240 -c--a-w- c:\windows\system32\dllcache\compbatt.sys
2010-12-06 20:46 . 2001-08-17 21:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2010-12-06 20:45 . 2001-08-17 22:55 96128 -c--a-w- c:\windows\system32\dllcache\ati.dll
2010-12-06 20:44 . 2008-04-14 07:00 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2010-12-06 19:25 . 2010-12-06 19:25 388096 ----a-r- c:\documents and settings\Samuel M. Saunders\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-06 19:25 . 2010-12-06 19:25 -------- d-----w- c:\program files\Trend Micro
2010-12-05 01:25 . 2008-04-14 07:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-12-05 01:25 . 2008-04-14 07:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-12-05 01:25 . 2008-04-14 07:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-12-05 01:25 . 2008-04-14 07:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-12-04 17:04 . 2010-12-04 17:04 -------- d-----w- c:\windows\Dell
2010-11-30 08:12 . 2010-11-30 08:12 -------- d-----w- c:\windows\java
2010-11-30 05:12 . 2006-10-13 00:28 348160 ----a-w- c:\windows\system32\msvc5364.rra
2010-11-29 20:55 . 2010-11-29 20:55 -------- d-----w- c:\documents and settings\Samuel M. Saunders\Application Data\Avira
2010-11-28 06:35 . 2010-11-28 06:35 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-28 06:33 . 2010-11-28 06:34 -------- d-----w- c:\program files\iTunes
2010-11-27 22:51 . 2010-11-27 22:51 -------- d-sh--w- c:\documents and settings\Guest\IETldCache
2010-11-27 20:44 . 2010-11-27 20:44 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-13 15:11 . 2009-08-13 15:11 17260 ----a-w- c:\program files\Common Files\malyle.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2004-06-30 95344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"="c:\combofix\CF26865.cfxxe" [X]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-03 4800512]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2003-11-10 70816]
"URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2003-12-11 70800]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-03 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-03 281768]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-09-11 2500552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-5-13 24576]
Launch Whitesmoke Translator.lnk - c:\program files\WhiteSmoke Translator\WSTrayDictMode.exe [2004-2-20 671744]
NETGEAR WNA3100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA3100\WNA3100.exe [2010-8-5 4562944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt\0sprestrt

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\blp\\Wintrv\\wintrv.exe"=
"c:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\blp\\API\\bbcomm.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 cerc6;cerc6; [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 135664]
R2 WSWNA3100;WSWNA3100;c:\program files\NETGEAR\WNA3100\WifiSvc.exe [2010-01-12 278528]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh5.sys [2009-11-06 642432]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2010-09-11 239240]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2010-09-11 25240]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2010-08-03 135336]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

.
Contents of the 'Scheduled Tasks' folder

2010-12-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-12-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 22:45]

2010-12-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 22:45]

2010-12-11 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2004-05-20 22:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {9210EE3C-4238-4ADD-A7BC-EAC1DB945ED7} = 156.154.70.22,156.154.71.22
TCP: {ABCCC484-D4E5-441D-84AE-52ADC2261EF3} = 156.154.70.22,156.154.71.22
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-CLRHost - c:\blp\API\OFFICE~1\bbxlcmd.exe
HKCU-Run-MoneyAgent - c:\program files\Microsoft Money\System\mnyexpr.exe
HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-13 18:41
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(788)
c:\windows\system32\guard32.dll

- - - - - - - > 'Explorer.EXE'(660)
c:\windows\system32\guard32.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
c:\windows\system32\ieframe.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\progra~1\COMMON~1\SYMANT~1\ANTISPAM\asOEHook.dll
.
Completion time: 2010-12-13 18:54:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-14 02:54

Pre-Run: 5,981,376,512 bytes free
Post-Run: 6,606,585,856 bytes free

- - End Of File - - 73C748650A5EF3A37B97353E4BB6D1C2
 
Which one is your current security program?
I can see Norton, Comodo and Avira installed.

==================================================================

Unless you installed Viewpoint Manager knowledgeably...
Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
Uninstall any of the following programs associated with Viewpoint:
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar
This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

====================================================================

Still no internet?

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\msvc5364.rra
c:\program files\Common Files\malyle.bin


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
Hi Broni. Thanks for responding so quickly. Viewpoint Manager has been removed. Norton, Comodo and Avira are all running. Should I remove any of them? What about that Whitesmoke Translator program?

WNA3100 remains inoperable with "Failed to run Service" message.
 
I'll keep Comodo, unless you suggest otherwise. Whitesmoke was downloaded by the malware, so I'd like to get rid of it.
 
When attempting to remove Whitesmoke, Comodo alerts InstallScript Setup Launcher setup.exe could not be recognized and requests unlimited access to your computer. Should I allow?

Since I don't have access to the Internet right now (replying on a phone), is there any way to work around Norton?

Avira uninstalled.

Comodo Firewall and Defense+ installed.

Am I running ComboFix through the CFScript procedure detailed earlier?
 
Since I don't have access to the Internet right now (replying on a phone), is there any way to work around Norton?

Leave it for now. We'll try to re-establish your internet connection in a moment...

Am I running ComboFix through the CFScript procedure detailed earlier?
Yes.
 
Ok, ran ComboFix. I'll post the log tomorrow. Is there anything else we can do? Thanks for all the help tonight.
 
Good day to you Broni. Please find log below:

ComboFix 10-12-13.02 - Samuel M. Saunders 12/14/2010 20:32:30.2.1 - x86 MINIMAL
Running from: c:\documents and settings\Samuel M. Saunders\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Samuel M. Saunders\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\program files\Common Files\malyle.bin"
"c:\windows\system32\msvc5364.rra"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\malyle.bin
c:\windows\system32\msvc5364.rra

.
((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))
.

2010-12-06 21:29 . 2008-04-14 13:41 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-12-06 21:29 . 2008-04-14 13:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-12-06 21:29 . 2008-04-14 08:15 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-12-06 21:29 . 2008-04-14 08:15 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-12-06 21:13 . 2008-04-14 13:42 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-12-06 21:13 . 2001-08-18 06:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-12-06 21:13 . 2008-04-14 13:42 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-12-06 21:13 . 2001-08-18 06:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-12-06 21:13 . 2001-08-18 06:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-12-06 21:13 . 2001-08-18 06:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-12-06 21:12 . 2001-08-17 20:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-12-06 21:12 . 2008-04-14 13:42 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-12-06 21:12 . 2008-04-14 08:06 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-12-06 21:12 . 2008-04-14 06:05 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-12-06 21:12 . 2001-08-17 20:12 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-12-06 21:12 . 2001-08-17 21:28 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2010-12-06 21:12 . 2001-08-18 06:36 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2010-12-06 21:12 . 2001-08-18 06:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-12-06 21:12 . 2008-04-14 07:00 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
2010-12-06 21:12 . 2008-04-14 07:00 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
2010-12-06 21:10 . 2001-08-17 21:28 765884 -c--a-w- c:\windows\system32\dllcache\usrti.sys
2010-12-06 21:09 . 2001-08-18 06:36 50176 -c--a-w- c:\windows\system32\dllcache\umaxp60.dll
2010-12-06 21:08 . 2001-08-17 22:02 230912 -c--a-w- c:\windows\system32\dllcache\tosdvd03.sys
2010-12-06 21:07 . 2001-08-17 21:50 103936 -c--a-w- c:\windows\system32\dllcache\sx.sys
2010-12-06 21:06 . 2001-08-17 20:51 37040 -c--a-w- c:\windows\system32\dllcache\sonypi.sys
2010-12-06 21:05 . 2008-04-14 06:05 63547 -c--a-w- c:\windows\system32\dllcache\sla30nd5.sys
2010-12-06 21:04 . 2001-08-18 06:36 386560 -c--a-w- c:\windows\system32\dllcache\sgiul50.dll
2010-12-06 21:03 . 2001-08-17 22:56 179264 -c--a-w- c:\windows\system32\dllcache\s3sav3d.dll
2010-12-06 21:02 . 2001-08-17 21:51 19584 -c--a-w- c:\windows\system32\dllcache\rasirda.sys
2010-12-06 21:01 . 2001-08-18 06:36 121344 -c--a-w- c:\windows\system32\dllcache\phvfwext.dll
2010-12-06 21:00 . 2001-08-18 06:36 20480 -c--a-w- c:\windows\system32\dllcache\ovcomc.dll
2010-12-06 21:00 . 2001-08-17 22:05 351616 -c--a-w- c:\windows\system32\dllcache\ovcodek2.sys
2010-12-06 21:00 . 2001-08-18 06:36 116736 -c--a-w- c:\windows\system32\dllcache\ovcodec2.dll
2010-12-06 21:00 . 2001-08-17 22:05 31872 -c--a-w- c:\windows\system32\dllcache\ovce.sys
2010-12-06 21:00 . 2001-08-17 22:05 28032 -c--a-w- c:\windows\system32\dllcache\ovcd.sys
2010-12-06 21:00 . 2001-08-17 22:05 48000 -c--a-w- c:\windows\system32\dllcache\ovcam2.sys
2010-12-06 21:00 . 2001-08-17 22:05 25088 -c--a-w- c:\windows\system32\dllcache\ovca.sys
2010-12-06 21:00 . 2001-08-17 21:28 54186 -c--a-w- c:\windows\system32\dllcache\otcsercb.sys
2010-12-06 21:00 . 2001-08-17 20:12 43689 -c--a-w- c:\windows\system32\dllcache\otceth5.sys
2010-12-06 21:00 . 2001-08-17 20:12 27209 -c--a-w- c:\windows\system32\dllcache\otc06x5.sys
2010-12-06 21:00 . 2001-08-17 20:20 54528 -c--a-w- c:\windows\system32\dllcache\opl3sax.sys
2010-12-06 21:00 . 2008-04-14 08:16 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
2010-12-06 21:00 . 2001-08-17 20:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2010-12-06 20:58 . 2001-08-18 06:36 59104 -c--a-w- c:\windows\system32\dllcache\n9i128v2.dll
2010-12-06 20:57 . 2001-08-17 22:00 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-12-06 20:57 . 2008-04-14 08:24 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2010-12-06 20:57 . 2008-04-14 07:00 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-12-06 20:57 . 2001-08-17 22:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2010-12-06 20:57 . 2001-08-17 21:48 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2010-12-06 20:57 . 2001-08-17 21:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-12-06 20:57 . 2001-08-17 21:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2010-12-06 20:57 . 2008-04-14 07:00 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe
2010-12-06 20:57 . 2008-04-14 07:00 34304 -c--a-w- c:\windows\system32\dllcache\migisol.exe
2010-12-06 20:57 . 2001-08-17 20:50 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2010-12-06 20:57 . 2001-08-17 22:56 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
2010-12-06 20:57 . 2008-04-14 07:00 92416 -c--a-w- c:\windows\system32\dllcache\mga.sys
2010-12-06 20:57 . 2008-04-14 07:00 92032 -c--a-w- c:\windows\system32\dllcache\mga.dll
2010-12-06 20:55 . 2001-08-17 20:12 26442 -c--a-w- c:\windows\system32\dllcache\lanepic5.sys
2010-12-06 20:54 . 2008-04-14 07:00 35328 -c--a-w- c:\windows\system32\dllcache\iprip.dll
2010-12-06 20:53 . 2001-08-17 22:06 38528 -c--a-w- c:\windows\system32\dllcache\ibmvcap.sys
2010-12-06 20:52 . 2001-08-17 21:28 150239 -c--a-w- c:\windows\system32\dllcache\hsf_amos.sys
2010-12-06 20:51 . 2008-04-14 08:15 59136 -c--a-w- c:\windows\system32\dllcache\gckernel.sys
2010-12-06 20:50 . 2001-08-17 21:52 7040 -c--a-w- c:\windows\system32\dllcache\exabyte2.sys
2010-12-06 20:49 . 2001-08-17 21:28 241206 -c--a-w- c:\windows\system32\dllcache\el656se5.sys
2010-12-06 20:48 . 2001-08-17 20:13 103044 -c--a-w- c:\windows\system32\dllcache\digidxb.sys
2010-12-06 20:47 . 2008-04-14 08:06 10240 -c--a-w- c:\windows\system32\dllcache\compbatt.sys
2010-12-06 20:46 . 2001-08-17 21:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2010-12-06 20:45 . 2001-08-17 22:55 96128 -c--a-w- c:\windows\system32\dllcache\ati.dll
2010-12-06 20:44 . 2008-04-14 07:00 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2010-12-06 19:25 . 2010-12-06 19:25 388096 ----a-r- c:\documents and settings\Samuel M. Saunders\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-06 19:25 . 2010-12-06 19:25 -------- d-----w- c:\program files\Trend Micro
2010-12-05 01:25 . 2008-04-14 07:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2010-12-05 01:25 . 2008-04-14 07:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2010-12-05 01:25 . 2008-04-14 07:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2010-12-05 01:25 . 2008-04-14 07:00 13312 ----a-w- c:\windows\system32\irclass.dll
2010-12-04 17:04 . 2010-12-04 17:04 -------- d-----w- c:\windows\Dell
2010-11-30 08:12 . 2010-11-30 08:12 -------- d-----w- c:\windows\java
2010-11-28 06:35 . 2010-11-28 06:35 -------- d-----w- c:\windows\system32\wbem\Repository
2010-11-28 06:33 . 2010-11-28 06:34 -------- d-----w- c:\program files\iTunes
2010-11-27 22:51 . 2010-11-27 22:51 -------- d-sh--w- c:\documents and settings\Guest\IETldCache
2010-11-27 20:44 . 2010-11-27 20:44 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2004-06-30 95344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-11-03 4800512]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2003-11-10 70816]
"URLLSTCK.exe"="c:\program files\Norton Internet Security\UrlLstCk.exe" [2003-12-11 70800]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-03 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-09-11 2500552]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-5-13 24576]
Launch Whitesmoke Translator.lnk - c:\program files\WhiteSmoke Translator\WSTrayDictMode.exe [2004-2-20 671744]
NETGEAR WNA3100 Smart Wizard.lnk - c:\program files\NETGEAR\WNA3100\WNA3100.exe [2010-8-5 4562944]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt\0sprestrt

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 cerc6;cerc6; [x]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2010-09-11 239240]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2010-09-11 25240]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 135664]
R2 WSWNA3100;WSWNA3100;c:\program files\NETGEAR\WNA3100\WifiSvc.exe [2010-01-12 278528]
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\DRIVERS\bcmwlhigh5.sys [2009-11-06 642432]

.
Contents of the 'Scheduled Tasks' folder

2010-12-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 22:45]

2010-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 22:45]

2010-12-11 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2004-05-20 22:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: {9210EE3C-4238-4ADD-A7BC-EAC1DB945ED7} = 156.154.70.22,156.154.71.22
TCP: {ABCCC484-D4E5-441D-84AE-52ADC2261EF3} = 156.154.70.22,156.154.71.22
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-14 20:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(256)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2010-12-14 20:47:02
ComboFix-quarantined-files.txt 2010-12-15 04:46
ComboFix2.txt 2010-12-14 02:54

Pre-Run: 7,266,643,968 bytes free
Post-Run: 7,258,415,104 bytes free

- - End Of File - - 4435CFB4D809A5407B0DD70C169FE6B8
 
Good :)

Let's see what we can do about your internet connection.

1. Click Start>Run (Start>"Start search" in Vista).

2. Type in (or copy and paste):

cmd /c ping google.com>%temp%\$.$&notepad %temp%\$.$

and press Enter.

3. Notepad will open.

4. Copy all text in Notepad ([Ctrl-A], then [Ctrl-C]), and then post it (paste = [Ctrl-V]) in your next reply.

====================================================================

Go Start>Run ("Start search" in Vista), type in:
cmd
Click OK (hit Enter in Vista).

At Command Prompt, paste this:
ipconfig /all>c:\ipconfig_all.txt&notepad c:\ipconfig_all.txt&exit
Hit Enter.

Copy and paste what you see in Notepad into a Reply here.
 
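The two commands above capture the raw material for diagnosing a "could not find host" failure: a ping result and the full `ipconfig /all` listing. The next step is reading that capture for link state and DNS configuration, which is easy to do by hand for one adapter and tedious for many. The following is an added example, not code from this thread or from any tool it mentions: a small Python parser for XP-style `ipconfig /all` output that reports which adapters have link, which DNS servers each uses, and flags any server not on an allowlist the responder supplies. The sample text is constructed; the host name and the disconnected Intel adapter follow the capture posted in this thread, while the wireless adapter, its addresses, the allowlist and the address 198.51.100.7 are hypothetical.

```python
"""Triage an `ipconfig /all` capture: link state and DNS servers per adapter."""
import re

# Constructed sample in the indented layout `ipconfig /all` prints on XP.
# Host name and the disconnected Intel adapter mirror the thread's capture;
# the wireless adapter, its addresses and 198.51.100.7 are hypothetical.
SAMPLE = """\
Windows IP Configuration
        Host Name . . . . . . . . . . . . : Gluttony
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:
        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-0C-F1-D1-99-6F

Ethernet adapter Wireless Network Connection:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Hypothetical USB wireless adapter
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 198.51.100.7
                                            192.168.1.1
"""

# Hypothetical allowlist: the resolvers this network is expected to use.
TRUSTED_DNS = {"192.168.1.1"}

ADAPTER_RE = re.compile(r"^(\S.*\badapter\b.*?):\s*$")   # "Ethernet adapter X:"
FIELD_RE = re.compile(r"^\s*(\S.*?)[\s.]+:\s*(.*)$")       # "Key . . . : value"
CONT_RE = re.compile(r"^\s+(\S.*)$")                       # extra value lines (DNS list)


def parse_ipconfig(text):
    """Return {section name: {field: [values]}}; multi-line fields keep every value."""
    sections, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line == "Windows IP Configuration":
            current, last_key = sections.setdefault(line, {}), None
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current, last_key = sections.setdefault(m.group(1), {}), None
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            last_key = key
            current.setdefault(key, [])
            if value:
                current[key].append(value)
            continue
        m = CONT_RE.match(line)
        if m and last_key:                 # continuation of the previous field
            current[last_key].append(m.group(1).strip())
    return sections


def triage(sections, trusted_dns):
    """Return (findings, adapters with link) for the parsed capture."""
    findings, connected = [], []
    for name, fields in sections.items():
        if "adapter" not in name:
            continue
        state = fields.get("Media State", [])
        if state and "disconnected" in state[0].lower():
            findings.append(f"{name}: {state[0]} (no link)")
            continue
        connected.append(name)
        if not fields.get("IP Address"):
            findings.append(f"{name}: link but no IP address assigned")
        dns = fields.get("DNS Servers", [])
        if not dns:
            findings.append(f"{name}: no DNS servers configured; name lookups will fail")
        for server in dns:
            if server not in trusted_dns:
                findings.append(f"{name}: DNS server {server} is not on the trusted list")
    if not connected:
        findings.append("no adapter has link; ping cannot resolve or reach any host")
    return findings, connected


if __name__ == "__main__":
    for finding in triage(parse_ipconfig(SAMPLE), TRUSTED_DNS)[0]:
        print("-", finding)
```

On the capture actually posted in this thread the parser would list only the disconnected Intel adapter and no wireless adapter at all, which is exactly why the ping could not resolve a host: with the WNA3100 service failing to start, nothing had link. Swap `SAMPLE` for the text of `c:\ipconfig_all.txt` to run it on a real capture.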
Hi Broni. Is that light I see at the end of the tunnel?

FYI: PC is connecting to the internet via WiFi Netgear N300 Wireless USB Adapter. The driver (WNA3100.exe) will not run, producing a message box "Failed to run Service".

All text in Notepad as follows:

Ping request could not find host google.com. Please check the name and try again.
 
Please post a log from the second command I mentioned in my previous reply.

Did you try to reinstall wireless driver?

Will your computer connect, if hardwired, using ethernet cable?
 
PC wouldn't allow Wna3100 install when infected. Ok to try now? Modem is in another room, so quite difficult to connect via Ethernet.

Whoops. Second command log:

Windows IP Configuration
Host Name............: Gluttony
Primary Dns Suffix:
Node Type............: Hybrid
IP Routing Enabled: No
WINS Proxy Enabled: No

Ethernet adapter Local Area Connection 2:

Media State...........: Media disconnected
Description ...........: Intel(R) PRO/100 VE Network Connection
Physical Address..: 00-0C-F1-D1-99-6F
 