
Help! Backdoor Tdss 565 infected nvata.sys


This topic is locked
3 replies to this topic

#1 evilbobster
Posted 24 April 2010 - 07:44 AM

Greetings,

I booted up my computer this morning and, upon opening my first browser (IE 7), I was redirected on my first Google search. Obvious redirections are usually related to spyware or malware. Due to these known problems I started my scans with the tools I have, and none seem to have picked up anything at all. The problem being unsolved, I further conducted research online to find other sources of solutions. I have read a few forums on this website; however, none has provided a pinpoint solution. I must, however, add that my computer knowledge is limited, so perhaps I was not taking the right actions, especially when it comes to viruses/trojans/malware. During my research on BleepingComputer I have, however, been able to determine 2 things.

A. When I run Dr.Web it comes up with C:\windows\system32\svchost.exe:952 being infected, and it has been labeled eradicated.

B. I have used TDSSKiller, which tells me that C:\windows\system32\drivers\nvata.sys has been infected.

Below are my log files:

Based on these parameters (which I got from the BleepingComputer forum):

netsvcs
%SYSTEMDRIVE%\*.exe
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5
%SYSTEMDRIVE%\nvatabus.sys /s /md5
%SYSTEMDRIVE%\viamraid.sys /s /md5
%SYSTEMDRIVE%\nvata.sys /s /md5
CREATERESTOREPOINT

This is my OTL report:

**********************************************************************************************

OTL logfile created on: 24/04/2010 10:24:20 PM - Run 1
OTL by OldTimer - Version 3.2.2.0 Folder = C:\Documents and Settings\Admin\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 77.00% Memory free
9.00 Gb Paging File | 9.00 Gb Available in Paging File | 93.00% Paging File free
Paging file location(s): [Binary data over 100 bytes]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 48.83 Gb Total Space | 30.54 Gb Free Space | 62.56% Space Free | Partition Type: NTFS
Drive D: | 465.76 Gb Total Space | 308.70 Gb Free Space | 66.28% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 186.31 Gb Total Space | 45.46 Gb Free Space | 24.40% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 249.26 Gb Total Space | 135.22 Gb Free Space | 54.25% Space Free | Partition Type: NTFS

Computer Name: BOBBY
Current User Name: Admin
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/04/24 18:08:05 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
PRC - [2009/07/19 13:48:59 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/07/19 13:48:42 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2009/07/19 09:25:44 | 000,219,952 | ---- | M] () -- C:\Program Files\uTorrent\uTorrent.exe
PRC - [2009/02/06 17:07:48 | 000,027,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Contacts\wlcomm.exe
PRC - [2008/02/20 11:08:46 | 000,472,320 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2008/02/20 11:06:58 | 001,443,072 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2007/07/18 10:08:45 | 002,094,352 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
PRC - [2007/07/18 09:30:03 | 001,687,824 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
PRC - [2007/07/18 09:29:34 | 000,479,504 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDCountdown.exe
PRC - [2007/07/18 09:29:24 | 000,278,288 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
PRC - [2007/06/13 20:23:08 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/05 08:13:54 | 000,240,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe
PRC - [2006/12/18 21:34:36 | 000,868,352 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2003/08/06 13:24:20 | 012,037,688 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE


========== Modules (SafeList) ==========

MOD - [2010/04/24 18:08:05 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
MOD - [2006/08/26 01:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2008/02/20 11:14:52 | 000,019,200 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2008/02/20 11:08:46 | 000,472,320 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2007/01/05 08:13:54 | 000,240,408 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
SRV - [2001/08/23 22:00:00 | 000,003,584 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\System32\regedt32.exe -- (NOD32FiXTemDono)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2010/02/17 11:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/02/17 11:15:58 | 000,066,632 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 11:15:58 | 000,012,872 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010/02/11 09:18:28 | 000,093,056 | ---- | M] () [Kernel | On_Demand | Stopped] -- I:\sXe Injected\ddsxei.sys -- (ddsxeiservice)
DRV - [2009/07/15 04:54:00 | 007,741,664 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/02/20 11:11:16 | 000,033,800 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\epfwtdir.sys -- (epfwtdir)
DRV - [2008/02/20 11:02:22 | 000,029,704 | ---- | M] (ESET) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\easdrv.sys -- (easdrv)
DRV - [2008/02/20 11:01:30 | 000,039,944 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\eamon.sys -- (eamon)
DRV - [2007/12/17 17:14:06 | 000,012,400 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AsIO.sys -- (AsIO)
DRV - [2007/06/29 14:47:34 | 000,034,304 | ---- | M] (AMD, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AmdLLD.sys -- (AmdLLD)
DRV - [2007/01/16 09:09:06 | 000,293,888 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2006/12/06 09:39:13 | 001,964,064 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\VX3000.sys -- (VX3000)
DRV - [2006/08/21 18:24:28 | 000,105,344 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\nvata.sys -- (nvata)
DRV - [2006/03/17 17:18:58 | 000,392,960 | ---- | M] (Sensaura) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
DRV - [2004/10/27 15:21:36 | 000,138,240 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Hdaudbus.sys -- (HDAudBus)
DRV - [2004/08/13 10:56:20 | 000,005,810 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/08/03 23:07:56 | 000,059,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2004/08/03 22:31:34 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139) Realtek RTL8139(A/B/C)
DRV - [2002/09/16 17:14:32 | 000,004,228 | ---- | M] (PowerQuest Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\PQNTDRV.sys -- (PQNTDrv)
DRV - [2001/08/23 22:00:00 | 000,012,160 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fsvga.sys -- (FsVga)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.google.com/toolbar/ie7/done.html
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.google.com/toolbar/ie7/done.html
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1343024091-413027322-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKU\S-1-5-21-1343024091-413027322-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/07/19 13:49:03 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2010/04/24 14:57:13 | 000,000,789 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-1343024091-413027322-839522115-1003\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe (AMD)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [Launch LCDMon] C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe (Logitech Inc.)
O4 - HKLM..\Run: [Launch LGDCore] C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe (Logitech Inc.)
O4 - HKLM..\Run: [LifeCam] C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe ()
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [VX3000] C:\WINDOWS\vVX3000.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1343024091-413027322-839522115-1003..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1343024091-413027322-839522115-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1343024091-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1343024091-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1343024091-413027322-839522115-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/...can8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/07/18 20:14:48 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-1343024091-413027322-839522115-1003\...exe [@ = exefile] -- Reg Error: Key error. File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/07/19 05:41:34 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17465059307421696)

========== Files/Folders - Created Within 90 Days ==========

[2010/04/24 21:48:50 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/04/24 21:05:45 | 000,178,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\Admin\Desktop\TDSSKiller.exe
[2010/04/24 18:54:12 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/04/24 18:11:36 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/24 18:11:36 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/24 18:11:36 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/24 18:11:36 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/24 18:11:13 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/24 18:07:48 | 000,562,176 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
[2010/04/24 16:48:48 | 069,919,368 | ---- | C] ( ) -- C:\Documents and Settings\Admin\Desktop\setup_9.0.0.722_24.04.2010_09-15.exe
[2010/04/24 15:38:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\Desktop\GooredFix Backups
[2010/04/24 15:37:16 | 000,070,858 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\Admin\Desktop\GooredFix.exe
[2010/04/24 15:23:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\Desktop\SysProt
[2010/04/24 14:46:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\DoctorWeb
[2010/04/24 13:43:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\BDOSCAN8
[2010/04/24 13:06:16 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/24 13:01:33 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/24 09:48:43 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2010/04/24 09:42:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/04/24 09:42:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\Application Data\SUPERAntiSpyware.com
[2010/04/24 09:42:00 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/04/23 20:06:37 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/04/23 20:06:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2010/04/23 17:50:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/23 17:50:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/21 17:35:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\My Documents\StarCraft II Beta
[2010/04/21 17:35:16 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Blizzard Entertainment
[2010/04/21 17:35:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Blizzard Entertainment
[2010/04/21 17:35:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Blizzard
[2010/04/20 21:59:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\Local Settings\Application Data\Blizzard Entertainment
[2010/04/18 13:26:50 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Admin\Recent
[2010/04/09 21:55:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/03/31 19:36:52 | 000,139,264 | ---- | C] (Blizzard Entertainment) -- C:\WINDOWS\War3Unin.exe
[2010/03/18 17:58:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\Application Data\vlc
[2010/03/18 17:58:14 | 000,000,000 | ---D | C] -- C:\Program Files\VideoLAN
[2010/03/14 17:40:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Real
[2010/03/14 09:08:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2010/03/14 09:07:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/03/14 09:05:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\My Documents\Downloads
[2010/02/27 12:49:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\Local Settings\Application Data\Temp
[2010/02/12 19:25:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\My Documents\200 Naruto wallpaper Great collection
[2010/02/05 19:29:08 | 000,000,000 | ---D | C] -- C:\Program Files\Maxis
[2010/01/31 14:27:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2010/01/31 10:43:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google

========== Files - Modified Within 90 Days ==========

[2010/04/24 22:09:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/24 21:58:33 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/24 21:56:05 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/24 20:53:45 | 000,154,469 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\tdsskiller.zip
[2010/04/24 19:28:01 | 000,243,457 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/04/24 19:27:47 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/24 19:27:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/24 19:24:43 | 037,977,216 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\CureIt!.exe
[2010/04/24 19:07:09 | 000,026,376 | ---- | M] () -- C:\Documents and Settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/04/24 19:02:48 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Admin\Desktop\~$w Microsoft Word Document.doc
[2010/04/24 18:54:18 | 012,582,912 | ---- | M] () -- C:\Documents and Settings\Admin\NTUSER.DAT
[2010/04/24 18:54:18 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Admin\ntuser.ini
[2010/04/24 18:10:59 | 003,923,062 | R--- | M] () -- C:\Documents and Settings\Admin\Desktop\ComboFix.exe
[2010/04/24 18:08:05 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
[2010/04/24 18:03:26 | 000,126,912 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/04/24 16:48:52 | 069,919,368 | ---- | M] ( ) -- C:\Documents and Settings\Admin\Desktop\setup_9.0.0.722_24.04.2010_09-15.exe
[2010/04/24 16:35:32 | 000,030,720 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\New Microsoft Word Document.doc
[2010/04/24 15:38:25 | 000,070,858 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\Admin\Desktop\GooredFix.exe
[2010/04/24 15:23:10 | 000,354,396 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\SysProt.zip
[2010/04/24 14:57:13 | 000,000,789 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/04/24 14:07:28 | 038,226,952 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\62nt746d.exe
[2010/04/24 13:06:21 | 000,000,298 | RHS- | M] () -- C:\boot.ini
[2010/04/24 09:42:03 | 000,000,780 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/04/24 08:13:28 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/04/23 22:13:55 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/04/23 22:13:53 | 000,133,632 | ---- | M] () -- C:\Documents and Settings\Admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/23 20:06:55 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\Spybot - Search & Destroy.lnk
[2010/04/23 17:45:21 | 000,006,124 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\Mi715R2
[2010/04/23 17:45:21 | 000,006,124 | -HS- | M] () -- C:\Documents and Settings\Admin\Local Settings\Application Data\Mi715R2
[2010/04/23 17:25:18 | 004,267,968 | -H-- | M] () -- C:\Documents and Settings\Admin\Local Settings\Application Data\IconCache.db
[2010/04/21 17:37:39 | 000,000,606 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\StarCraft II Beta.lnk
[2010/04/18 10:09:46 | 000,000,124 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2010/04/15 21:33:55 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/15 18:17:36 | 003,530,506 | ---- | M] () -- C:\Documents and Settings\Admin\My Documents\naruto_215.zip
[2010/04/09 22:32:19 | 000,000,151 | ---- | M] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2010/04/09 17:58:34 | 000,002,228 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/31 20:06:47 | 000,061,483 | ---- | M] () -- C:\WINDOWS\War3Unin.dat
[2010/03/31 19:56:27 | 000,000,609 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\Frozen Throne.lnk
[2010/03/31 19:56:24 | 000,002,829 | ---- | M] () -- C:\WINDOWS\War3Unin.pif
[2010/03/31 19:56:23 | 000,139,264 | ---- | M] (Blizzard Entertainment) -- C:\WINDOWS\War3Unin.exe
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/29 18:27:48 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/22 10:43:42 | 000,178,000 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\Admin\Desktop\TDSSKiller.exe
[2010/03/15 20:50:54 | 000,000,381 | ---- | M] () -- C:\WINDOWS\NJCOM.INI
[2010/03/15 17:54:53 | 000,000,009 | ---- | M] () -- C:\Documents and Settings\Admin\My Documents\Default.PLS
[2010/03/12 18:57:23 | 000,000,620 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\Counter-Strike 1.6.lnk
[2010/03/12 18:02:38 | 000,261,632 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/03/09 17:23:57 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/03/07 16:36:57 | 000,000,533 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\sXe Injected.lnk
[2010/02/24 19:27:05 | 000,354,372 | ---- | M] () -- C:\Documents and Settings\Admin\My Documents\How_to_Open_Ports_in_DSL-xxxT.pdf
[2010/02/06 08:45:45 | 000,000,534 | ---- | M] () -- C:\WINDOWS\eReg.dat

========== Files Created - No Company Name ==========

[2010/04/24 20:53:41 | 000,154,469 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\tdsskiller.zip
[2010/04/24 19:23:43 | 037,977,216 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\CureIt!.exe
[2010/04/24 19:02:48 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Admin\Desktop\~$w Microsoft Word Document.doc
[2010/04/24 18:11:36 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/24 18:11:36 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/24 18:11:36 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/24 18:10:11 | 003,923,062 | R--- | C] () -- C:\Documents and Settings\Admin\Desktop\ComboFix.exe
[2010/04/24 16:27:58 | 038,226,952 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\62nt746d.exe
[2010/04/24 15:23:07 | 000,354,396 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\SysProt.zip
[2010/04/24 13:06:21 | 000,000,228 | ---- | C] () -- C:\Boot.bak
[2010/04/24 13:06:17 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/24 13:04:41 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/24 13:04:41 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/24 09:46:00 | 000,030,720 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\New Microsoft Word Document.doc
[2010/04/24 09:42:03 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/04/23 20:06:55 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\Spybot - Search & Destroy.lnk
[2010/04/23 17:44:20 | 000,006,124 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\Mi715R2
[2010/04/23 17:44:20 | 000,006,124 | -HS- | C] () -- C:\Documents and Settings\Admin\Local Settings\Application Data\Mi715R2
[2010/04/21 17:35:16 | 000,000,606 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\StarCraft II Beta.lnk
[2010/04/18 11:18:14 | 003,530,506 | ---- | C] () -- C:\Documents and Settings\Admin\My Documents\naruto_215.zip
[2010/03/31 19:56:27 | 000,000,609 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\Frozen Throne.lnk
[2010/03/31 19:36:53 | 000,061,483 | ---- | C] () -- C:\WINDOWS\War3Unin.dat
[2010/03/31 19:36:53 | 000,002,829 | ---- | C] () -- C:\WINDOWS\War3Unin.pif
[2010/03/29 18:02:18 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/03/12 18:56:33 | 000,000,620 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\Counter-Strike 1.6.lnk
[2010/03/09 17:23:57 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/03/07 16:36:57 | 000,000,533 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\sXe Injected.lnk
[2010/02/24 19:27:05 | 000,354,372 | ---- | C] () -- C:\Documents and Settings\Admin\My Documents\How_to_Open_Ports_in_DSL-xxxT.pdf
[2010/02/05 19:29:14 | 000,000,534 | ---- | C] () -- C:\WINDOWS\eReg.dat
[2010/01/31 10:43:06 | 000,000,886 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/01/31 10:43:06 | 000,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/01/30 08:22:42 | 000,000,009 | ---- | C] () -- C:\Documents and Settings\Admin\My Documents\Default.PLS
[2009/07/21 22:03:34 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2009/07/19 21:53:29 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/07/19 16:31:40 | 000,015,498 | ---- | C] () -- C:\WINDOWS\VX3000.ini
[2009/07/19 16:02:56 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/07/19 15:11:39 | 000,000,381 | ---- | C] () -- C:\WINDOWS\NJCOM.INI
[2009/07/19 14:38:32 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\AsIO.dll
[2009/07/19 14:38:32 | 000,012,400 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
[2009/07/19 14:38:23 | 000,005,810 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2009/07/19 14:22:03 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/07/19 14:22:03 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/07/19 14:03:36 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/07/19 13:49:29 | 000,000,124 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2009/07/18 21:54:16 | 001,285,632 | ---- | C] () -- C:\WINDOWS\System32\SMMedia.dll
[2009/01/05 15:44:10 | 000,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2008/10/07 09:13:30 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/02/20 11:11:16 | 000,033,800 | ---- | C] () -- C:\WINDOWS\System32\drivers\epfwtdir.sys
[2007/12/12 08:34:56 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/12/12 08:33:14 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2007/12/12 08:33:14 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2007/12/12 08:32:28 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[1996/04/04 05:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== LOP Check ==========

[2009/07/19 13:59:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Electronic Arts
[2009/07/25 09:40:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\ImgBurn
[2009/07/27 20:05:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\KSCraft
[2009/08/18 19:58:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\pokerth
[2009/07/19 15:21:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Recorder
[2010/04/24 22:25:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\uTorrent
[2009/12/12 17:59:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\ViGlance
[2009/12/12 17:59:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\ViSplore
[2009/12/12 17:59:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\ViStart
[2009/07/19 15:16:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESET
[2009/07/19 20:26:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/04/14 04:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2002/08/29 03:50:10 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp1.cab:atapi.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2002/08/29 03:50:10 | 010,158,890 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp1.cab:atapi.sys
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2002/08/29 01:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/14 04:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys
[2001/08/23 22:00:00 | 000,086,656 | ---- | M] (Microsoft Corporation) MD5=A64013E98426E1877CB653685C5C0009 -- C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/14 10:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\eventlog.dll
[2004/08/04 00:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2004/08/04 00:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2004/08/04 00:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\system32\eventlog.dll
[2002/08/29 03:40:52 | 000,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/14 10:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\netlogon.dll
[2002/08/29 03:41:08 | 000,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2009/02/07 04:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/07 04:46:09 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 00:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2004/08/04 00:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2004/08/04 00:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: NVATA.SYS >
[2006/08/21 18:24:28 | 000,105,344 | ---- | M] (NVIDIA Corporation) MD5=4D6C6B46B3EDF6F2E219A86B61D104AE -- C:\WINDOWS\system32\drivers\nvata.sys

< MD5 for: SCECLI.DLL >
[2004/08/04 00:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2004/08/04 00:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2004/08/04 00:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\system32\scecli.dll
[2002/08/29 03:41:12 | 000,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/14 10:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\scecli.dll

< %systemroot%\*. /mp /s >

========== Alternate Data Streams ==========

@Alternate Data Stream - 138 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF
< End of report >

********************************************************************************************

This is the TDSSKiller log file:

22:22:05:578 0860 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
22:22:05:578 0860 ================================================================================
22:22:05:578 0860 SystemInfo:

22:22:05:578 0860 OS Version: 5.1.2600 ServicePack: 2.0
22:22:05:578 0860 Product type: Workstation
22:22:05:578 0860 ComputerName: BOBBY
22:22:05:578 0860 UserName: Admin
22:22:05:578 0860 Windows directory: C:\WINDOWS
22:22:05:578 0860 Processor architecture: Intel x86
22:22:05:578 0860 Number of processors: 2
22:22:05:578 0860 Page size: 0x1000
22:22:05:593 0860 Boot type: Normal boot
22:22:05:593 0860 ================================================================================
22:22:05:593 0860 UnloadDriverW: NtUnloadDriver error 2
22:22:05:593 0860 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
22:22:05:750 0860 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
22:22:05:750 0860 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
22:22:05:750 0860 wfopen_ex: Trying to KLMD file open
22:22:05:750 0860 wfopen_ex: File opened ok (Flags 2)
22:22:05:750 0860 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
22:22:05:750 0860 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
22:22:05:750 0860 wfopen_ex: Trying to KLMD file open
22:22:05:750 0860 wfopen_ex: File opened ok (Flags 2)
22:22:05:750 0860 Initialize success
22:22:05:750 0860
22:22:05:750 0860 Scanning Services ...
22:22:05:796 0860 Raw services enum returned 329 services
22:22:05:796 0860
22:22:05:796 0860 Scanning Kernel memory ...
22:22:05:796 0860 Devices to scan: 7
22:22:05:796 0860
22:22:05:796 0860 Driver Name: Disk
22:22:05:796 0860 IRP_MJ_CREATE : F5C4EC30
22:22:05:796 0860 IRP_MJ_CREATE_NAMED_PIPE : E0BC2476
22:22:05:796 0860 IRP_MJ_CLOSE : F5C4EC30
22:22:05:796 0860 IRP_MJ_READ : F5C48D9B
22:22:05:796 0860 IRP_MJ_WRITE : F5C48D9B
22:22:05:796 0860 IRP_MJ_QUERY_INFORMATION : E0BC2476
22:22:05:796 0860 IRP_MJ_SET_INFORMATION : E0BC2476
22:22:05:796 0860 IRP_MJ_QUERY_EA : E0BC2476
22:22:05:796 0860 IRP_MJ_SET_EA : E0BC2476
22:22:05:796 0860 IRP_MJ_FLUSH_BUFFERS : F5C49366
22:22:05:796 0860 IRP_MJ_QUERY_VOLUME_INFORMATION : E0BC2476
22:22:05:796 0860 IRP_MJ_SET_VOLUME_INFORMATION : E0BC2476
22:22:05:796 0860 IRP_MJ_DIRECTORY_CONTROL : E0BC2476
22:22:05:796 0860 IRP_MJ_FILE_SYSTEM_CONTROL : E0BC2476
22:22:05:796 0860 IRP_MJ_DEVICE_CONTROL : F5C4944D
22:22:05:796 0860 IRP_MJ_INTERNAL_DEVICE_CONTROL : F5C4CFC3
22:22:05:796 0860 IRP_MJ_SHUTDOWN : F5C49366
22:22:05:796 0860 IRP_MJ_LOCK_CONTROL : E0BC2476
22:22:05:796 0860 IRP_MJ_CLEANUP : E0BC2476
22:22:05:796 0860 IRP_MJ_CREATE_MAILSLOT : E0BC2476
22:22:05:796 0860 IRP_MJ_QUERY_SECURITY : E0BC2476
22:22:05:796 0860 IRP_MJ_SET_SECURITY : E0BC2476
22:22:05:796 0860 IRP_MJ_POWER : F5C4AEF3
22:22:05:796 0860 IRP_MJ_SYSTEM_CONTROL : F5C4FA24
22:22:05:796 0860 IRP_MJ_DEVICE_CHANGE : E0BC2476
22:22:05:796 0860 IRP_MJ_QUERY_QUOTA : E0BC2476
22:22:05:796 0860 IRP_MJ_SET_QUOTA : E0BC2476
22:22:05:796 0860 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
22:22:05:796 0860
22:22:05:796 0860 Driver Name: Disk
22:22:05:796 0860 IRP_MJ_CREATE : F5C4EC30
22:22:05:796 0860 IRP_MJ_CREATE_NAMED_PIPE : E0BC2476
22:22:05:796 0860 IRP_MJ_CLOSE : F5C4EC30
22:22:05:796 0860 IRP_MJ_READ : F5C48D9B
22:22:05:796 0860 IRP_MJ_WRITE : F5C48D9B
22:22:05:796 0860 IRP_MJ_QUERY_INFORMATION : E0BC2476
22:22:05:796 0860 IRP_MJ_SET_INFORMATION : E0BC2476
22:22:05:796 0860 IRP_MJ_QUERY_EA : E0BC2476
22:22:05:796 0860 IRP_MJ_SET_EA : E0BC2476
22:22:05:796 0860 IRP_MJ_FLUSH_BUFFERS : F5C49366
22:22:05:796 0860 IRP_MJ_QUERY_VOLUME_INFORMATION : E0BC2476
22:22:05:796 0860 IRP_MJ_SET_VOLUME_INFORMATION : E0BC2476
22:22:05:796 0860 IRP_MJ_DIRECTORY_CONTROL : E0BC2476
22:22:05:796 0860 IRP_MJ_FILE_SYSTEM_CONTROL : E0BC2476
22:22:05:796 0860 IRP_MJ_DEVICE_CONTROL : F5C4944D
22:22:05:796 0860 IRP_MJ_INTERNAL_DEVICE_CONTROL : F5C4CFC3
22:22:05:796 0860 IRP_MJ_SHUTDOWN : F5C49366
22:22:05:796 0860 IRP_MJ_LOCK_CONTROL : E0BC2476
22:22:05:796 0860 IRP_MJ_CLEANUP : E0BC2476
22:22:05:796 0860 IRP_MJ_CREATE_MAILSLOT : E0BC2476
22:22:05:796 0860 IRP_MJ_QUERY_SECURITY : E0BC2476
22:22:05:796 0860 IRP_MJ_SET_SECURITY : E0BC2476
22:22:05:796 0860 IRP_MJ_POWER : F5C4AEF3
22:22:05:796 0860 IRP_MJ_SYSTEM_CONTROL : F5C4FA24
22:22:05:796 0860 IRP_MJ_DEVICE_CHANGE : E0BC2476
22:22:05:796 0860 IRP_MJ_QUERY_QUOTA : E0BC2476
22:22:05:796 0860 IRP_MJ_SET_QUOTA : E0BC2476
22:22:05:796 0860 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
22:22:05:796 0860
22:22:05:796 0860 Driver Name: Disk
22:22:05:796 0860 IRP_MJ_CREATE : F5C4EC30
22:22:05:796 0860 IRP_MJ_CREATE_NAMED_PIPE : E0BC2476
22:22:05:796 0860 IRP_MJ_CLOSE : F5C4EC30
22:22:05:796 0860 IRP_MJ_READ : F5C48D9B
22:22:05:796 0860 IRP_MJ_WRITE : F5C48D9B
22:22:05:796 0860 IRP_MJ_QUERY_INFORMATION : E0BC2476
22:22:05:796 0860 IRP_MJ_SET_INFORMATION : E0BC2476
22:22:05:796 0860 IRP_MJ_QUERY_EA : E0BC2476
22:22:05:796 0860 IRP_MJ_SET_EA : E0BC2476
22:22:05:796 0860 IRP_MJ_FLUSH_BUFFERS : F5C49366
22:22:05:796 0860 IRP_MJ_QUERY_VOLUME_INFORMATION : E0BC2476
22:22:05:796 0860 IRP_MJ_SET_VOLUME_INFORMATION : E0BC2476
22:22:05:796 0860 IRP_MJ_DIRECTORY_CONTROL : E0BC2476
22:22:05:796 0860 IRP_MJ_FILE_SYSTEM_CONTROL : E0BC2476
22:22:05:796 0860 IRP_MJ_DEVICE_CONTROL : F5C4944D
22:22:05:796 0860 IRP_MJ_INTERNAL_DEVICE_CONTROL : F5C4CFC3
22:22:05:796 0860 IRP_MJ_SHUTDOWN : F5C49366
22:22:05:796 0860 IRP_MJ_LOCK_CONTROL : E0BC2476
22:22:05:796 0860 IRP_MJ_CLEANUP : E0BC2476
22:22:05:796 0860 IRP_MJ_CREATE_MAILSLOT : E0BC2476
22:22:05:796 0860 IRP_MJ_QUERY_SECURITY : E0BC2476
22:22:05:796 0860 IRP_MJ_SET_SECURITY : E0BC2476
22:22:05:796 0860 IRP_MJ_POWER : F5C4AEF3
22:22:05:796 0860 IRP_MJ_SYSTEM_CONTROL : F5C4FA24
22:22:05:796 0860 IRP_MJ_DEVICE_CHANGE : E0BC2476
22:22:05:796 0860 IRP_MJ_QUERY_QUOTA : E0BC2476
22:22:05:796 0860 IRP_MJ_SET_QUOTA : E0BC2476
22:22:05:796 0860 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
22:22:05:796 0860
22:22:05:796 0860 Driver Name: Disk
22:22:05:796 0860 IRP_MJ_CREATE : F5C4EC30
22:22:05:796 0860 IRP_MJ_CREATE_NAMED_PIPE : E0BC2476
22:22:05:796 0860 IRP_MJ_CLOSE : F5C4EC30
22:22:05:796 0860 IRP_MJ_READ : F5C48D9B
22:22:05:796 0860 IRP_MJ_WRITE : F5C48D9B
22:22:05:796 0860 IRP_MJ_QUERY_INFORMATION : E0BC2476
22:22:05:796 0860 IRP_MJ_SET_INFORMATION : E0BC2476
22:22:05:796 0860 IRP_MJ_QUERY_EA : E0BC2476
22:22:05:796 0860 IRP_MJ_SET_EA : E0BC2476
22:22:05:796 0860 IRP_MJ_FLUSH_BUFFERS : F5C49366
22:22:05:796 0860 IRP_MJ_QUERY_VOLUME_INFORMATION : E0BC2476
22:22:05:796 0860 IRP_MJ_SET_VOLUME_INFORMATION : E0BC2476
22:22:05:796 0860 IRP_MJ_DIRECTORY_CONTROL : E0BC2476
22:22:05:796 0860 IRP_MJ_FILE_SYSTEM_CONTROL : E0BC2476
22:22:05:796 0860 IRP_MJ_DEVICE_CONTROL : F5C4944D
22:22:05:796 0860 IRP_MJ_INTERNAL_DEVICE_CONTROL : F5C4CFC3
22:22:05:796 0860 IRP_MJ_SHUTDOWN : F5C49366
22:22:05:796 0860 IRP_MJ_LOCK_CONTROL : E0BC2476
22:22:05:796 0860 IRP_MJ_CLEANUP : E0BC2476
22:22:05:796 0860 IRP_MJ_CREATE_MAILSLOT : E0BC2476
22:22:05:796 0860 IRP_MJ_QUERY_SECURITY : E0BC2476
22:22:05:796 0860 IRP_MJ_SET_SECURITY : E0BC2476
22:22:05:796 0860 IRP_MJ_POWER : F5C4AEF3
22:22:05:796 0860 IRP_MJ_SYSTEM_CONTROL : F5C4FA24
22:22:05:796 0860 IRP_MJ_DEVICE_CHANGE : E0BC2476
22:22:05:796 0860 IRP_MJ_QUERY_QUOTA : E0BC2476
22:22:05:796 0860 IRP_MJ_SET_QUOTA : E0BC2476
22:22:05:796 0860 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
22:22:05:796 0860
22:22:05:796 0860 Driver Name: nvata
22:22:05:796 0860 IRP_MJ_CREATE : F5A51894
22:22:05:796 0860 IRP_MJ_CREATE_NAMED_PIPE : F5A51874
22:22:05:796 0860 IRP_MJ_CLOSE : F5A51894
22:22:05:796 0860 IRP_MJ_READ : F5A51874
22:22:05:796 0860 IRP_MJ_WRITE : F5A51874
22:22:05:796 0860 IRP_MJ_QUERY_INFORMATION : F5A51874
22:22:05:796 0860 IRP_MJ_SET_INFORMATION : F5A51874
22:22:05:796 0860 IRP_MJ_QUERY_EA : F5A51874
22:22:05:796 0860 IRP_MJ_SET_EA : F5A51874
22:22:05:796 0860 IRP_MJ_FLUSH_BUFFERS : F5A51874
22:22:05:796 0860 IRP_MJ_QUERY_VOLUME_INFORMATION : F5A51874
22:22:05:796 0860 IRP_MJ_SET_VOLUME_INFORMATION : F5A51874
22:22:05:796 0860 IRP_MJ_DIRECTORY_CONTROL : F5A51874
22:22:05:796 0860 IRP_MJ_FILE_SYSTEM_CONTROL : F5A51874
22:22:05:796 0860 IRP_MJ_DEVICE_CONTROL : F5A518AE
22:22:05:796 0860 IRP_MJ_INTERNAL_DEVICE_CONTROL : F5A51D6E
22:22:05:796 0860 IRP_MJ_SHUTDOWN : F5A51874
22:22:05:796 0860 IRP_MJ_LOCK_CONTROL : F5A51874
22:22:05:796 0860 IRP_MJ_CLEANUP : F5A51874
22:22:05:796 0860 IRP_MJ_CREATE_MAILSLOT : F5A51874
22:22:05:796 0860 IRP_MJ_QUERY_SECURITY : F5A51874
22:22:05:796 0860 IRP_MJ_SET_SECURITY : F5A51874
22:22:05:796 0860 IRP_MJ_POWER : F5A51D0E
22:22:05:796 0860 IRP_MJ_SYSTEM_CONTROL : F5A51A9C
22:22:05:796 0860 IRP_MJ_DEVICE_CHANGE : F5A51874
22:22:05:796 0860 IRP_MJ_QUERY_QUOTA : F5A51874
22:22:05:796 0860 IRP_MJ_SET_QUOTA : F5A51874
22:22:05:828 0860 C:\WINDOWS\system32\DRIVERS\nvata.sys - Verdict: 1
22:22:05:828 0860
22:22:05:828 0860 Driver Name: nvata
22:22:05:828 0860 IRP_MJ_CREATE : FD1B1AC8
22:22:05:828 0860 IRP_MJ_CREATE_NAMED_PIPE : FD1B1AC8
22:22:05:828 0860 IRP_MJ_CLOSE : FD1B1AC8
22:22:05:828 0860 IRP_MJ_READ : FD1B1AC8
22:22:05:828 0860 IRP_MJ_WRITE : FD1B1AC8
22:22:05:828 0860 IRP_MJ_QUERY_INFORMATION : FD1B1AC8
22:22:05:828 0860 IRP_MJ_SET_INFORMATION : FD1B1AC8
22:22:05:828 0860 IRP_MJ_QUERY_EA : FD1B1AC8
22:22:05:828 0860 IRP_MJ_SET_EA : FD1B1AC8
22:22:05:828 0860 IRP_MJ_FLUSH_BUFFERS : FD1B1AC8
22:22:05:828 0860 IRP_MJ_QUERY_VOLUME_INFORMATION : FD1B1AC8
22:22:05:828 0860 IRP_MJ_SET_VOLUME_INFORMATION : FD1B1AC8
22:22:05:828 0860 IRP_MJ_DIRECTORY_CONTROL : FD1B1AC8
22:22:05:828 0860 IRP_MJ_FILE_SYSTEM_CONTROL : FD1B1AC8
22:22:05:828 0860 IRP_MJ_DEVICE_CONTROL : FD1B1AC8
22:22:05:828 0860 IRP_MJ_INTERNAL_DEVICE_CONTROL : FD1B1AC8
22:22:05:828 0860 IRP_MJ_SHUTDOWN : FD1B1AC8
22:22:05:828 0860 IRP_MJ_LOCK_CONTROL : FD1B1AC8
22:22:05:828 0860 IRP_MJ_CLEANUP : FD1B1AC8
22:22:05:828 0860 IRP_MJ_CREATE_MAILSLOT : FD1B1AC8
22:22:05:828 0860 IRP_MJ_QUERY_SECURITY : FD1B1AC8
22:22:05:828 0860 IRP_MJ_SET_SECURITY : FD1B1AC8
22:22:05:828 0860 IRP_MJ_POWER : FD1B1AC8
22:22:05:828 0860 IRP_MJ_SYSTEM_CONTROL : FD1B1AC8
22:22:05:828 0860 IRP_MJ_DEVICE_CHANGE : FD1B1AC8
22:22:05:828 0860 IRP_MJ_QUERY_QUOTA : FD1B1AC8
22:22:05:828 0860 IRP_MJ_SET_QUOTA : FD1B1AC8
22:22:05:828 0860 Driver "nvata" infected by TDSS rootkit!
22:22:05:828 0860 C:\WINDOWS\system32\DRIVERS\nvata.sys - Verdict: 1
22:22:05:828 0860 File "C:\WINDOWS\system32\DRIVERS\nvata.sys" infected by TDSS rootkit ...
22:22:05:828 0860 Processing driver file: C:\WINDOWS\system32\DRIVERS\nvata.sys
22:22:05:828 0860 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
22:22:05:843 0860 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3
22:22:05:843 0860 !fdfb7
22:22:06:046 0860 !vfvi8
22:22:06:046 0860 !vdf6
22:22:06:046 0860 Backup copy not found, trying to cure infected file..
22:22:06:046 0860 C:\WINDOWS\system32\DRIVERS\nvata.sys - Verdict: Cure failed (0)
22:22:06:046 0860 cure failed
22:22:06:046 0860
22:22:06:046 0860 Driver Name: atapi
22:22:06:046 0860 IRP_MJ_CREATE : F5A75572
22:22:06:046 0860 IRP_MJ_CREATE_NAMED_PIPE : E0BC2476
22:22:06:046 0860 IRP_MJ_CLOSE : F5A75572
22:22:06:046 0860 IRP_MJ_READ : E0BC2476
22:22:06:046 0860 IRP_MJ_WRITE : E0BC2476
22:22:06:046 0860 IRP_MJ_QUERY_INFORMATION : E0BC2476
22:22:06:046 0860 IRP_MJ_SET_INFORMATION : E0BC2476
22:22:06:046 0860 IRP_MJ_QUERY_EA : E0BC2476
22:22:06:046 0860 IRP_MJ_SET_EA : E0BC2476
22:22:06:046 0860 IRP_MJ_FLUSH_BUFFERS : E0BC2476
22:22:06:046 0860 IRP_MJ_QUERY_VOLUME_INFORMATION : E0BC2476
22:22:06:046 0860 IRP_MJ_SET_VOLUME_INFORMATION : E0BC2476
22:22:06:046 0860 IRP_MJ_DIRECTORY_CONTROL : E0BC2476
22:22:06:046 0860 IRP_MJ_FILE_SYSTEM_CONTROL : E0BC2476
22:22:06:046 0860 IRP_MJ_DEVICE_CONTROL : F5A75592
22:22:06:046 0860 IRP_MJ_INTERNAL_DEVICE_CONTROL : F5A717B4
22:22:06:046 0860 IRP_MJ_SHUTDOWN : E0BC2476
22:22:06:046 0860 IRP_MJ_LOCK_CONTROL : E0BC2476
22:22:06:046 0860 IRP_MJ_CLEANUP : E0BC2476
22:22:06:046 0860 IRP_MJ_CREATE_MAILSLOT : E0BC2476
22:22:06:046 0860 IRP_MJ_QUERY_SECURITY : E0BC2476
22:22:06:046 0860 IRP_MJ_SET_SECURITY : E0BC2476
22:22:06:046 0860 IRP_MJ_POWER : F5A755BC
22:22:06:046 0860 IRP_MJ_SYSTEM_CONTROL : F5A7C164
22:22:06:046 0860 IRP_MJ_DEVICE_CHANGE : E0BC2476
22:22:06:046 0860 IRP_MJ_QUERY_QUOTA : E0BC2476
22:22:06:046 0860 IRP_MJ_SET_QUOTA : E0BC2476
22:22:06:046 0860 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
22:22:06:046 0860
22:22:06:046 0860 Completed
22:22:06:046 0860
22:22:06:046 0860 Results:
22:22:06:046 0860 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
22:22:06:046 0860 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
22:22:06:046 0860 File objects infected / cured / cured on reboot: 1 / 0 / 0
22:22:06:046 0860
22:22:06:046 0860 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
22:22:06:046 0860 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
22:22:06:046 0860 KLMD(ARK) unloaded successfully

**********************************************************************************************************************************

To whoever will be helping me out: thank you for your time, it is much appreciated.

PLEASE NOTE: I live in Australia; the time when I posted this is 10:39 pm. I apologise for the time difference, and please understand if I don't respond promptly.

THANK YOU!!
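The OTL "< MD5 for: ... >" section in the post above lists every copy of each driver on disk with its hash. For atapi.sys the live copy in system32\drivers hashes identically to the ServicePackFiles copy, while for nvata.sys the live copy is the only one, so there is nothing to compare it against (which is also why TDSSKiller later reports "Backup copy not found" for it). The Python below is an added example, not OTL's code and not part of the original post: it parses a scan in that layout and classifies each file by whether its live hash matches any non-live reference copy. The sample text is a constructed excerpt; the ATAPI.SYS and NVATA.SYS entries are copied from the log, and the EXAMPLE.SYS section with its hashes is invented to show a mismatch.

```python
import re

# Constructed excerpt in the layout of OTL's "< MD5 for: ... >" custom scan.
# ATAPI.SYS and NVATA.SYS entries come from the post; EXAMPLE.SYS and its
# hashes are invented to show what a mismatch looks like.
SAMPLE_SCAN = r"""
< MD5 for: ATAPI.SYS >
[2004/08/04 01:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2002/08/29 01:27:50 | 000,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2008/04/14 04:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: NVATA.SYS >
[2006/08/21 18:24:28 | 000,105,344 | ---- | M] (NVIDIA Corporation) MD5=4D6C6B46B3EDF6F2E219A86B61D104AE -- C:\WINDOWS\system32\drivers\nvata.sys

< MD5 for: EXAMPLE.SYS >
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000001 -- C:\WINDOWS\ServicePackFiles\i386\example.sys
[2010/04/23 17:44:20 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF -- C:\WINDOWS\system32\drivers\example.sys
"""

SECTION_RE = re.compile(r"^< MD5 for: (\S+) >")
ENTRY_RE = re.compile(r"MD5=([0-9A-Fa-f]{32}) -- (.+?)\s*$")
# The copy Windows actually loads sits directly in system32 or system32\drivers.
# Everything else in the scan (ServicePackFiles, ERDNT cache, $NtServicePackUninstall$,
# SoftwareDistribution download, ReinstallBackups) is treated as a reference copy.
LIVE_RE = re.compile(r"^[a-z]:\\windows\\system32\\(drivers\\)?[^\\]+$", re.I)


def parse_md5_sections(scan_text):
    """Return {FILE.SYS: [(md5_upper, path), ...]}; .cab lines carry no hash and are skipped."""
    sections = {}
    entries = None
    for line in scan_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            entries = sections.setdefault(m.group(1).upper(), [])
            continue
        m = ENTRY_RE.search(line)
        if m and entries is not None:
            entries.append((m.group(1).upper(), m.group(2)))
    return sections


def check_reference_hashes(scan_text):
    """Classify each scanned file:
       'match'         the live hash equals some reference copy's hash
       'mismatch'      reference copies exist but none carries the live hash
       'no_reference'  only the live copy exists (nothing to compare, as for nvata.sys)
       'no_live'       no copy in system32 or system32\\drivers at all
    """
    verdicts = {}
    for name, entries in parse_md5_sections(scan_text).items():
        live = {md5 for md5, path in entries if LIVE_RE.match(path)}
        refs = {md5 for md5, path in entries if not LIVE_RE.match(path)}
        if not live:
            verdicts[name] = "no_live"
        elif not refs:
            verdicts[name] = "no_reference"
        elif live & refs:
            verdicts[name] = "match"
        else:
            verdicts[name] = "mismatch"
    return verdicts


if __name__ == "__main__":
    for name, verdict in sorted(check_reference_hashes(SAMPLE_SCAN).items()):
        print("%-12s %s" % (name, verdict))
```

Two caveats when reading the verdicts. A "match" only rules out on-disk patching of that one file; it says nothing about the driver's dispatch table in memory, which is what the TDSSKiller kernel-memory scan in the post checks. And a "mismatch" is compared against every reference copy, not just the oldest one, because an updated driver legitimately differs from the service-pack cache (the SoftwareDistribution copy of atapi.sys above has a different hash from the live file without anything being wrong).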

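In the TDSSKiller log above, nvata is listed twice. The first table has distinct handler addresses in the F5A51xxx range and passes; in the second, every one of the 28 IRP_MJ_* entries points to the single address FD1B1AC8, and that is the table TDSSKiller flags as "infected by TDSS rootkit". The Python below is an added example rather than TDSSKiller's own logic: it parses the "Driver Name:" blocks out of a log in that format and applies two checks that reproduce the observation, a dispatch table whose every slot resolves to one address, and a driver scanned twice whose later table shares no address with the earlier one (the two Disk tables agree, the two nvata tables do not). The sample log is a constructed abbreviation of the one in the post: the addresses are the log's, but only four of the 28 slots per driver are kept.

```python
import re

# Constructed abbreviation of the "Scanning Kernel memory" part of the TDSSKiller
# log quoted in the post: real addresses, but only four IRP_MJ_* slots per driver.
SAMPLE_LOG = """\
22:22:05:796 0860 Driver Name: Disk
22:22:05:796 0860 IRP_MJ_CREATE : F5C4EC30
22:22:05:796 0860 IRP_MJ_CREATE_NAMED_PIPE : E0BC2476
22:22:05:796 0860 IRP_MJ_READ : F5C48D9B
22:22:05:796 0860 IRP_MJ_DEVICE_CONTROL : F5C4944D
22:22:05:796 0860 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
22:22:05:796 0860
22:22:05:796 0860 Driver Name: Disk
22:22:05:796 0860 IRP_MJ_CREATE : F5C4EC30
22:22:05:796 0860 IRP_MJ_CREATE_NAMED_PIPE : E0BC2476
22:22:05:796 0860 IRP_MJ_READ : F5C48D9B
22:22:05:796 0860 IRP_MJ_DEVICE_CONTROL : F5C4944D
22:22:05:796 0860 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
22:22:05:796 0860
22:22:05:796 0860 Driver Name: nvata
22:22:05:796 0860 IRP_MJ_CREATE : F5A51894
22:22:05:796 0860 IRP_MJ_CREATE_NAMED_PIPE : F5A51874
22:22:05:796 0860 IRP_MJ_READ : F5A51874
22:22:05:796 0860 IRP_MJ_DEVICE_CONTROL : F5A518AE
22:22:05:828 0860 C:\\WINDOWS\\system32\\DRIVERS\\nvata.sys - Verdict: 1
22:22:05:828 0860
22:22:05:828 0860 Driver Name: nvata
22:22:05:828 0860 IRP_MJ_CREATE : FD1B1AC8
22:22:05:828 0860 IRP_MJ_CREATE_NAMED_PIPE : FD1B1AC8
22:22:05:828 0860 IRP_MJ_READ : FD1B1AC8
22:22:05:828 0860 IRP_MJ_DEVICE_CONTROL : FD1B1AC8
22:22:05:828 0860 Driver "nvata" infected by TDSS rootkit!
22:22:05:828 0860 C:\\WINDOWS\\system32\\DRIVERS\\nvata.sys - Verdict: 1
"""

DRIVER_RE = re.compile(r"Driver Name: (\S+)\s*$")
IRP_RE = re.compile(r"(IRP_MJ_[A-Z_]+) : ([0-9A-Fa-f]{8})")


def parse_dispatch_tables(log_text):
    """Return [(driver_name, {irp_major: address_int}), ...] in log order.

    One tuple per 'Driver Name:' block. TDSSKiller prints the same driver
    object more than once when it reaches it through several devices.
    """
    tables = []
    table = None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            table = {}
            tables.append((m.group(1), table))
            continue
        m = IRP_RE.search(line)
        if m and table is not None:
            table[m.group(1)] = int(m.group(2), 16)
    return tables


def find_hooked_dispatch_tables(tables):
    """Flag dispatch tables that look overwritten rather than filled in by the driver.

    Heuristics, both visible in the quoted log:
      1. every IRP_MJ_* slot resolves to the same address; a real driver separates
         at least create/close from read/write/device-control (disk.sys, atapi.sys
         and the clean nvata table all do);
      2. the same driver name appears again and the later table shares no handler
         address with the earlier one.
    Returns [(driver_name, [reason, ...]), ...] for flagged tables only.
    """
    findings = []
    first_seen = {}
    for name, table in tables:
        addrs = set(table.values())
        reasons = []
        if len(table) >= 2 and len(addrs) == 1:
            reasons.append("all %d IRP_MJ slots -> %08X" % (len(table), next(iter(addrs))))
        earlier = first_seen.setdefault(name, table)
        if earlier is not table and addrs.isdisjoint(earlier.values()):
            reasons.append("no handler address in common with the earlier %s table" % name)
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in find_hooked_dispatch_tables(parse_dispatch_tables(SAMPLE_LOG)):
        print("%s: %s" % (name, "; ".join(reasons)))
```

The second heuristic is the more robust of the two: a hooked table could in principle keep a few genuine entries to look less uniform, but it cannot also agree with the clean copy of the same driver object dumped earlier in the same scan. Both checks read only what the log records; they do not know the driver's image range, so an address that merely lies outside it is not something this script can decide on its own.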


#2 Blade81 (Malware Response Team, Finland)

Posted 29 April 2010 - 12:49 AM

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double-click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

---

Download GMER here by clicking the download exe button and then saving it to your desktop:
  • Double-click the .exe that you downloaded.
  • Click the Rootkit tab, uncheck the Files option and then click Scan.
  • Don't check the Show All box while scanning is in progress!
  • When scanning is ready, click Copy. This copies the log to the clipboard.
  • Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply.

Microsoft Windows Insider MVP 2016-2017
Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#3 evilbobster (Topic Starter)

Posted 03 May 2010 - 05:21 AM

Hi,

My computer crashed and Windows was reinstalled.

Thanks for replying though.

#4 Blade81 (Malware Response Team, Finland)

Posted 03 May 2010 - 08:16 AM

Ok. Thanks for letting us know. Shall close the topic now.





