Google Redirect Virus Removal

Status: Not open for further replies.

Chinikaylo

Hi, I seem to have acquired the Google redirect virus, as many others have.

I've tried different spyware/adware/malware removal programs, but it still persists. I also tried uninstalling/reinstalling Firefox (that's the infected browser that I use), but to no avail. I've tried a couple of other things to remove it, including using Malwarebytes.

One thing that seems to be working for people is using HijackThis, posting the log, and having pros look at it. Well, I have already downloaded it and made a log, so if anyone could help me get rid of this it would be greatly appreciated, thanks!
 

Attachment: hijackthis.log (8.8 KB)
Welcome aboard


Please complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure you PASTE all logs. If some log exceeds the 50,000-character post limit, split it between a couple of replies.
Attached logs won't be reviewed.

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 
Here Are the Logs

OK, I followed the 8-step removal process, and here are the requested logs, good sirs:

The MBAM Log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5519

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/14/2011 10:53:19 AM
mbam-log-2011-01-14 (10-53-19).txt

Scan type: Quick scan
Objects scanned: 153452
Time elapsed: 9 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
______________________________________________________

The GMER Log:
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-01-14 11:12:52
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 WDC_WD2500JS-60NCB1 rev.10.02E02
Running: r6vfkp1c.exe; Driver: C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\fgldapod.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 488396912 (+254): rootkit-like behavior;

---- System - GMER 1.0.15 ----

SSDT spei.sys ZwEnumerateKey [0xF73D5DA4]
SSDT spei.sys ZwEnumerateValueKey [0xF73D6132]

Code F7C9BC9C ZwRequestPort
Code F7C9BD3C ZwRequestWaitReplyPort
Code F7C9BBFC ZwTraceEvent
Code F7C9BC9B NtRequestPort
Code F7C9BD3B NtRequestWaitReplyPort
Code F7C9BBFB NtTraceEvent

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 85F1AAEA
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F723CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 85F1AAEA
Device \Driver\atapi \Device\Ide\IdePort0 [F723CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 85F1AAEA
Device \Driver\atapi \Device\Ide\IdePort1 [F723CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 85F1AAEA
Device \Driver\atapi \Device\Ide\IdePort2 [F723CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 85F1AAEA
Device \Driver\atapi \Device\Ide\IdePort3 [F723CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort4 85F1AAEA
Device \Driver\atapi \Device\Ide\IdePort4 [F723CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort5 85F1AAEA
Device \Driver\atapi \Device\Ide\IdePort5 [F723CB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atyw64k9 \Device\Scsi\atyw64k91Port6Path0Target0Lun0 85A0C500
Device \Driver\atyw64k9 \Device\Scsi\atyw64k91 85A0C500
Device \FileSystem\Ntfs \Ntfs 861D71F8

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)

Device \FileSystem\Fastfat \Fat 85B1B500

AttachedDevice \FileSystem\Fastfat \Fat bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 arkbcfltr.sys (Microsoft AR PS/2 Keyboard Filter Driver (Beta 2 Release 2)/Microsoft Corporation)

Device \Device\Ide\IdeDeviceP2T0L0-e -> \??\IDE#DiskWDC_WD2500JS-60NCB1_____________________10.02E02#5&9c402e8&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----
_________________________________________________________________

And the DDS Log:

DDS (Ver_10-12-12.02) - NTFSx86
Run by Compaq_Administrator at 11:48:34.98 on Fri 01/14/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.379 [GMT -5:00]

AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\ZuneLauncher.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
svchost.exe
C:\WINDOWS\arservice.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
K:\Programs\firefox.exe
K:\Programs\plugin-container.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Compaq_Administrator\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uSearch Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\AxAutoMntSrv.exe" -automount
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [SUPERAntiSpyware] k:\programs\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Zune Launcher] "c:\program files\ZuneLauncher.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - k:\programs\microsoft office cracked\office10\OSA.EXE
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - k:\programs\micros~2\office10\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: trymedia.com
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - k:\programs\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - k:\programs\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\3x3rarsk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - k:\programs\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {3f963a5b-e555-4543-90e2-c3908898db71} - c:\program files\avg\avg9\Firefox
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-24 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-24 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-24 243024]
R1 SASDIFSV;SASDIFSV;k:\programs\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;k:\programs\SASKUTIL.SYS [2010-5-10 67656]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2009-12-23 370688]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-7-4 119016]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-10-26 517448]

=============== Created Last 30 ================

2011-01-13 16:59:27 -------- d-----w- c:\program files\Trend Micro
2011-01-09 02:04:37 -------- d-----w- c:\docume~1\compaq~1\applic~1\SUPERAntiSpyware.com
2011-01-09 02:04:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-01-05 17:06:35 -------- d-----w- c:\docume~1\compaq~1\applic~1\AskToolbar
2011-01-03 18:35:53 -------- d-----w- c:\docume~1\compaq~1\applic~1\Malwarebytes
2011-01-03 18:35:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-03 18:35:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-03 18:35:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

==================== Find3M ====================

2010-01-07 18:42:02 912192 ----a-w- c:\program files\ZuneDBApi.dll
2010-01-07 18:42:02 554816 ----a-w- c:\program files\UIXcontrols.dll
2010-01-07 18:42:02 1521472 ----a-w- c:\program files\UIX.dll
2010-01-07 18:42:02 1304384 ----a-w- c:\program files\ZuneShell.dll
2010-01-07 18:42:00 644928 ----a-w- c:\program files\UIX.renderapi.dll
2010-01-07 18:24:16 232448 ----a-w- c:\program files\l3codecp.acm
2007-08-27 19:56:58 1089440 ----a-w- c:\program files\msidcrl40.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JS-60NCB1 rev.10.02E02 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-e

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85F1AD01]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x50; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x8442f85b; SUB DWORD [EBP-0x4], 0x8442f12e; PUSH EDI; CALL 0xffffffffffffe0f7; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86080AB8]
3 CLASSPNP[0xF7610FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000078[0x85F84F18]
5 ACPI[0xF737C620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8612A940]
[0x8606F268] -> IRP_MJ_CREATE -> 0x85F1AD01
kernel: MBR read successfully
_asm { XOR DI, DI; MOV SI, 0x200; MOV SS, DI; MOV SP, 0x7a00; MOV BX, 0x7a0; MOV CX, SI; MOV DS, BX; MOV ES, BX; REP MOVSB ; JMP FAR 0x7a0:0x5c; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-e -> \??\IDE#DiskWDC_WD2500JS-60NCB1_____________________10.02E02#5&9c402e8&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x85F1AAEA
IoDeviceObjectType -> ParseProcedure -> 0xf7c7c160
\Device\Harddisk0\DR0 -> ParseProcedure -> 0xf7c7c160
user & kernel MBR OK
sectors 488397166 (+255): user != kernel
Warning: possible TDL3 rootkit infection !

============= FINISH: 11:50:22.28 ===============
__________________________________________________________

And the Attach Log:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/16/2010 1:54:41 PM
System Uptime: 1/14/2011 11:22:16 AM (0 hours ago)

Motherboard: ASUSTek Computer INC. | | NAGAMI2
Processor: AMD Athlon(tm) 64 Processor 3800+ | Socket 939 | 2405/199mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 225 GiB total, 148.304 GiB free.
D: is FIXED (FAT32) - 8 GiB total, 0.509 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is CDROM ()
K: is FIXED (NTFS) - 932 GiB total, 461.836 GiB free.
L: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\B71EB011D800
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\B71EB011D800
Service: NIC1394

==== System Restore Points ===================

RP187: 10/16/2010 6:23:59 PM - System Checkpoint
RP188: 10/17/2010 8:47:35 PM - System Checkpoint
RP189: 10/19/2010 1:23:59 AM - System Checkpoint
RP190: 10/20/2010 9:41:21 AM - System Checkpoint
RP191: 10/21/2010 2:16:51 PM - System Checkpoint
RP192: 10/22/2010 2:41:11 PM - System Checkpoint
RP193: 10/23/2010 7:01:24 PM - System Checkpoint
RP194: 10/24/2010 11:34:06 PM - System Checkpoint
RP195: 10/25/2010 11:53:57 PM - System Checkpoint
RP196: 10/26/2010 9:47:57 AM - Avg Update
RP197: 10/27/2010 11:54:27 AM - System Checkpoint
RP198: 10/28/2010 5:18:16 PM - System Checkpoint
RP199: 10/29/2010 5:25:55 PM - System Checkpoint
RP200: 10/30/2010 5:28:13 PM - System Checkpoint
RP201: 10/31/2010 7:14:59 AM - Installed Google SketchUp 8
RP202: 11/1/2010 7:21:23 AM - System Checkpoint
RP203: 11/2/2010 7:31:26 AM - System Checkpoint
RP204: 11/3/2010 9:43:17 AM - System Checkpoint
RP205: 11/4/2010 11:14:58 AM - System Checkpoint
RP206: 11/5/2010 12:08:03 PM - System Checkpoint
RP207: 11/6/2010 4:25:25 PM - System Checkpoint
RP208: 11/6/2010 5:45:12 PM - Installed Windows XP KB942288-v3.
RP209: 11/6/2010 5:45:42 PM - Installed DirectX
RP210: 11/6/2010 5:45:53 PM - Installed DirectX
RP211: 11/7/2010 8:24:54 PM - System Checkpoint
RP212: 11/8/2010 9:49:04 PM - System Checkpoint
RP213: 11/9/2010 10:32:51 AM - Avg Update
RP214: 11/9/2010 10:34:33 AM - Avg Update
RP215: 11/10/2010 11:16:21 AM - System Checkpoint
RP216: 11/11/2010 7:05:59 PM - System Checkpoint
RP217: 11/12/2010 10:22:44 PM - System Checkpoint
RP218: 11/14/2010 12:09:04 AM - System Checkpoint
RP219: 11/15/2010 7:49:21 AM - System Checkpoint
RP220: 11/16/2010 10:32:05 AM - System Checkpoint
RP221: 11/17/2010 10:36:35 AM - System Checkpoint
RP222: 11/18/2010 11:35:35 AM - System Checkpoint
RP223: 11/19/2010 12:10:49 PM - System Checkpoint
RP224: 11/20/2010 1:58:31 PM - System Checkpoint
RP225: 11/21/2010 9:15:09 PM - System Checkpoint
RP226: 11/23/2010 12:39:43 AM - System Checkpoint
RP227: 11/24/2010 7:52:55 AM - System Checkpoint
RP228: 11/24/2010 8:00:57 AM - Avg Update
RP229: 11/24/2010 8:02:25 AM - Avg Update
RP230: 11/25/2010 8:38:27 AM - System Checkpoint
RP231: 11/26/2010 4:43:22 PM - System Checkpoint
RP232: 11/27/2010 5:59:29 PM - System Checkpoint
RP233: 11/28/2010 6:32:21 PM - System Checkpoint
RP234: 11/29/2010 6:52:27 PM - System Checkpoint
RP235: 11/30/2010 7:05:24 PM - System Checkpoint
RP236: 12/1/2010 8:44:19 PM - System Checkpoint
RP237: 12/3/2010 12:39:22 PM - System Checkpoint
RP238: 12/4/2010 5:20:47 PM - System Checkpoint
RP239: 12/5/2010 11:30:09 PM - System Checkpoint
RP240: 12/7/2010 6:54:28 AM - System Checkpoint
RP241: 12/8/2010 7:54:43 AM - System Checkpoint
RP242: 12/9/2010 11:45:08 AM - System Checkpoint
RP243: 12/10/2010 12:46:27 PM - System Checkpoint
RP244: 12/11/2010 5:07:36 PM - System Checkpoint
RP245: 12/13/2010 7:53:31 AM - System Checkpoint
RP246: 12/14/2010 12:21:37 PM - System Checkpoint
RP247: 12/15/2010 2:27:40 PM - System Checkpoint
RP248: 12/16/2010 2:53:39 PM - System Checkpoint
RP249: 12/17/2010 5:52:53 PM - System Checkpoint
RP250: 12/18/2010 8:19:41 PM - System Checkpoint
RP251: 12/20/2010 8:11:43 AM - System Checkpoint
RP252: 12/21/2010 9:00:30 AM - System Checkpoint
RP253: 12/22/2010 10:00:30 AM - System Checkpoint
RP254: 12/23/2010 11:49:57 AM - System Checkpoint
RP255: 12/24/2010 12:46:10 PM - System Checkpoint
RP256: 12/25/2010 1:38:38 PM - System Checkpoint
RP257: 12/26/2010 3:12:58 PM - System Checkpoint
RP258: 12/27/2010 9:51:37 PM - System Checkpoint
RP259: 12/29/2010 3:04:50 PM - System Checkpoint
RP260: 12/30/2010 5:24:53 PM - System Checkpoint
RP261: 12/31/2010 6:14:00 PM - System Checkpoint
RP262: 1/1/2011 11:12:54 PM - System Checkpoint
RP263: 1/3/2011 6:14:13 PM - System Checkpoint
RP264: 1/4/2011 10:00:07 PM - System Checkpoint
RP265: 1/5/2011 10:36:57 PM - System Checkpoint
RP266: 1/7/2011 12:55:13 PM - System Checkpoint
RP267: 1/8/2011 6:39:15 PM - System Checkpoint
RP268: 1/9/2011 7:18:31 PM - System Checkpoint
RP269: 1/10/2011 10:25:24 PM - System Checkpoint
RP270: 1/12/2011 9:05:57 AM - System Checkpoint
RP271: 1/13/2011 2:23:36 PM - System Checkpoint

==== Installed Programs ======================

µTorrent
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.5
Adobe Shockwave Player 11.5
Agere Systems PCI-SV92PP Soft Modem
Ask Toolbar
AVG Free 9.0
BufferChm
Cheat Engine 5.6
Command & Conquer Generals
Compaq Connections (remove only)
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
Creeper World DEMO
Creeper World Map Editor
CueTour
Customer Experience Enhancement
Destinations
DeviceManagementQFolder
DISCover
Easy Internet Sign-up
Enhanced Multimedia Keyboard Solution
Evil Genius
ffdshow v1.1.3355 [2010-04-11]
FullDPAppQFolder
Garry's Mod
Google SketchUp 7
Google SketchUp 8
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
HP Boot Optimizer
HP DVD Play 2.1
HP Game Console
HP Imaging Device Functions 7.0
HP Photosmart Premier Software 6.5
HP Software Update
HP Support Overview
HP Web Helper
HPPhotoSmartExpress
HpSdpAppCoreApp
InstantShareDevices
J2SE Runtime Environment 5.0 Update 5
LightScribe System Software
Linksys EasyLink Advisor 1.5 (1010)
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Away Mode
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office 2003 Edition 60 Days Trial Welcome Tour
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Standard Edition 2003
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.9
Microsoft Visual C++ 2005 Redistributable
Microsoft WinUsb 1.0
Microsoft Works
Mozilla Firefox (3.6.13)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Notepad++
NVIDIA Drivers
OptionalContentQFolder
Otto
PhotoGallery
Portal
PowerISO
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
Quicken 2006
RandMap
Realtek High Definition Audio Driver
Sandboxie 3.46
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
SkinsHP1
SlideShow
SlideShowMusic
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
SUPERAntiSpyware
TortoiseSVN 1.6.11.20210 (32 bit)
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB953356)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB980182)
Update Rollup 2 for Windows XP Media Center Edition 2005
VobSub v2.23 (Remove Only)
WebFldrs XP
WildTangent Web Driver
Windows Imaging Component
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB912067
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver
Zune
Zune Language Pack (DE)
Zune Language Pack (ES)
Zune Language Pack (FR)
Zune Language Pack (IT)

==== Event Viewer Messages From Past Week ========

1/13/2011 11:14:58 AM, error: ipnathlp [30013] - The DHCP allocator has disabled itself on IP address 192.168.1.103, since the IP address is outside the 192.168.0.0/255.255.255.0 scope from which addresses are being allocated to DHCP clients. To enable the DHCP allocator on this IP address, please change the scope to include the IP address, or change the IP address to fall within the scope.
1/13/2011 11:14:44 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SASDIFSV SASKUTIL
1/13/2011 11:14:42 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
1/13/2011 11:14:42 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.

==== End Of File ===========================

_____________________________________________________________

That's it; hopefully I did everything right. I will be anxiously awaiting your reply.
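A small triage script for the DDS and GMER output posted above, added here as an example and not part of the thread or of either tool: it scans pasted log lines for the indicators this thread turns on (a browser proxy pointed at the local machine, GMER's "user != kernel" disk-sector mismatch, the atapi DriverStartIo hook, and orphaned "No File" toolbar entries) and rates them. The Finding type, the rule names and the sample lines are constructed for this example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS and GMER logs posted above,
# trimmed to the entries the rules below look at.
SAMPLE_LOG = r"""
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
FF - prefs.js: network.proxy.type - 0
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 85F1AAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 85F1AAEA
user & kernel MBR OK
sectors 488397166 (+255): user != kernel
Warning: possible TDL3 rootkit infection !
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = act on it, "info" = worth a look
    rule: str
    detail: str


# IE proxy entry such as "ProxyServer = http=127.0.0.1:5555".
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:[a-z]+=)?(?P<host>[\w.\-]+):(?P<port>\d+)")
# GMER's disk check: a sector that reads differently from user mode and from the kernel.
MBR_RE = re.compile(r"sectors\s+(?P<sector>\d+)\s+\(\+(?P<offset>\d+)\):\s*user != kernel")
# The atapi DriverStartIo pointer redirected away from atapi.sys (both GMER spellings).
STARTIO_RE = re.compile(r"\\Driver\\atapi\s+(?:->\s+)?DriverStartIo")
# Toolbar / BHO registration whose DLL is gone.
NOFILE_RE = re.compile(r"^(?:TB|BHO):.*-\s*No File\s*$")


def is_local_host(host: str) -> bool:
    """True when the proxy host is the machine itself (loopback or 'localhost')."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname, not an address
        return False


def triage(log_text: str) -> list[Finding]:
    """Run the rules over pasted log text and return findings in log order."""
    findings: list[Finding] = []
    startio_hooks = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.search(line)
        if m:
            host, port = m.group("host"), m.group("port")
            # A browser proxy pointed at the local machine means a local process
            # sits between the browser and the network: the classic redirect setup.
            severity = "high" if is_local_host(host) else "info"
            findings.append(Finding(severity, "browser-proxy", f"{host}:{port}"))
            continue
        m = MBR_RE.search(line)
        if m:
            # The MBR itself read identically ("user & kernel MBR OK"), but a sector
            # near the end of the disk did not: something hides data from user mode.
            detail = f"sector {m.group('sector')} (+{m.group('offset')})"
            findings.append(Finding("high", "disk-sector-mismatch", detail))
            continue
        if STARTIO_RE.search(line):
            startio_hooks += 1  # one line per hooked IDE port; report once
            continue
        if NOFILE_RE.match(line):
            findings.append(Finding("info", "orphaned-entry", line))
            continue
        if "rootkit infection" in line.lower():
            findings.append(Finding("high", "scanner-warning", line))
    if startio_hooks:
        findings.append(Finding("high", "atapi-startio-hook", f"{startio_hooks} hooked IDE port(s)"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts = {"high": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:4}] {f.rule}: {f.detail}")
    print(summarize(results))
```

A corporate proxy on a real host is only rated "info"; the loopback proxy on this machine, combined with the hooked atapi StartIo routine and the sector mismatch, is what marks this log as a kernel-level rootkit rather than a browser add-on problem.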
 
Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
 
TDSSKiller Log

Here it is:

2011/01/14 12:25:36.0140 TDSS rootkit removing tool 2.4.13.0 Jan 12 2011 09:51:11
2011/01/14 12:25:36.0140 ================================================================================
2011/01/14 12:25:36.0140 SystemInfo:
2011/01/14 12:25:36.0140
2011/01/14 12:25:36.0140 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/14 12:25:36.0140 Product type: Workstation
2011/01/14 12:25:36.0140 ComputerName: PENIS
2011/01/14 12:25:36.0140 UserName: Compaq_Administrator
2011/01/14 12:25:36.0140 Windows directory: C:\WINDOWS
2011/01/14 12:25:36.0140 System windows directory: C:\WINDOWS
2011/01/14 12:25:36.0140 Processor architecture: Intel x86
2011/01/14 12:25:36.0140 Number of processors: 1
2011/01/14 12:25:36.0140 Page size: 0x1000
2011/01/14 12:25:36.0140 Boot type: Normal boot
2011/01/14 12:25:36.0140 ================================================================================
2011/01/14 12:25:37.0625 Initialize success

PS, excuse my computer name
 
Where do I find the log? I had to reboot after the initial scan. Afterwards I just opened up TDSSKiller and clicked on Report, and copied that in. Is there a different log elsewhere?
 
Here it is, I think.

2011/01/14 12:15:46.0937 TDSS rootkit removing tool 2.4.13.0 Jan 12 2011 09:51:11
2011/01/14 12:15:46.0937 ================================================================================
2011/01/14 12:15:46.0937 SystemInfo:
2011/01/14 12:15:46.0937
2011/01/14 12:15:46.0937 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/14 12:15:46.0937 Product type: Workstation
2011/01/14 12:15:46.0937 ComputerName: PENIS
2011/01/14 12:15:46.0937 UserName: Compaq_Administrator
2011/01/14 12:15:46.0937 Windows directory: C:\WINDOWS
2011/01/14 12:15:46.0937 System windows directory: C:\WINDOWS
2011/01/14 12:15:46.0937 Processor architecture: Intel x86
2011/01/14 12:15:46.0937 Number of processors: 1
2011/01/14 12:15:46.0937 Page size: 0x1000
2011/01/14 12:15:46.0937 Boot type: Normal boot
2011/01/14 12:15:46.0937 ================================================================================
2011/01/14 12:15:47.0640 Initialize success
2011/01/14 12:15:55.0265 ================================================================================
2011/01/14 12:15:55.0265 Scan started
2011/01/14 12:15:55.0265 Mode: Manual;
2011/01/14 12:15:55.0265 ================================================================================
2011/01/14 12:15:55.0937 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/14 12:15:56.0000 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/01/14 12:15:56.0125 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/14 12:15:56.0265 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/14 12:15:56.0500 AgereSoftModem (994a42d273c35b43ee9d1e8a5d8bc639) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2011/01/14 12:15:56.0953 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2011/01/14 12:15:57.0515 aracpi (00523019e3579c8f8a94457fe25f0f24) C:\WINDOWS\system32\DRIVERS\aracpi.sys
2011/01/14 12:15:57.0703 arhidfltr (9fedaa46eb1a572ac4d9ee6b5f123cf2) C:\WINDOWS\system32\DRIVERS\arhidfltr.sys
2011/01/14 12:15:57.0750 arkbcfltr (82969576093cd983dd559f5a86f382b4) C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys
2011/01/14 12:15:57.0781 armoucfltr (9b21791d8a78faece999fadbebda6c22) C:\WINDOWS\system32\DRIVERS\armoucfltr.sys
2011/01/14 12:15:57.0890 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/01/14 12:15:57.0937 ARPolicy (7a2da7c7b0c524ef26a79f17a5c69fde) C:\WINDOWS\system32\DRIVERS\arpolicy.sys
2011/01/14 12:15:58.0109 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/14 12:15:58.0187 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/14 12:15:58.0250 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/14 12:15:58.0312 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/14 12:15:58.0437 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\system32\Drivers\avgldx86.sys
2011/01/14 12:15:58.0531 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\system32\Drivers\avgmfx86.sys
2011/01/14 12:15:58.0578 AvgTdiX (22e3b793c3e61720f03d3a22351af410) C:\WINDOWS\system32\Drivers\avgtdix.sys
2011/01/14 12:15:58.0796 bb-run (7270d070173b20ac9487ea16bb08b45f) C:\WINDOWS\system32\DRIVERS\bb-run.sys
2011/01/14 12:15:58.0875 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/14 12:15:58.0953 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/14 12:15:59.0000 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/14 12:15:59.0156 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/14 12:15:59.0265 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/14 12:15:59.0562 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/14 12:15:59.0656 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/14 12:15:59.0796 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/14 12:16:00.0046 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/14 12:16:00.0125 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/14 12:16:00.0281 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/14 12:16:00.0406 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/14 12:16:00.0500 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/01/14 12:16:00.0578 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/14 12:16:00.0640 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/01/14 12:16:00.0734 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/14 12:16:00.0812 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/14 12:16:00.0859 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/14 12:16:00.0953 ftsata2 (a81d26e33d160a4ac09eed0b0bd7d49b) C:\WINDOWS\system32\DRIVERS\ftsata2.sys
2011/01/14 12:16:00.0953 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ftsata2.sys. Real md5: a81d26e33d160a4ac09eed0b0bd7d49b, Fake md5: 6a628f06225b20975a721ca6b2ed0d37
2011/01/14 12:16:00.0968 ftsata2 - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/01/14 12:16:01.0203 GoProto (3800262165ce4a2b9d1ed09e2bce3e9c) C:\WINDOWS\system32\DRIVERS\goprot51.sys
2011/01/14 12:16:01.0328 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/14 12:16:01.0453 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/01/14 12:16:01.0640 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/14 12:16:01.0859 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/14 12:16:01.0937 iaStor (9a65e42664d1534b68512caad0efe963) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2011/01/14 12:16:02.0000 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/14 12:16:02.0296 IntcAzAudAddService (64be56b8858ca0153c725c720ffd194f) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/01/14 12:16:02.0484 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/01/14 12:16:02.0703 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/01/14 12:16:02.0812 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/14 12:16:02.0906 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/14 12:16:02.0968 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/14 12:16:03.0109 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/14 12:16:03.0156 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/14 12:16:03.0250 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/14 12:16:03.0359 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/14 12:16:03.0484 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/14 12:16:03.0578 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/14 12:16:03.0640 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/14 12:16:03.0921 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2011/01/14 12:16:03.0968 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/14 12:16:04.0125 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/14 12:16:04.0203 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/14 12:16:04.0343 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/14 12:16:04.0484 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/14 12:16:04.0609 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/14 12:16:04.0765 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/14 12:16:04.0953 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/14 12:16:05.0109 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/14 12:16:05.0218 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/14 12:16:05.0265 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/14 12:16:05.0343 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/14 12:16:05.0421 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/14 12:16:05.0515 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/14 12:16:05.0609 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/14 12:16:05.0812 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/14 12:16:06.0015 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/14 12:16:06.0218 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/14 12:16:06.0328 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/14 12:16:06.0515 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/01/14 12:16:06.0609 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/14 12:16:06.0687 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/14 12:16:06.0796 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/14 12:16:07.0078 nv (ce58f42b11be20a47c3d8d2f38da254e) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/01/14 12:16:07.0281 NVENETFD (22eedb34c4d7613a25b10c347c6c4c21) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2011/01/14 12:16:07.0453 nvnetbus (5e3f6ad5cad0f12d3cccd06fd964087a) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2011/01/14 12:16:07.0609 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/14 12:16:07.0687 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/14 12:16:07.0781 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/01/14 12:16:07.0875 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/01/14 12:16:07.0921 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/14 12:16:08.0140 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/14 12:16:08.0203 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/14 12:16:08.0406 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/14 12:16:08.0468 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/01/14 12:16:08.0765 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/14 12:16:08.0859 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/01/14 12:16:08.0937 Ps2 (390c204ced3785609ab24e9c52054a84) C:\WINDOWS\system32\DRIVERS\PS2.sys
2011/01/14 12:16:09.0000 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/14 12:16:09.0062 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/14 12:16:09.0140 PxHelp20 (0457e25bb122b854e267cf552dcdc370) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/01/14 12:16:09.0390 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/14 12:16:09.0468 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/14 12:16:09.0546 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/14 12:16:09.0718 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/14 12:16:09.0859 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/14 12:16:09.0937 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/14 12:16:10.0046 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/01/14 12:16:10.0234 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/14 12:16:10.0421 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/14 12:16:10.0531 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/01/14 12:16:10.0765 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) K:\Programs\SASDIFSV.SYS
2011/01/14 12:16:10.0828 SASKUTIL (61db0d0756a99506207fd724e3692b25) K:\Programs\SASKUTIL.SYS
2011/01/14 12:16:11.0000 SbieDrv (2cdab8553e703c7754be9ce1c4454eb5) C:\Program Files\Sandboxie\SbieDrv.sys
2011/01/14 12:16:11.0140 SCDEmu (16b1abe7f3e35f21dac57592b6c5d464) C:\WINDOWS\system32\drivers\SCDEmu.sys
2011/01/14 12:16:11.0281 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/14 12:16:11.0390 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/01/14 12:16:11.0562 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/14 12:16:11.0781 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/14 12:16:11.0937 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/01/14 12:16:11.0937 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/01/14 12:16:11.0953 sptd - detected Locked file (1)
2011/01/14 12:16:12.0000 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/14 12:16:12.0093 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/14 12:16:12.0265 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2011/01/14 12:16:12.0406 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/14 12:16:12.0515 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/14 12:16:12.0734 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/14 12:16:12.0843 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/14 12:16:13.0015 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/14 12:16:13.0140 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/14 12:16:13.0203 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/14 12:16:13.0328 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/14 12:16:13.0468 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/14 12:16:13.0671 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/14 12:16:13.0812 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/14 12:16:13.0937 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/14 12:16:14.0078 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/01/14 12:16:14.0187 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/14 12:16:14.0359 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/14 12:16:14.0437 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/14 12:16:14.0515 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/01/14 12:16:14.0656 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/14 12:16:14.0750 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/01/14 12:16:14.0812 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/14 12:16:14.0906 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/14 12:16:15.0031 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/01/14 12:16:15.0234 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/14 12:16:15.0375 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
2011/01/14 12:16:15.0500 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
2011/01/14 12:16:15.0609 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/01/14 12:16:15.0687 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/01/14 12:16:15.0828 zumbus (6bfb54f73aae470e9299e66cbc7bb632) C:\WINDOWS\system32\DRIVERS\zumbus.sys
2011/01/14 12:16:16.0250 ================================================================================
2011/01/14 12:16:16.0250 Scan finished
2011/01/14 12:16:16.0250 ================================================================================
2011/01/14 12:16:16.0265 Detected object count: 2
2011/01/14 12:16:39.0156 ftsata2 (a81d26e33d160a4ac09eed0b0bd7d49b) C:\WINDOWS\system32\DRIVERS\ftsata2.sys
2011/01/14 12:16:39.0171 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ftsata2.sys. Real md5: a81d26e33d160a4ac09eed0b0bd7d49b, Fake md5: 6a628f06225b20975a721ca6b2ed0d37
2011/01/14 12:16:40.0562 Backup copy not found, trying to cure infected file..
2011/01/14 12:16:40.0562 Cure success, using it..
2011/01/14 12:16:40.0593 C:\WINDOWS\system32\DRIVERS\ftsata2.sys - will be cured after reboot
2011/01/14 12:16:40.0593 Rootkit.Win32.TDSS.tdl3(ftsata2) - User select action: Cure
2011/01/14 12:16:40.0593 Locked file(sptd) - User select action: Skip
2011/01/14 12:19:29.0625 Deinitialize success
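A worked example added here (my own code, not part of the thread and not TDSSKiller's): a small Python parser for the log format pasted above. It pulls out the three things worth checking in a TDSSKiller log before moving on: which drivers came back "Forged" (the same file hashes differently depending on the path it is read through), which flagged objects were cured versus skipped, and whether the scanner's "Detected object count" agrees with what was parsed. The line formats are inferred from the log above, and SAMPLE_LOG is a constructed excerpt of that log; nothing else is assumed.

```python
"""Parse TDSSKiller-style log lines and pull out the findings.

Added example for this thread; not TDSSKiller's own code. The line formats are
inferred from the log pasted in the thread, and SAMPLE_LOG is a constructed
excerpt of that log.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the TDSSKiller 2.4.13.0 log from this thread.
SAMPLE_LOG = r"""
2011/01/14 12:16:00.0859 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/14 12:16:00.0953 ftsata2 (a81d26e33d160a4ac09eed0b0bd7d49b) C:\WINDOWS\system32\DRIVERS\ftsata2.sys
2011/01/14 12:16:00.0953 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ftsata2.sys. Real md5: a81d26e33d160a4ac09eed0b0bd7d49b, Fake md5: 6a628f06225b20975a721ca6b2ed0d37
2011/01/14 12:16:00.0968 ftsata2 - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/01/14 12:16:11.0937 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/01/14 12:16:11.0937 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/01/14 12:16:11.0953 sptd - detected Locked file (1)
2011/01/14 12:16:16.0250 ================================================================================
2011/01/14 12:16:16.0265 Detected object count: 2
2011/01/14 12:16:40.0593 Rootkit.Win32.TDSS.tdl3(ftsata2) - User select action: Cure
2011/01/14 12:16:40.0593 Locked file(sptd) - User select action: Skip
""".strip("\n")

# Every data line starts with "YYYY/MM/DD HH:MM:SS.ffff "; strip that first.
TS_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} ")
DRIVER_RE = re.compile(r"^(?P<svc>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
SUSPICIOUS_RE = re.compile(
    r"^Suspicious file \((?P<kind>\w+)\): (?P<path>.+?)\."
    r"(?: Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})"
    r"| md5: (?P<md5>[0-9a-f]{32}))$"
)
DETECTED_RE = re.compile(r"^(?P<svc>\S+) - detected (?P<verdict>.+) \(\d+\)$")
ACTION_RE = re.compile(r"^(?P<verdict>.+?)\((?P<svc>[^)]+)\) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")


@dataclass
class Finding:
    service: str
    path: str = ""
    kind: str = ""       # "Forged" or "NoAccess" from the Suspicious line
    verdict: str = ""    # e.g. "Rootkit.Win32.TDSS.tdl3" or "Locked file"
    real_md5: str = ""   # hash from one read path (for NoAccess: the only hash given)
    fake_md5: str = ""   # hash from the other read path; set only for Forged
    action: str = ""     # what the user chose: Cure / Skip / ...


def parse_tdsskiller_log(text: str) -> tuple[dict[str, Finding], int | None]:
    """Return (findings keyed by service name, the scanner's own object count)."""
    drivers: dict[str, tuple[str, str]] = {}   # path -> (service, md5) from enumeration lines
    findings: dict[str, Finding] = {}
    count = None
    for raw in text.splitlines():
        ts = TS_RE.match(raw)
        if not ts:
            continue                      # banner / blank lines carry no data
        line = raw[ts.end():]
        if (m := DRIVER_RE.match(line)):
            drivers[m["path"]] = (m["svc"], m["md5"])
        elif (m := SUSPICIOUS_RE.match(line)):
            svc, md5 = drivers.get(m["path"], ("?", ""))
            f = findings.setdefault(svc, Finding(service=svc))
            f.path, f.kind = m["path"], m["kind"]
            f.real_md5 = m["real"] or m["md5"] or md5
            f.fake_md5 = m["fake"] or ""
        elif (m := DETECTED_RE.match(line)):
            findings.setdefault(m["svc"], Finding(service=m["svc"])).verdict = m["verdict"]
        elif (m := ACTION_RE.match(line)):
            findings.setdefault(m["svc"], Finding(service=m["svc"])).action = m["action"]
        elif (m := COUNT_RE.match(line)):
            count = int(m["n"])
    return findings, count


def forged_drivers(findings: dict[str, Finding]) -> list[str]:
    """Services whose file bytes hash differently depending on the read path."""
    return sorted(s for s, f in findings.items()
                  if f.kind == "Forged" and f.fake_md5 and f.real_md5 != f.fake_md5)


def unresolved(findings: dict[str, Finding]) -> list[str]:
    """Flagged objects the user did not cure (skipped, or no action line at all)."""
    return sorted(s for s, f in findings.items() if f.action != "Cure")


def summarize(text: str) -> dict:
    findings, count = parse_tdsskiller_log(text)
    return {
        "reported_count": count,          # the scanner's own tally
        "parsed_count": len(findings),    # should agree; a mismatch means a truncated paste
        "forged": forged_drivers(findings),
        "unresolved": unresolved(findings),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two honest reads of the same file never disagree, so a "Forged" line is enough on its own to call the driver infected, whatever the signature name says; in the log above the "Real md5" of ftsata2.sys matches the hash on its enumeration line and the "Fake md5" is what the other read path handed back. The "unresolved" list is also worth a glance before the next step: sptd.sys is the SCSI pass-through driver shipped with Alcohol 120% (which the MBRCheck output in this thread shows installed) and it locks itself by design, so Skip was the right call there.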
 
Good :)

How is redirection?

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

===================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Here's the MBRCheck log.

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00000ffc

Kernel Drivers (total 133):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xF7AB0000 \WINDOWS\system32\KDCOM.DLL
0xF79C0000 \WINDOWS\system32\BOOTVID.dll
0xF749D000 klmdb.sys
0xF73AA000 spbp.sys
0xF7AB2000 \WINDOWS\System32\Drivers\WMILIB.SYS
0xF7392000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xF7364000 ACPI.sys
0xF7353000 pci.sys
0xF75B0000 ohci1394.sys
0xF75C0000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF75D0000 isapnp.sys
0xF7B78000 pciide.sys
0xF7830000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF75E0000 MountMgr.sys
0xF7334000 ftdisk.sys
0xF7AB8000 dmload.sys
0xF730E000 dmio.sys
0xF7838000 PartMgr.sys
0xF75F0000 VolSnap.sys
0xF7221000 atapi.sys
0xF71DE000 tsk48.tmp
0xF7600000 disk.sys
0xF7610000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF71BE000 fltmgr.sys
0xF71AC000 sr.sys
0xF7620000 bb-run.sys
0xF7630000 PxHelp20.sys
0xF7195000 KSecDD.sys
0xF7108000 Ntfs.sys
0xF70DB000 NDIS.sys
0xF70C1000 Mup.sys
0xF6623000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xF7940000 \SystemRoot\system32\DRIVERS\aracpi.sys
0xF621E000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xF620A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7948000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF61E6000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7950000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF6613000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF6603000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF65F3000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF61C3000 \SystemRoot\system32\DRIVERS\ks.sys
0xF60AA000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xF7AE8000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7958000 \SystemRoot\System32\Drivers\Modem.SYS
0xF605A000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF7AA0000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
0xF600F000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
0xF5FD8000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS
0xF5FA1000 \SystemRoot\System32\Drivers\ap7toycn.SYS
0xF65E3000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7840000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7AEE000 \SystemRoot\system32\DRIVERS\armoucfltr.sys
0xF7880000 \SystemRoot\system32\DRIVERS\PS2.sys
0xF7888000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7AF0000 \SystemRoot\system32\DRIVERS\arkbcfltr.sys
0xF709D000 \SystemRoot\system32\DRIVERS\arpolicy.sys
0xF7AF2000 \SystemRoot\system32\DRIVERS\serscan.sys
0xF7CB0000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF65D3000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7099000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF5F8A000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF65C3000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF65B3000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7890000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF5F79000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7670000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7898000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF78A0000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF5F49000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7680000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7AF4000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF5EEB000 \SystemRoot\system32\DRIVERS\update.sys
0xF707D000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7690000 \SystemRoot\system32\DRIVERS\zumbus.sys
0xF76A0000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xF5E52000 \SystemRoot\System32\Drivers\wdf01000.sys
0xF76B0000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF76C0000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF3477000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xF3453000 \SystemRoot\system32\drivers\portcls.sys
0xF76E0000 \SystemRoot\system32\drivers\drmk.sys
0xF76F0000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
0xF7AF8000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7B97000 \SystemRoot\System32\Drivers\Null.SYS
0xF7AFA000 \SystemRoot\System32\Drivers\Beep.SYS
0xF78D8000 \SystemRoot\System32\drivers\vga.sys
0xF7AFC000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7AFE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF78E0000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF78E8000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF6086000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF33F8000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF339F000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF3365000 \SystemRoot\System32\Drivers\avgtdix.sys
0xF333F000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7700000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF78F0000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF32EF000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF32CD000 \SystemRoot\System32\drivers\afd.sys
0xF7720000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF7740000 \SystemRoot\System32\Drivers\SCDEmu.SYS
0xF31DA000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF3142000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7750000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7900000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xF310E000 \SystemRoot\System32\Drivers\avgldx86.sys
0xF30EA000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF30D2000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7B3C000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF3225000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7938000 \SystemRoot\System32\watchdog.sys
0xBF9C4000 \SystemRoot\System32\drivers\dxg.sys
0xF7C9D000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF9D6000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xBACD1000 \SystemRoot\system32\DRIVERS\WudfPf.sys
0xBAC3A000 \??\C:\Program Files\Sandboxie\SbieDrv.sys
0xBACE8000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xBA12D000 \SystemRoot\system32\drivers\wdmaud.sys
0xBABBA000 \SystemRoot\system32\drivers\sysaudio.sys
0xBADD0000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB9E82000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB9D01000 \SystemRoot\System32\Drivers\HTTP.sys
0xB9C82000 \SystemRoot\system32\DRIVERS\srv.sys
0xB95F8000 \??\K:\Programs\SASKUTIL.SYS
0xF7920000 \??\K:\Programs\SASDIFSV.SYS
0xB5A89000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll
0x10000000 \Program Files\Alcohol Soft\Alcohol 120\Alcoholx.dll

Processes (total 48):
0 System Idle Process
4 System
732 C:\WINDOWS\system32\smss.exe
820 csrss.exe
844 C:\WINDOWS\system32\winlogon.exe
888 C:\WINDOWS\system32\services.exe
900 C:\WINDOWS\system32\lsass.exe
1060 C:\WINDOWS\system32\svchost.exe
1120 svchost.exe
1212 C:\Program Files\Sandboxie\SbieSvc.exe
1232 C:\WINDOWS\system32\svchost.exe
1304 C:\WINDOWS\system32\svchost.exe
1404 C:\Program Files\AVG\AVG9\avgchsvx.exe
1412 C:\Program Files\AVG\AVG9\avgrsx.exe
1520 C:\Program Files\AVG\AVG9\avgcsrvx.exe
1536 svchost.exe
1708 svchost.exe
2020 C:\WINDOWS\explorer.exe
212 C:\WINDOWS\system32\spoolsv.exe
320 C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
564 C:\Program Files\ZuneLauncher.exe
572 C:\Program Files\PowerISO\PWRISOVM.EXE
584 C:\PROGRA~1\AVG\AVG9\avgtray.exe
596 C:\WINDOWS\system32\ctfmon.exe
748 C:\Program Files\Sandboxie\SbieCtrl.exe
760 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
784 K:\Programs\SUPERAntiSpyware.exe
1176 svchost.exe
1224 C:\WINDOWS\arservice.exe
1324 C:\Program Files\AVG\AVG9\avgwdsvc.exe
1532 C:\WINDOWS\ehome\ehrecvr.exe
1768 C:\WINDOWS\ehome\ehSched.exe
2140 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
2168 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
2388 C:\WINDOWS\system32\nvsvc32.exe
2448 C:\Program Files\AVG\AVG9\avgnsx.exe
2588 svchost.exe
2764 C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
2900 C:\WINDOWS\system32\svchost.exe
2980 C:\WINDOWS\system32\ZuneBusEnum.exe
3084 mcrdsvc.exe
3496 C:\WINDOWS\system32\dllhost.exe
3648 alg.exe
224 C:\WINDOWS\system32\svchost.exe
3708 K:\Programs\firefox.exe
308 K:\Programs\plugin-container.exe
2324 C:\Program Files\Zune.exe
1440 C:\Documents and Settings\Compaq_Administrator\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000038`2bf5a600 (FAT32)
\\.\K: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD2500JS-60NCB1, Rev: 10.02E02
PhysicalDrive1 Model Number: FANTOMWD10EAVS-00D7B1, Rev: 2.10

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: 3FA1BAC1D7FD18071BE2B53E6001CD7DFE278CEB
931 GB \\.\PhysicalDrive1 RE: Unknown MBR code
SHA1: 7B673ACE7D764F99598D604CA48490D0A72DF547


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

_________________________________________________________________________________________________

The redirect seems to be gone, hopefully it won't come back. Thanks! Also, I didn't do the ComboFix yet, just the MBR Check
 
Good news, but we need to keep checking.

You seem to have MBR issue and I still need Combofix log.
 
Hey there

Sorry I didn't post this right away but I was gone over the weekend. Anyway, here's the ComboFix report:
----------------------------------------------------------------------------------------------------------------------------------------------------

ComboFix 11-01-17.05 - Compaq_Administrator 01/18/2011 10:38:43.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.599 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Administrator\My Documents\Downloads\ComboFix.exe
FW: Norton Internet Worm Protection *Disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Compaq_Administrator\Application Data\chrtmp
c:\program files\background.jpg
c:\windows\Install
c:\windows\install\server.exe
D:\Autorun.inf
K:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-12-18 to 2011-01-18 )))))))))))))))))))))))))))))))
.

2011-01-16 02:06 . 2011-01-16 02:08 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\.minecraft
2011-01-16 01:00 . 2011-01-16 01:00 -------- d-----w- c:\program files\7-Zip
2011-01-14 21:08 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
2011-01-14 21:08 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
2011-01-14 21:02 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
2011-01-14 20:59 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2011-01-14 20:58 . 2010-11-06 00:26 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2011-01-14 20:57 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2011-01-14 20:37 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe
2011-01-13 16:59 . 2011-01-13 16:59 -------- d-----w- c:\program files\Trend Micro
2011-01-09 02:04 . 2011-01-09 02:04 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\SUPERAntiSpyware.com
2011-01-09 02:04 . 2011-01-09 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-01-05 17:06 . 2011-01-05 17:06 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\AskToolbar
2011-01-05 00:37 . 2011-01-05 00:37 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2011-01-03 18:35 . 2011-01-03 18:35 -------- d-----w- c:\documents and settings\Compaq_Administrator\Application Data\Malwarebytes
2011-01-03 18:35 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-03 18:35 . 2011-01-03 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-03 18:35 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-14 17:20 . 2005-06-30 00:03 175104 ----a-w- c:\windows\system32\drivers\ftsata2.sys
2010-11-18 18:12 . 2004-08-10 04:00 81920 ------w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2004-08-10 04:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-10 04:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-10 04:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-10 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-10 04:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-10 04:00 40960 ------w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-10 04:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-10 04:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-01-07 18:42 . 2010-01-07 18:42 912192 ----a-w- c:\program files\ZuneDBApi.dll
2010-01-07 18:42 . 2010-01-07 18:42 554816 ----a-w- c:\program files\UIXcontrols.dll
2010-01-07 18:42 . 2010-01-07 18:42 1521472 ----a-w- c:\program files\UIX.dll
2010-01-07 18:42 . 2010-01-07 18:42 1304384 ----a-w- c:\program files\ZuneShell.dll
2010-01-07 18:42 . 2010-01-07 18:42 644928 ----a-w- c:\program files\UIX.renderapi.dll
2010-01-07 18:38 . 2010-01-07 18:38 87792 ----a-w- c:\program files\ZuneTaskbar.dll
2010-01-07 18:38 . 2010-01-07 18:38 320224 ----a-w- c:\program files\ZuneSrcWrp.dll
2010-01-07 18:38 . 2010-01-07 18:38 134384 ----a-w- c:\program files\ZuneZMDB.Library.dll
2010-01-07 18:38 . 2010-01-07 18:38 133872 ----a-w- c:\program files\ZuneZMDB.ZuneHD.dll
2010-01-07 18:38 . 2010-01-07 18:38 129264 ----a-w- c:\program files\ZuneZMDB.Classic.dll
2010-01-07 18:38 . 2010-01-07 18:38 747248 ----a-w- c:\program files\ZuneService.dll
2010-01-07 18:38 . 2010-01-07 18:38 61664 ----a-w- c:\program files\ZuneShellExt.dll
2010-01-07 18:38 . 2010-01-07 18:38 609504 ----a-w- c:\program files\ZuneSH.dll
2010-01-07 18:38 . 2010-01-07 18:38 410336 ----a-w- c:\program files\ZuneSP.dll
2010-01-07 18:38 . 2010-01-07 18:38 381168 ----a-w- c:\program files\ZuneSE.dll
2010-01-07 18:38 . 2010-01-07 18:38 17632 ----a-w- c:\program files\ZuneShare.exe
2010-01-07 18:38 . 2010-01-07 18:38 1674992 ----a-w- c:\program files\ZuneSetup.exe
2010-01-07 18:38 . 2010-01-07 18:38 16674032 ----a-w- c:\program files\ZuneShellResources.dll
2010-01-07 18:38 . 2010-01-07 18:38 1454832 ----a-w- c:\program files\ZuneResources.dll
2010-01-07 18:38 . 2010-01-07 18:38 142560 ----a-w- c:\program files\ZuneSA.dll
2010-01-07 18:38 . 2010-01-07 18:38 682736 ----a-w- c:\program files\ZuneQP.dll
2010-01-07 18:38 . 2010-01-07 18:38 626928 ----a-w- c:\program files\ZUNEMP4SDECD.dll
2010-01-07 18:38 . 2010-01-07 18:38 57584 ----a-w- c:\program files\ZuneDXVA2.dll
2010-01-07 18:38 . 2010-01-07 18:38 46304 ----a-w- c:\program files\ZuneConfig.exe
2010-01-07 18:38 . 2010-01-07 18:38 19696 ----a-w- c:\program files\ZunePS.dll
2010-01-07 18:38 . 2010-01-07 18:38 121056 ----a-w- c:\program files\ZuneEffects.dll
2010-01-07 18:38 . 2010-01-07 18:38 945904 ----a-w- c:\program files\ZuneMarketplaceResources.dll
2010-01-07 18:38 . 2010-01-07 18:38 842480 ----a-w- c:\program files\ZuneMde.dll
2010-01-07 18:38 . 2010-01-07 18:38 6790384 ----a-w- c:\program files\ZuneNativeLib.dll
2010-01-07 18:38 . 2010-01-07 18:38 5950704 ----a-w- c:\program files\ZuneNss.exe
2010-01-07 18:38 . 2010-01-07 18:38 50416 ----a-w- c:\program files\ZuneCfg.dll
2010-01-07 18:38 . 2010-01-07 18:38 38624 ----a-w- c:\program files\ZuneEnc.exe
2010-01-07 18:38 . 2010-01-07 18:38 30960 ----a-w- c:\program files\UIXsup.dll
2010-01-07 18:38 . 2010-01-07 18:38 297200 ----a-w- c:\program files\ZuneEvr.dll
2010-01-07 18:38 . 2010-01-07 18:38 272112 ----a-w- c:\program files\ZuneNssci.dll
2010-01-07 18:38 . 2010-01-07 18:38 209120 ----a-w- c:\program files\Zune.exe
2010-01-07 18:38 . 2010-01-07 18:38 181984 ----a-w- c:\program files\ZuneHost.exe
2010-01-07 18:38 . 2010-01-07 18:38 173808 ----a-w- c:\program files\ZuneDB.dll
2010-01-07 18:38 . 2010-01-07 18:38 1692384 ----a-w- c:\program files\ZuneEncEng.dll
2010-01-07 18:38 . 2010-01-07 18:38 158448 ----a-w- c:\program files\ZuneLauncher.exe
2010-01-07 18:38 . 2010-01-07 18:38 1342192 ----a-w- c:\program files\UIXrender.dll
2010-01-07 18:38 . 2010-01-07 18:38 120048 ----a-w- c:\program files\ZunePresenter.dll
2010-01-07 18:38 . 2010-01-07 18:38 116448 ----a-w- c:\program files\ZuneAACDec.dll
2010-01-07 18:38 . 2010-01-07 18:38 1053936 ----a-w- c:\program files\ZuneH264Dec.dll
2010-01-07 18:38 . 2010-01-07 18:38 1025264 ----a-w- c:\program files\ZuneCore.dll
2010-01-07 18:24 . 2010-01-07 18:24 232448 ----a-w- c:\program files\l3codecp.acm
2007-08-27 19:56 . 2007-08-27 19:56 1089440 ----a-w- c:\program files\msidcrl40.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-10-11 21:12 1244040 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-10-11 1244040]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-10-11 1244040]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe" [2009-11-15 33120]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2010-07-04 398568]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-01-25 7311360]
"Zune Launcher"="c:\program files\ZuneLauncher.exe" [2010-01-07 158448]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-11-09 180224]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - k:\programs\Microsoft Office Cracked\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "k:\programs\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- k:\programs\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
2005-08-03 06:19 77312 ------w- c:\windows\arpwrmsg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
2006-03-16 09:12 1077248 ----a-w- c:\program files\DISC\DISCover.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
2006-03-16 09:11 61440 ----a-w- c:\program files\DISC\DISCUpdMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
2006-04-03 00:07 389120 ----a-w- c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-30 04:01 67584 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 13:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2006-02-16 05:34 249856 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-01-25 02:15 7311360 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-01-25 02:15 1519616 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2005-07-23 05:14 237568 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-03-08 11:54 16010240 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"k:\\Programs\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=
"k:\\Programs\\THQ\\Dawn of War\\W40kWA.exe"=
"k:\\Programs\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\EA Games\\Command and Conquer Generals\\game.dat"=
"k:\\Programs\\Steam\\SteamApps\\crippin_blood\\day of defeat source\\hl2.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\Desktop\\?\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"k:\\Programs\\Steam\\Steam.exe"=
"k:\\Programs\\Steam\\SteamApps\\crippin_blood\\counter-strike source\\hl2.exe"=
"c:\\Documents and Settings\\Compaq_Administrator\\Desktop\\Minecraft.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:https
"21:TCP"= 21:TCP:FTP

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/17/2010 10:28 PM 691696]
S1 SASDIFSV;SASDIFSV;k:\programs\sasdifsv.sys [2/17/2010 1:25 PM 12872]
S1 SASKUTIL;SASKUTIL;k:\programs\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 16:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2011-01-18 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-10-11 21:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - k:\programs\MICROS~2\Office10\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\Compaq_Administrator\Application Data\Mozilla\Firefox\Profiles\3x3rarsk.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - k:\programs\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Ask Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe
Notify-avgrsstarter - (no file)
SafeBoot-klmdb.sys
SafeBoot-WudfPf
SafeBoot-WudfRd
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-18 10:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
k:\programs\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-01-18 10:44:29
ComboFix-quarantined-files.txt 2011-01-18 15:44

Pre-Run: 158,281,789,440 bytes free
Post-Run: 158,351,314,944 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - A98F3F50837A9F7218D76EEDE17F2F9B
 
We need to double check your MBR.

Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right-click on remover.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 53b87386f68c4cb2306da5ba771dbe8b

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...
 
Yeah, we need to fix it....

Please download NTBR by noahdfear and save it to your Desktop.
File size: 2.44 MB (2,565,432 bytes)

  • Place a blank CD in your CD drive.
  • Double click on NTBR_CD.exe file and a folder of the same name will appear.
  • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
  • Follow the prompts to burn the CD.
  • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
  • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
  • Insert the newly created CD into your infected PC and reboot your computer.
  • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
  • Read the warning and then continue as prompted.
  • You first need to select your keyboard layout - press Enter for English.
  • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
  • On the following screen enter 5 to select Install Standard MBR code.
  • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
  • When asked to confirm please do so.
  • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
  • Eject the disc and then press ctrl+alt+del to reboot the PC.
Once rebooted, run MBRCheck again and post its log.

**Important note to Dell users - fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. If this is a Dell computer, let me know before proceeding.
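A way to run the kind of checks MBRCheck and Bootkit Remover report on a raw sector dump yourself, for example before and after the MBR rewrite above, as an added example that is not code from this thread, from MBRCheck or from eSage Lab: it hashes the sector, verifies the 0x55AA boot signature, decodes the partition table so the "at offset" values in the logs can be confirmed, and compares the code region against a baseline hash. The 512-byte sample sector, the tampered copy and the baseline set are constructed here; what exactly each tool hashes to print its own MD5/SHA1 is not stated on this page, so the whole-sector hash is an assumption.

```python
"""Offline master-boot-sector checks (added example; not code from TechSpot,
MBRCheck or eSage Lab). Input is a 512-byte dump such as `remover.exe dump`
writes. The sample sector built at the bottom is constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_REGION = slice(0, 446)      # boot code (+ disk signature), before the table
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510-511
PARTITION_TYPES = {0x00: "empty", 0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)"}


def parse_partition_table(sector: bytes) -> list:
    """Decode the four 16-byte entries; start_offset is the value the tools
    print after 'at offset' (LBA start * 512)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status(1) CHS-first(3) type(1) CHS-last(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({
            "bootable": status == 0x80,
            "type": PARTITION_TYPES.get(ptype, f"0x{ptype:02x}"),
            "lba_start": lba_start,
            "sectors": sectors,
            "start_offset": lba_start * SECTOR_SIZE,
        })
    return entries


def code_hash(sector: bytes) -> str:
    """SHA1 of the code region only, so MBRs from two machines can be compared
    even though their partition tables differ."""
    return hashlib.sha1(sector[CODE_REGION]).hexdigest().upper()


def inspect_mbr(sector: bytes) -> dict:
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    return {
        "md5": hashlib.md5(sector).hexdigest(),            # whole sector (assumed to match the tools' output)
        "sha1": hashlib.sha1(sector).hexdigest().upper(),  # whole sector (same assumption)
        "code_sha1": code_hash(sector),
        "boot_signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": parse_partition_table(sector),
    }


def classify(sector: bytes, known_good_code_hashes: set) -> str:
    """Verdict in the tools' wording: 'standard' only if the code region matches a
    baseline hash captured from a clean, identically built machine."""
    report = inspect_mbr(sector)
    if not report["boot_signature_ok"]:
        return "invalid (missing 0x55AA boot signature)"
    if report["code_sha1"] in known_good_code_hashes:
        return "standard MBR code"
    return "unknown MBR code"


def build_sample_sector() -> bytes:
    """Constructed sector: NOP-filled code region plus a two-partition table whose
    offsets match the 'at offset' values shown in the logs above."""
    sec = bytearray(SECTOR_SIZE)
    sec[CODE_REGION] = b"\x90" * 446
    # entry 0: bootable NTFS starting at LBA 63 -> offset 0x7e00 (C:)
    struct.pack_into("<B3xB3xII", sec, PART_TABLE_OFFSET, 0x80, 0x07, 63, 470_907_540)
    # entry 1: FAT32 starting at LBA 0x1C15FAD3 -> offset 0x38`2bf5a600 (D:)
    struct.pack_into("<B3xB3xII", sec, PART_TABLE_OFFSET + 16, 0x00, 0x0B, 0x1C15FAD3, 17_489_565)
    sec[510:512] = BOOT_SIGNATURE
    return bytes(sec)


SAMPLE_SECTOR = build_sample_sector()
# Same sector with one byte changed in the code region: the partition table still
# decodes identically, but the code hash, and therefore the verdict, change.
TAMPERED_SECTOR = SAMPLE_SECTOR[:100] + b"\xcc" + SAMPLE_SECTOR[101:]
BASELINE = {code_hash(SAMPLE_SECTOR)}   # placeholder baseline, not a real known-good hash

if __name__ == "__main__":
    for name, sec in (("sample", SAMPLE_SECTOR), ("tampered", TAMPERED_SECTOR)):
        r = inspect_mbr(sec)
        print(name, "->", classify(sec, BASELINE), "MD5", r["md5"], "SHA1", r["sha1"])
        for p in r["partitions"][:2]:
            print(f"  {p['type']:<12} LBA {p['lba_start']:>10}  offset 0x{p['start_offset']:012x}")
```

A real baseline is the code-region hash of an MBR from a known-clean machine with the same boot code; a difference in the whole-sector hash alone can come from a legitimate partition-table change.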
 