BleepingComputer.com: Troj/TDL3Mem-B please help remove

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by masood at 0:17:18,48 on 01.04.2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1933 [GMT 2:00]
.
AV: Sophos Anti-Virus *Disabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
AV: Malware Defense *Enabled/Outdated* {28e00e3b-806e-4533-925c-f4c3d79514b9}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\SFTC\Batch Queue Server\BatchQueueServer.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Phantombility\Phantom CD\pcdservice.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Sophos\AutoUpdate\almon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\TerraTec\Remote\TTTVRC.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MICROS~2\rapimgr.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\masood\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.babylon.com/home?AF=15627
uInternet Settings,ProxyOverride = local
uURLSearchHooks: softxpansion Toolbar: {09941640-d3fa-4943-8e5c-8f838e4b058b} - c:\program files\softxpansion\prxtbsof0.dll
mURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: softxpansion Toolbar: {09941640-d3fa-4943-8e5c-8f838e4b058b} - c:\program files\softxpansion\prxtbsof0.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CescrtHlpr Object: {2eecd738-5844-4a99-b4b6-146bf802613b} - c:\program files\babylontoolbar\babylontoolbar\1.4.15.10\bh\BabylonToolbar.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: TerraTec Home Cinema: {ad6e6555-fb2c-47d4-8339-3e2965509877} - c:\progra~1\terratec\terrat~1\THCDES~1.DLL
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: softxpansion Toolbar: {09941640-d3fa-4943-8e5c-8f838e4b058b} - c:\program files\softxpansion\prxtbsof0.dll
TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - c:\program files\babylontoolbar\babylontoolbar\1.4.15.10\BabylonToolbarTlbr.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Remote Control Editor] "c:\program files\common files\terratec\remote\TTTVRC.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Twinub] rundll32.exe "c:\windows\sedfvgc.dll",Startup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Sophos AutoUpdate Monitor] c:\program files\sophos\autoupdate\almon.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [BabylonToolbar] "c:\program files\babylontoolbar\babylontoolbar\1.4.15.10\BabylonToolbarsrv.exe" /md I
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Hyiyukedomigivaj] rundll32.exe "c:\windows\ozuxoxotumud.dll",Startup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\masood\startm~1\programs\startup\autoru~1\logite~1.lnk - c:\program files\common files\logishrd\ereg\setpoint\eReg.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-f400-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
dPolicies-explorer: DisallowRun = 1 (0x1)
dPolicies-disallowrun: 1 = opera.exe
dPolicies-disallowrun: 2 = firefox.exe
dPolicies-disallowrun: 3 = chrome.exe
dPolicies-disallowrun: 4 = safari.exe
IE: Ausgewählte Verknüpfungen in Adobe PDF konvertieren - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Ausgewählte Verknüpfungen in vorhandene PDF-Datei konvertieren - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Auswahl in Adobe PDF konvertieren - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Auswahl in vorhandene PDF-Datei konvertieren - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - e:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: In Adobe PDF konvertieren - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: In vorhandene PDF-Datei konvertieren - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Verknüpfungsziel in Adobe PDF konvertieren - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Verknüpfungsziel in vorhandene PDF-Datei konvertieren - d:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - e:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~2\INetRepl.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: vrr.de\www
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6886.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://vexcast.com/download/vexcast.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\masood\applic~1\mozilla\firefox\profiles\hx8qjbn1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=15627
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://utils.babylon.com/abt/index.php?url=
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\masood\application data\mozilla\firefox\profiles\hx8qjbn1.default\extensions\turntoolviewer@turntool.com\plugins\nptnt.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {FA3C0C7D-3990-4AE7-A8C1-B68AA4230B58} - c:\documents and settings\masood\local settings\application data\{FA3C0C7D-3990-4AE7-A8C1-B68AA4230B58}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: TurnTool Viewer: turntoolviewer@turntool.com - %profile%\extensions\turntoolviewer@turntool.com
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 phmcd;phmcd;c:\windows\system32\drivers\phmcd.sys [2010-6-14 47056]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2009-7-15 153344]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2009-7-15 24064]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2008-7-30 277736]
R2 BatchQueueServer;BatchQueueServer;c:\program files\sftc\batch queue server\BatchQueueServer.exe [2010-2-25 212992]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2010-12-18 10384]
R2 pcdservice;pcdservice;c:\program files\phantombility\phantom cd\pcdservice.exe [2010-6-14 267600]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2010-10-27 163056]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2010-10-10 97520]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2010-10-27 230640]
R2 swi_service;Sophos Web Intelligence Service;c:\program files\sophos\sophos anti-virus\web intelligence\swi_service.exe [2010-10-27 1541360]
R3 Cinergy_HT_PCI_MKII;Cinergy HT PCI (MKII) service;c:\windows\system32\drivers\Cinergy_HT_PCI_MKII.sys [2009-7-16 221184]
S2 gupdate1ca0cfcaa9cfd2c;Google Update Service (gupdate1ca0cfcaa9cfd2c);c:\program files\google\update\GoogleUpdate.exe [2009-7-25 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [2010-10-10 23928]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-7-17 280344]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2010-5-11 90352]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2010-10-10 14976]
S4 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-5-7 92008]
.
=============== Created Last 30 ================
.
2011-03-20 17:45:58 0 ----a-w- c:\windows\Bhotiqaquzuw.bin
2011-03-20 17:45:56 -------- d-----w- c:\docume~1\masood\locals~1\applic~1\{FA3C0C7D-3990-4AE7-A8C1-B68AA4230B58}
2011-03-20 15:48:16 -------- d-----w- c:\docume~1\masood\applic~1\elsterformular
2011-03-20 15:45:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\elsterformular
2011-03-20 15:44:33 -------- d-----w- c:\program files\ElsterFormular
2011-03-08 20:44:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2011-03-08 20:44:30 -------- d-----w- c:\program files\McAfee Security Scan
.
==================== Find3M ====================
.
2011-03-19 10:21:47 0 -c--a-w- c:\windows\system32\ConduitEngine.tmp
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380011A rev.3.16 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A83C439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a8427d0]; MOV EAX, [0x8a84284c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A8F5AB8]
3 CLASSPNP[0xF7647FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x8A942518]
\Driver\atapi[0x8A903278] -> IRP_MJ_CREATE -> 0x8A83C439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST380011A_______________________________3.16____#4a3341564c363131202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A83C27F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 0:19:04,89 ===============

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

• Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  
  
• Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  
  
• If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  
  
• In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  
  
• Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
  
  
• Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  
  
• I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
  Because of this, you must reply within three days failure to reply will result in the topic being closed!
  
  
• Please do not PM me directly for help. If you have any questions, post them in this topic.
  
  
• Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
  Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________


One or more of the identified infections is a backdoor trojan and password stealer.



I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Running TDSSKiller

Please read carefully and follow these steps.

• Download TDSSKiller and save it to your Desktop.
  
• Extract its contents to your desktop.
  
• Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  
  
  
  
  
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
  
  
  
  
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
  
  
  
  
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
  
  
  
  
  
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

NEXT:



Running OTL

We need to create an OTL Report

• Please download OTL from one of the following mirrors:
  • This is THE Mirror
  
  
• Save it to your desktop.
  
• Double click on the icon on your desktop.
  
• Click the "Scan All Users" checkbox.
  
• Push the button.
  
• Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
    
  • Extra.txt <-- Will be minimized

NEXT:


Please provide an update on how things are running in your next reply.

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.