Still infected after SAS MBAM RKILL etc.



#1 stolkin


Posted 08 June 2010 - 07:04 AM

Summary: My son's computer is still infected even after I have tried to remove
it using: SAS (Super Anti-Spyware), MBAM (MalwareBytes Anti-malware),
RKILL, COMBOFIX, etc.

Systems summary: Windows XP SP3. Originally I was running Avira anti-virus
version 9, but in the middle of the counter attack I upgraded to version 10.
One thing that bothers me about Avira is that I cannot seem to disable it
without uninstalling it. Several of the tools say to disable antivirus while
they scan. Also running Windows Defender, and Updates are set to Automatic.

Symptoms: The original symptom was a slow computer. My son noticed a popup
from one of the fake antivirus programs. I found many thousands of porn files
under his content.ie5 folder. I began to counter attack using advice on
bleepingcomputer.com including running SAS (Super Anti-Spyware), MBAM
(MalwareBytes Anti-malware), RKILL, COMBOFIX, etc. They reported various
problems and I always chose to remove all the identified problems.

I never got GMER to successfully complete. At one point I saw that the GMER
screen had about 20 lines of output. The next time I looked at it the last
dozen lines were not there anymore and there was a popup saying "The scan was
stopped". But it was not stopped by me!

Two tools show there is still some infection. In the HijackThis.log I found
this line.

O23 - Service: QUKHGEJP - Unknown owner - C:\DOCUME~1\Steve\LOCALS~1\Temp\QUKHGEJP.exe (file missing)

I chose to delete it, and it went away, and the next hijackthis scan after a
reboot did not show anything like it. See complete log below.

But a later scan with OTL (Old Timer's Log) shows that same random file name,
and a bunch more like it, in Win32 Services section, preceded by this:
"SRV - File not found [Disabled | Stopped] -- -- "

========== Win32 Services (All) ==========

SRV - File not found [Disabled | Stopped] -- -- (WCP)
SRV - File not found [Disabled | Stopped] -- -- (QUKHGEJP)
SRV - File not found [Disabled | Stopped] -- -- (LVLAPMFG)
SRV - File not found [Disabled | Stopped] -- -- (KFRVT)
SRV - File not found [Disabled | Stopped] -- -- (DZFZWBNS)
SRV - File not found [Disabled | Stopped] -- -- (CHZSLLKXG)

Because I turned on all the OTL features the log file size is too large to
upload all at once. I have uploaded the first part of it, in OTL_first_part.txt and the last part in otl_last_part.txt
but there was not enough space for the middle part.

I ran rootrepeal.exe and have its log also.

I ran dds.scr and have its log also.

What is this infection?

How is it acquired?

How can it be removed?

Thanks, Steve Tolkin stolkin

P.S. I also downloaded sysclean.com and its pattern files yesterday, and started a scan. That is still running twelve hours later. When it completes I plan to delete everything it suggests, and then I can post its log.

Also, I have done most of my work in regular mode, not safe mode, but with the network cable unplugged. Should I be in safe mode?

Also I spent a fair amount of time doing disk defragmentation, because when I first started the system was incredibly slow. I suspected that might be due to the pagefile.sys having over 600 fragments. I used pagedfrg.exe from Sysinternals (now Microsoft), Defraggler, a trial from Paragon, and the built-in defrag utility to eventually reduce this to 3 fragments. Also reduced the MFT from several hundred fragments to about 60.

Edited by stolkin, 08 June 2010 - 07:17 AM.



#2 schrauber

  • Malware Response Team

Posted 11 June 2010 - 02:15 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 stolkin


Posted 13 June 2010 - 09:49 AM

Dear schrauber, Thanks for replying. I have pasted the DDS log below. Unfortunately, as I said, I have never gotten GMER to complete successfully. I have the same problem as was described here http://www.bleepingcomputer.com/forums/lof...hp/t303360.html. I ran GMER in safe mode with a random name for the exe. After it completed (this took more than 24 hours because I have a lot of files, and a lot of zip files with many files inside) I clicked on Save... but it then says: "C:\Documents and Settings\Steve\My Documents is not accessible. Insufficient system resources exist to complete the requested service." After that I pressed Enter a few times and got to a new screen, but then neither the keyboard nor the mouse worked, not even ctrl+alt+delete. So I had to reboot. The fact that GMER has never succeeded is one of the symptoms that makes me think I am still infected. I have zipped the attach.txt into attach_2010-06-12.zip and pasted DDS.txt here:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Steve at 12:38:08.64 on Sat 06/12/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1407 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Steve\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://offers.intermute.com/spysub/wSONYSSEx60331/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mWinlogon: UIHost=c:\windows\system32\logonui.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [SecurDisc] c:\program files\nero\nero 7\incd\NBHGui.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [HKCU] c:\windows\system32\cmd.exe /c start "hkcu updates" /min "c:\program files\current profile updates\hkcu.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\8fvptwxi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://library.minlib.net/patroninfo~S1/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npigl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 FGXSCSI;FGXSCSI;c:\windows\system32\drivers\fgxscsi.sys [2008-11-21 71680]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2010-6-4 40560]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-1 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-1 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-1 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-1 60936]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S0 gudoqdmq;gudoqdmq;c:\windows\system32\drivers\rdugatnw.sys --> c:\windows\system32\drivers\rdugatnw.sys [?]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\steve\locals~1\temp\sas_selfextract\sasdifsv.sys --> c:\docume~1\steve\locals~1\temp\sas_selfextract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\steve\locals~1\temp\sas_selfextract\saskutil.sys --> c:\docume~1\steve\locals~1\temp\sas_selfextract\SASKUTIL.sys [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\nexon\kartrider\gameguard\dump_wmimmc.sys --> c:\nexon\kartrider\gameguard\dump_wmimmc.sys [?]
S3 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [2010-6-6 52736]
S3 SASENUM;SASENUM;\??\c:\docume~1\steve\locals~1\temp\sas_selfextract\sasenum.sys --> c:\docume~1\steve\locals~1\temp\sas_selfextract\SASENUM.SYS [?]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]
S4 CHZSLLKXG;CHZSLLKXG;c:\docume~1\alexto~1\locals~1\temp\chzsllkxg.exe --> c:\docume~1\alexto~1\locals~1\temp\CHZSLLKXG.exe [?]
S4 DZFZWBNS;DZFZWBNS;c:\docume~1\ben\locals~1\temp\dzfzwbns.exe --> c:\docume~1\ben\locals~1\temp\DZFZWBNS.exe [?]
S4 KFRVT;KFRVT;c:\docume~1\ben\locals~1\temp\kfrvt.exe --> c:\docume~1\ben\locals~1\temp\KFRVT.exe [?]
S4 LVLAPMFG;LVLAPMFG;c:\docume~1\alexto~1\locals~1\temp\lvlapmfg.exe --> c:\docume~1\alexto~1\locals~1\temp\LVLAPMFG.exe [?]
S4 QUKHGEJP;QUKHGEJP;c:\docume~1\steve\locals~1\temp\qukhgejp.exe --> c:\docume~1\steve\locals~1\temp\QUKHGEJP.exe [?]
S4 WCP;WCP;c:\docume~1\ben\locals~1\temp\wcp.exe --> c:\docume~1\ben\locals~1\temp\WCP.exe [?]

=============== Created Last 30 ================

2010-06-06 22:00:56 52736 ----a-w- c:\windows\system32\drivers\rk_remover.sys
2010-06-05 01:25:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Paragon
2010-06-05 01:24:16 0 d-----w- c:\docume~1\alluse~1\applic~1\explauncher
2010-06-05 01:24:03 0 d-----w- c:\docume~1\alluse~1\applic~1\launcher
2010-06-05 01:20:24 40560 ----a-w- c:\windows\system32\drivers\hotcore3.sys
2010-06-05 01:19:47 0 d-----w- c:\program files\Paragon Software
2010-06-05 00:28:05 0 d-----w- c:\program files\Speccy
2010-06-04 23:42:30 0 d-----w- c:\program files\Defraggler
2010-06-04 23:21:45 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2010-06-04 23:14:51 0 d-----w- C:\apps
2010-06-04 00:13:14 0 d-----w- c:\docume~1\steve\applic~1\SUPERAntiSpyware.com
2010-06-04 00:13:14 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-06-03 10:49:42 0 d-----w- c:\windows\system32\NtmsData
2010-06-03 10:40:52 215920 ----a-w- c:\windows\system32\muweb.dll
2010-06-03 04:23:49 0 d-sha-r- C:\cmdcons
2010-06-03 04:15:25 77312 ----a-w- c:\windows\MBR.exe
2010-06-03 04:15:25 256512 ----a-w- c:\windows\PEV.exe
2010-06-03 03:44:08 0 ----a-w- c:\windows\system32\FWZ
2010-06-03 03:42:46 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-03 03:06:25 0 d-----w- c:\docume~1\steve\applic~1\Avira
2010-06-03 02:54:38 14413275 ----a-w- c:\windows\system32\AGAAT
2010-06-03 02:13:22 0 d-----w- c:\docume~1\steve\applic~1\Malwarebytes
2010-06-03 02:08:25 388608 ----a-w- C:\HijackThis.exe
2010-06-02 20:29:23 767952 ----a-w- c:\windows\BDTSupport.dll0631.old
2010-06-02 20:29:23 149456 ----a-w- c:\windows\SGDetectionTool.dll0631.old
2010-06-02 20:29:22 1640400 ----a-w- c:\windows\PCTBDCore.dll0623.old
2010-06-02 20:28:53 0 d-----w- c:\program files\Spyware Doctor
2010-05-31 22:34:00 0 ----a-w- c:\windows\system32\GPAWTU
2010-05-31 22:25:56 0 ----a-w- c:\windows\system32\QSUAP
2010-05-29 15:11:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-29 15:11:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-29 15:11:29 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-27 01:55:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-14 05:08:33 0 d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2010-05-14 05:08:17 600680 ----a-w- c:\windows\system32\nvuninst.exe
2010-05-14 05:08:15 0 d-----w- c:\program files\NVIDIA Corporation
2010-05-14 05:06:20 9046 ----a-w- c:\windows\system32\nvinfo.pb
2010-05-14 05:06:19 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-05-14 05:06:17 2646632 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-05-14 05:06:17 2030184 ----a-w- c:\windows\system32\nvcuvid.dll
2010-05-14 05:06:16 4075520 ----a-w- c:\windows\system32\nvcuda.dll
2010-05-14 05:06:16 2183470 ----a-w- c:\windows\system32\nvdata.bin
2010-05-14 05:06:16 11647592 ----a-w- c:\windows\system32\nvcompiler.dll
2010-05-14 05:06:16 1097728 ----a-w- c:\windows\system32\nvapi.dll
2010-05-14 05:06:01 0 d-----w- C:\NVIDIA
2010-05-14 05:01:25 0 d-----w- c:\program files\SystemRequirementsLab

==================== Find3M ====================

2010-06-12 16:34:42 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-06-12 16:34:39 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-05-12 15:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 17:20:39 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20:34 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20:32 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-03 23:23:18 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-03 23:23:16 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-03 23:23:16 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-03 23:23:16 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 23:23:16 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 23:22:54 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-04-03 22:55:31 6432128 ----a-w- c:\windows\system32\nv4_disp.dll
2010-04-03 22:55:31 600680 ----a-w- c:\windows\system32\nvudisp.exe
2010-04-03 22:55:31 227944 ----a-w- c:\windows\system32\nvcodins.dll
2010-04-03 22:55:31 227944 ----a-w- c:\windows\system32\nvcod.dll
2010-04-03 22:55:31 14757888 ----a-w- c:\windows\system32\nvoglnt.dll
2006-06-06 21:36:40 3001 ----a-r- c:\program files\GammaBrosInfo.txt
2000-04-10 15:02:58 3355 ----a-w- c:\program files\Readme.txt
2000-04-05 23:32:28 379 ----a-w- c:\program files\Setup.inf
1999-11-27 08:47:22 196368 ----a-w- c:\program files\dsetup32.dll
1999-09-08 11:51:16 40208 ----a-w- c:\program files\dsetup.dll
2008-06-26 07:32:45 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008062620080627\index.dat

============= FINISH: 12:38:55.90 ===============
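A small triage helper, added here as an example and not part of this thread or of the DDS/OTL tools, that parses service lines in the two formats quoted in this thread (the OTL "SRV - File not found" excerpt in the first post and the DDS "SERVICES / DRIVERS" section above) and flags entries whose binary sits in a user Temp directory or is missing under a random-looking name, which is what the QUKHGEJP, WCP and similar entries show. The sample lines are constructed from those excerpts; the vowel-ratio name check is a weak heuristic and only a prompt for a human reviewer, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample in the two formats quoted in this thread (not the full logs):
# DDS "SERVICES / DRIVERS" lines and OTL "Win32 Services" lines.
SAMPLE_LOG = r"""
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-1 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-1-1 60936]
S0 gudoqdmq;gudoqdmq;c:\windows\system32\drivers\rdugatnw.sys --> c:\windows\system32\drivers\rdugatnw.sys [?]
S3 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [2010-6-6 52736]
S4 QUKHGEJP;QUKHGEJP;c:\docume~1\steve\locals~1\temp\qukhgejp.exe --> c:\docume~1\steve\locals~1\temp\QUKHGEJP.exe [?]
S4 WCP;WCP;c:\docume~1\ben\locals~1\temp\wcp.exe --> c:\docume~1\ben\locals~1\temp\WCP.exe [?]
SRV - File not found [Disabled | Stopped] -- -- (LVLAPMFG)
SRV - File not found [Disabled | Stopped] -- -- (WCP)
"""

# DDS: "<R|S><0-4> name;display;image path [date size]", or "... path --> path [?]" when missing.
DDS_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.+)$")
# OTL: "SRV - File not found [Disabled | Stopped] -- -- (NAME)"
OTL_RE = re.compile(r"^SRV - File not found \[([^\]]*)\] -- -- \((\S+)\)$")
# Per-user temporary directories in 8.3 and long form (matched against the lowercased path).
USER_TEMP_RE = re.compile(r"\\(locals~1|local settings)\\temp\\")
VOWELS = set("aeiouy")


@dataclass
class Finding:
    name: str
    path: Optional[str]
    sources: Set[str] = field(default_factory=set)
    reasons: Set[str] = field(default_factory=set)


def looks_random(name: str) -> bool:
    """Weak heuristic: letters only, short, and almost no vowels (KFRVT, DZFZWBNS, ...)."""
    if not name.isalpha() or not 3 <= len(name) <= 12:
        return False
    vowels = sum(1 for c in name.lower() if c in VOWELS)
    return vowels / len(name) <= 0.25


def parse_line(line: str):
    """Return (source, name, path, missing) for a DDS or OTL service line, else None."""
    m = DDS_RE.match(line)
    if m:
        name, rest = m.group(3), m.group(5)
        missing = rest.endswith("[?]")
        if " --> " in rest:  # DDS repeats the path when it cannot stat the file
            rest = rest.split(" --> ", 1)[1]
        path = rest.rsplit(" [", 1)[0]  # strip the trailing "[date size]" or "[?]"
        return "DDS", name, path, missing
    m = OTL_RE.match(line)
    if m:
        return "OTL", m.group(2), None, True
    return None


def triage(log_text: str) -> Dict[str, Finding]:
    """Flag service entries a helper would want to look at, keyed by upper-cased name."""
    findings: Dict[str, Finding] = {}
    for raw in log_text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        source, name, path, missing = parsed
        reasons = set()
        if path and USER_TEMP_RE.search(path.lower()):
            reasons.add("binary in a user Temp directory")
        if missing and looks_random(name):
            reasons.add("binary missing and service name looks random")
        if not reasons:
            continue
        f = findings.setdefault(name.upper(), Finding(name=name, path=path))
        f.sources.add(source)
        f.reasons |= reasons
        if path and f.path is None:  # OTL lines carry no path; fill it from DDS if seen later
            f.path = path
    return findings


if __name__ == "__main__":
    for key, f in sorted(triage(SAMPLE_LOG).items()):
        print(f"{key:10} {sorted(f.sources)} {f.path or '(no path)'}: {'; '.join(sorted(f.reasons))}")
```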







#4 schrauber


Posted 14 June 2010 - 02:57 PM

Hello, stolkin
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 4-5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.





Please go here and have a look at how you can disable your security software.

Download Combofix from any of the links below but rename it to before saving it to your desktop.

Link 1
Link 2



--------------------------------------------------------------------

Double click on the renamed Combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#5 stolkin

  • Topic Starter
  • Members
  • 21 posts
  • OFFLINE
  • Local time:08:36 AM

Posted 14 June 2010 - 06:03 PM

I downloaded combofix.exe from link1 and renamed it to schrauber.exe and saved it to my desktop and ran it. It (or something) stopped the taskmgr window that had been running. It said something about trying to create a restore point. (I already had the recovery console installed.) I see on the screen Completed Stage_1 through Completed Stage_5. Unfortunately then it, or a subprocess, crashed! Is that a problem? There is a pop up box that says in the title bar: PEV.exe application error
and in the body: The instruction at "0x0050005c" referenced memory at "0x0050005c". The memory could not be "read".
However, to my surprise the main code kept running and I now see it is up to Completed Stage_50. Then the popup error box about PEV was taken down, and it now says "Preparing Log Report. Do not run any programs until ComboFix has finished". When its report file is ready I will add that.


#6 stolkin

  • Topic Starter
  • Members
  • 21 posts
  • OFFLINE
  • Local time:08:36 AM

Posted 14 June 2010 - 06:19 PM

The file it created was just named log.txt, not combofix.txt. I have pasted it here:


ComboFix 10-06-14.02 - Steve 06/14/2010 18:53:17.2.2 - x86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1731 [GMT -4:00]
Running from: c:\documents and settings\Steve\Desktop\schrauber.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-05-14 to 2010-06-14 )))))))))))))))))))))))))))))))
.

2010-06-06 22:00 . 2010-06-06 22:08 52736 ----a-w- c:\windows\system32\drivers\rk_remover.sys
2010-06-05 01:25 . 2010-06-05 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Paragon
2010-06-05 01:24 . 2010-06-05 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\explauncher
2010-06-05 01:24 . 2010-06-05 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\launcher
2010-06-05 01:20 . 2010-01-15 16:54 40560 ----a-w- c:\windows\system32\drivers\hotcore3.sys
2010-06-05 01:19 . 2010-06-05 01:19 -------- d-----w- c:\program files\Paragon Software
2010-06-05 00:32 . 2010-06-05 00:32 -------- d-----w- c:\program files\Recuva
2010-06-05 00:28 . 2010-06-05 00:28 -------- d-----w- c:\program files\Speccy
2010-06-04 23:42 . 2010-06-04 23:42 -------- d-----w- c:\program files\Defraggler
2010-06-04 23:21 . 2010-06-05 16:10 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2010-06-04 23:14 . 2010-06-13 23:37 -------- d-----w- C:\apps
2010-06-04 04:22 . 2010-06-04 04:22 -------- d-----w- c:\documents and settings\Ben\Application Data\SUPERAntiSpyware.com
2010-06-04 03:57 . 2010-06-04 03:57 -------- d-----w- c:\documents and settings\Ben\Application Data\Avira
2010-06-04 01:09 . 2010-06-04 01:09 -------- d-----w- c:\documents and settings\Steve\Local Settings\Application Data\Threat Expert
2010-06-04 00:13 . 2010-06-04 00:13 -------- d-----w- c:\documents and settings\Steve\Application Data\SUPERAntiSpyware.com
2010-06-04 00:13 . 2010-06-04 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-03 10:49 . 2010-06-06 13:48 -------- d-----w- c:\windows\system32\NtmsData
2010-06-03 10:40 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-06-03 03:42 . 2010-06-03 03:42 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-03 03:37 . 2010-06-05 15:59 -------- d-----w- c:\documents and settings\Steve\Application Data\Skype
2010-06-03 03:06 . 2010-06-03 03:06 -------- d-----w- c:\documents and settings\Steve\Application Data\Avira
2010-06-03 02:13 . 2010-06-03 02:13 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
2010-06-03 02:08 . 2010-05-31 22:08 388608 ----a-w- C:\HijackThis.exe
2010-06-02 20:28 . 2010-06-04 01:45 -------- d-----w- c:\program files\Spyware Doctor
2010-06-02 14:57 . 2010-06-06 02:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-29 15:11 . 2010-05-29 15:11 -------- d-----w- c:\documents and settings\Ben\Application Data\Malwarebytes
2010-05-29 15:11 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-29 15:11 . 2010-05-29 15:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-29 15:11 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-27 01:55 . 2010-05-27 01:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-26 02:28 . 2010-05-29 15:24 -------- d-----w- c:\documents and settings\Ben\Local Settings\Application Data\nqfcrqavn
2010-05-16 23:34 . 2010-05-26 02:36 -------- d-----w- c:\documents and settings\Ben\Application Data\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-13 13:43 . 2009-12-25 18:31 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-06-12 16:34 . 2009-12-25 18:33 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-06-11 00:32 . 2008-06-03 18:29 -------- d-----w- c:\program files\Games
2010-06-11 00:29 . 2008-09-12 21:26 -------- d-----w- c:\program files\BAD_Bonjour
2010-06-06 14:25 . 2006-01-22 15:37 55840 ----a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-05 16:07 . 2008-08-16 20:31 -------- d-----w- c:\program files\PeerGuardian2
2010-06-05 16:05 . 2008-03-24 22:12 -------- d-----w- c:\program files\DSP-worx
2010-06-05 16:04 . 2005-04-26 02:59 -------- d-----w- c:\program files\Sony
2010-06-05 15:58 . 2005-04-26 02:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-04 11:12 . 2008-08-16 23:33 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 02:38 . 2009-10-09 02:20 -------- d-----w- c:\documents and settings\Ben\Application Data\Dropbox
2010-06-04 01:45 . 2006-03-14 04:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-04 01:43 . 2009-04-20 05:23 -------- d-----w- c:\program files\CCleaner
2010-06-04 01:40 . 2006-03-14 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-04 01:40 . 2006-01-14 01:45 -------- d-----w- c:\program files\SpywareBlaster
2010-06-03 03:43 . 2005-04-26 02:58 -------- d-----w- c:\program files\Common Files\Java
2010-06-03 03:37 . 2009-12-25 18:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-06-03 03:35 . 2006-01-14 17:11 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-06-03 03:21 . 2005-12-07 04:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-03 03:20 . 2005-12-07 04:03 -------- d-----w- c:\program files\Symantec
2010-06-03 03:20 . 2005-12-07 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-31 14:31 . 2008-06-05 02:38 -------- d-----w- c:\program files\Rainmeter
2010-05-31 14:29 . 2006-01-20 00:12 -------- d-----w- c:\program files\Canon
2010-05-31 14:28 . 2006-10-01 20:37 -------- d-----w- c:\program files\Apple Software Update
2010-05-14 05:15 . 2010-05-14 05:08 -------- d-----w- c:\program files\NVIDIA Corporation
2010-05-14 05:08 . 2010-05-14 05:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-05-14 05:01 . 2010-05-14 05:01 -------- d-----w- c:\program files\SystemRequirementsLab
2010-05-14 05:01 . 2010-05-14 05:01 -------- d-----w- c:\documents and settings\Ben\Application Data\SystemRequirementsLab
2010-05-12 15:21 . 2009-10-03 06:05 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 17:20 . 2005-04-26 02:17 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2005-04-26 02:17 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2005-04-26 02:16 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2005-04-26 02:17 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-24 20:26 . 2005-04-26 23:33 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-20 05:30 . 2005-04-26 02:16 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-03 23:23 . 2010-04-03 23:23 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-03 23:23 . 2010-04-03 23:23 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-03 23:23 . 2010-04-03 23:23 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-03 23:23 . 2010-04-03 23:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 23:23 . 2010-04-03 23:23 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 23:22 . 2010-04-03 23:22 81920 ----a-w- c:\windows\system32\nvwddi.dll
2006-06-06 21:36 . 2006-06-06 21:36 3001 ----a-r- c:\program files\GammaBrosInfo.txt
2000-04-10 15:02 . 2007-09-20 20:56 3355 ----a-w- c:\program files\Readme.txt
2000-04-05 23:32 . 2007-09-20 20:56 379 ----a-w- c:\program files\Setup.inf
1999-11-27 08:47 . 2007-09-20 20:56 196368 ----a-w- c:\program files\dsetup32.dll
1999-09-08 11:51 . 2007-09-20 20:56 40208 ----a-w- c:\program files\dsetup.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKCU"="Start HKCU Updates" [X]
"Logitech Utility"="Logi_MwX.Exe" [2004-10-18 19968]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 1629480]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Alex Tolkin^Start Menu^Programs^Startup^Robin Hood Update.lnk]
path=c:\documents and settings\Alex Tolkin\Start Menu\Programs\Startup\Robin Hood Update.lnk
backup=c:\windows\pss\Robin Hood Update.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
backup=c:\windows\pss\Personal Coach.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
backup=c:\windows\pss\Run Google Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-04-12 08:10 65536 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2005-04-07 01:53 2805248 ----a-w- c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-03-23 04:05 339968 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 17:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-08-13 00:45 61952 ----a-w- c:\windows\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2005-03-09 17:29 139264 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LgWDskTp]
2004-10-27 17:37 65536 ----a-w- c:\program files\Wireless Desktop\LgWDskTp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
2004-10-18 22:05 19968 ----a-w- c:\windows\Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder]
2005-11-06 02:25 101064 ----a-w- c:\program files\Microsoft Location Finder\LocationFinder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-04-03 23:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
2007-09-02 17:58 495616 ----a-w- c:\program files\RocketDock\RocketDock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-04-07 01:57 90112 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2005-01-25 03:58 81920 ----a-w- c:\progra~1\Sony\SONICS~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-07-14 05:30 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
2003-04-20 04:08 28672 ----a-w- c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
2005-01-14 20:43 151552 ----a-w- c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-03 23:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Sony\\VAIO Media 4.0\\Vc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:*:Disabled:Bittorrent
"6882:TCP"= 6882:TCP:*:Disabled:Bit2
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 FGXSCSI;FGXSCSI;c:\windows\system32\drivers\fgxscsi.sys [11/21/2008 6:45 PM 71680]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [6/4/2010 9:20 PM 40560]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S0 gudoqdmq;gudoqdmq;c:\windows\system32\drivers\rdugatnw.sys --> c:\windows\system32\drivers\rdugatnw.sys [?]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Steve\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Steve\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Steve\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> c:\docume~1\Steve\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/1/2010 4:36 PM 135336]
S2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\nexon\KartRider\GameGuard\dump_wmimmc.sys --> c:\nexon\KartRider\GameGuard\dump_wmimmc.sys [?]
S3 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [6/6/2010 6:00 PM 52736]
S3 SASENUM;SASENUM;\??\c:\docume~1\Steve\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\docume~1\Steve\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
S4 CHZSLLKXG;CHZSLLKXG;c:\docume~1\ALEXTO~1\LOCALS~1\Temp\CHZSLLKXG.exe --> c:\docume~1\ALEXTO~1\LOCALS~1\Temp\CHZSLLKXG.exe [?]
S4 DZFZWBNS;DZFZWBNS;c:\docume~1\Ben\LOCALS~1\Temp\DZFZWBNS.exe --> c:\docume~1\Ben\LOCALS~1\Temp\DZFZWBNS.exe [?]
S4 KFRVT;KFRVT;c:\docume~1\Ben\LOCALS~1\Temp\KFRVT.exe --> c:\docume~1\Ben\LOCALS~1\Temp\KFRVT.exe [?]
S4 LVLAPMFG;LVLAPMFG;c:\docume~1\ALEXTO~1\LOCALS~1\Temp\LVLAPMFG.exe --> c:\docume~1\ALEXTO~1\LOCALS~1\Temp\LVLAPMFG.exe [?]
S4 QUKHGEJP;QUKHGEJP;c:\docume~1\Steve\LOCALS~1\Temp\QUKHGEJP.exe --> c:\docume~1\Steve\LOCALS~1\Temp\QUKHGEJP.exe [?]
S4 WCP;WCP;c:\docume~1\Ben\LOCALS~1\Temp\WCP.exe --> c:\docume~1\Ben\LOCALS~1\Temp\WCP.exe [?]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMD23
*Deregistered* - klmd23

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 21:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-06-14 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://offers.intermute.com/spysub/wSONYSSEx60331/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\8fvptwxi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://library.minlib.net/patroninfo~S1/
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-DirectVobSub - c:\program files\DirectVobSub\uninstall.exe
AddRemove-IL Download Manager - c:\program files\Image-Line\Downloader\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-14 18:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Adobe\Premiere Std\7.0\DefaultPreset]
@DACL=(02 0000)
@SACL=
@="c:\\Program Files\\Adobe\\Premiere Standard\\Settings\\DV - NTSC\\Standard 48kHz.prpreset"

[HKEY_LOCAL_MACHINE\software\Adobe\Premiere Std\7.0\Help]
@DACL=(02 0000)
@SACL=
"AdobeMediaEncoder"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\1_0_0_0.html"
"Contents"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\1_0_0_0.html"
"ExportToDVD"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\1_13_2_0.html"
"HowToUse"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\0_0_0_0.html"
"Keyboard"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\1_4_15_0.html"
"Search"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\search.html"
"Support"="http://www.adobe.com/support/products/premiere.html"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1500)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-06-14 19:06:21
ComboFix-quarantined-files.txt 2010-06-14 23:06

Pre-Run: 138,117,693,440 bytes free
Post-Run: 138,361,462,784 bytes free

- - End Of File - - DE54A1F7493B60DEA3F69F2D18206578

Edited by stolkin, 14 June 2010 - 08:34 PM.


#7 stolkin

  • Topic Starter
  • Members
  • 21 posts
  • OFFLINE
  • Local time:08:36 AM

Posted 14 June 2010 - 08:37 PM

I made bold some lines in the ComboFix log that look suspicious. These also showed up in the OTL log (which I attached to the original post). One reason I am suspicious is that earlier I ran CCleaner and other tools that should have deleted everything from the Temp folder. What are these? Are they part of the problem?
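The "what are these?" question above is the kind of triage a helper does by eye on the services section of a ComboFix log. As an added example that is not part of the thread, here is that triage in Python: it parses lines in the shape of the services block above (several copied from the posted log) and flags entries that combine the usual cues (image under a Temp folder, file missing on disk, random-looking name). The "two or more cues" threshold and the name heuristic are my own assumptions, not a ComboFix feature.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: service/driver lines copied in shape from the ComboFix log
# posted above. First letter: R = running, S = stopped; the digit is the
# registry Start value (0 = boot, 2 = auto, 3 = manual, 4 = disabled).
# "[?]" at the end means ComboFix found the registration but not the file.
SAMPLE_LOG = r"""
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [6/4/2010 9:20 PM 40560]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S0 gudoqdmq;gudoqdmq;c:\windows\system32\drivers\rdugatnw.sys --> c:\windows\system32\drivers\rdugatnw.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Steve\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Steve\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/1/2010 4:36 PM 135336]
S4 CHZSLLKXG;CHZSLLKXG;c:\docume~1\ALEXTO~1\LOCALS~1\Temp\CHZSLLKXG.exe --> c:\docume~1\ALEXTO~1\LOCALS~1\Temp\CHZSLLKXG.exe [?]
S4 WCP;WCP;c:\docume~1\Ben\LOCALS~1\Temp\WCP.exe --> c:\docume~1\Ben\LOCALS~1\Temp\WCP.exe [?]
"""

# <state><start> <name>;<display>;<path>[ --> <resolved>] [<date size> | ?]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) "
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?: --> (?P<resolved>.+?))? \[(?P<info>[^\]]*)\]$"
)


@dataclass
class Finding:
    name: str
    path: str
    reasons: List[str] = field(default_factory=list)


def parse_services(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per service line; lines of any other shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage(entries: List[Dict[str, Optional[str]]]) -> List[Finding]:
    """Flag entries that combine at least two of the cues a helper looks for.
    None of the cues proves malice alone (assumed threshold, see lead-in)."""
    findings = []
    for e in entries:
        name, display, path, info = e["name"], e["display"], e["path"], e["info"]
        reasons = []
        # Legitimate software rarely registers a service whose image lives in
        # a user's Temp folder; cleanup tools normally empty Temp anyway.
        if re.search(r"\\temp\\", path, re.IGNORECASE):
            reasons.append("image path is under a Temp directory")
        # Registration present but file absent: leftover junk, or a file the
        # scanner could not see.
        if info == "?":
            reasons.append("file not found on disk ([?])")
        # Real services carry a descriptive display name; the same bare
        # single-case token in both fields looks machine-generated.
        if name == display and name.isalpha() and (name.isupper() or name.islower()):
            reasons.append("name and display name are the same random-looking token")
        if len(reasons) >= 2:
            findings.append(Finding(name, path, reasons))
    return findings


def main() -> None:
    for f in triage(parse_services(SAMPLE_LOG)):
        print(f"{f.name}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")


if __name__ == "__main__":
    main()
```

Note that SASDIFSV is flagged too: it is the SUPERAntiSpyware driver that the poster ran from a self-extracting archive in Temp, so the output is a list to review, not a list to delete.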

#8 schrauber

  • Mr.Mechanic
  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:36 PM

Posted 16 June 2010 - 11:21 AM

The bolded lines have to go :)

But first, did you run the scan in safe mode? Aren't you able to run it in normal mode?
regards,
schrauber


#9 stolkin

  • Topic Starter
  • Members
  • 21 posts
  • OFFLINE
  • Local time:08:36 AM

Posted 16 June 2010 - 06:45 PM

I did run that scan in safe mode. Do you want me to also run it in normal mode? Nothing to lose -- so I'll start that running now. What exactly do you mean by the bolded lines have to go? I assume there is a way to remove those things. How? And what are they? And what is this malware? And why did GMER.exe fail when I tried to save the log file?

When I ran combofix in ordinary (not safe) mode it says:
Title bar: Version_10-06-02.02
Body: Current date is 2010-06-16. ComboFix has expired
Click 'yes' to Run in REDUCED FUNCTIONALITY mode.
Click 'no' to exit.

What should I do?
OK I tried running in REDUCED FUNCTIONALITY mode -- but it seemed to do nothing.

Edited by stolkin, 16 June 2010 - 07:29 PM.


#10 schrauber

  • Mr.Mechanic
  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:36 PM

Posted 19 June 2010 - 06:57 AM

I will take out the malware lines, but first please delete Combofix from the desktop, download a fresh one and run it in normal mode, post back with the logfile.
regards,
schrauber


#11 stolkin

  • Topic Starter
  • Members
  • 21 posts
  • OFFLINE
  • Local time:08:36 AM

Posted 19 June 2010 - 10:01 AM

I downloaded a new combofix this morning June 19. In normal mode it ran for a while and then in a full size DOS box said:
Invalid System Disk
Replace the disk, and then press any key

When I pressed any key it repeated the above message.


#12 schrauber

  • Mr.Mechanic
  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:36 PM

Posted 19 June 2010 - 02:13 PM

Ok, please do this:

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

regards,
schrauber


#13 stolkin

  • Topic Starter
  • Members
  • 21 posts
  • OFFLINE
  • Local time:08:36 AM

Posted 19 June 2010 - 05:21 PM

When I went to run tdsskiller the system started up with a box saying combofix was running and not to run anything else. It ran for a few minutes and then produced a log which I have pasted below. Because this was after a reboot of some kind, antivirus (Avira) was turned back on.

Also, when I followed your instructions exactly about running tdsskiller, it did not seem to work. Perhaps tdsskiller started but when I looked using ctrl+alt+del it was not in the list of processes. Also when you said -| (dash pipe) did you really mean > (greater than sign)? Also is the -v for verbose?
What I did was go to a DOS box, cd to my desktop folder, and then typed in
tdsskiller -v > c:\tdsskiller19.txt

As I am entering this Tdsskiller is still running, about 10 minutes later. I'll enter that log when it finishes. I am running in normal mode with antivirus turned OFF.

DAMN! I did not type in the full path to combofix -- so it is running a slightly older one in my c:\apps folder. But I do not want to start running the latest version until tdsskiller finishes.

Here is the combofix log (from a slightly old combofix.exe renamed to schrauber.exe):

ComboFix 10-06-18.03 - Steve 06/19/2010 10:37:03.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1469 [GMT -4:00]
Running from: c:\apps\schrauber.exe
Command switches used :: schrauber.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2010-05-19 to 2010-06-19 )))))))))))))))))))))))))))))))
.

2010-06-06 22:00 . 2010-06-06 22:08 52736 ----a-w- c:\windows\system32\drivers\rk_remover.sys
2010-06-05 01:25 . 2010-06-05 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Paragon
2010-06-05 01:24 . 2010-06-05 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\explauncher
2010-06-05 01:24 . 2010-06-05 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\launcher
2010-06-05 01:20 . 2010-01-15 16:54 40560 ----a-w- c:\windows\system32\drivers\hotcore3.sys
2010-06-05 01:19 . 2010-06-05 01:19 -------- d-----w- c:\program files\Paragon Software
2010-06-05 00:32 . 2010-06-05 00:32 -------- d-----w- c:\program files\Recuva
2010-06-05 00:28 . 2010-06-05 00:28 -------- d-----w- c:\program files\Speccy
2010-06-04 23:42 . 2010-06-04 23:42 -------- d-----w- c:\program files\Defraggler
2010-06-04 23:21 . 2010-06-05 16:10 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2010-06-04 23:14 . 2010-06-19 14:33 -------- d-----w- C:\apps
2010-06-04 04:22 . 2010-06-04 04:22 -------- d-----w- c:\documents and settings\Ben\Application Data\SUPERAntiSpyware.com
2010-06-04 03:57 . 2010-06-04 03:57 -------- d-----w- c:\documents and settings\Ben\Application Data\Avira
2010-06-04 02:42 . 2010-06-04 02:42 61440 ----a-w- c:\documents and settings\Ben\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3f58e758-n\decora-sse.dll
2010-06-04 02:42 . 2010-06-04 02:42 503808 ----a-w- c:\documents and settings\Ben\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17ef3596-n\msvcp71.dll
2010-06-04 02:42 . 2010-06-04 02:42 499712 ----a-w- c:\documents and settings\Ben\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17ef3596-n\jmc.dll
2010-06-04 02:42 . 2010-06-04 02:42 348160 ----a-w- c:\documents and settings\Ben\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17ef3596-n\msvcr71.dll
2010-06-04 02:42 . 2010-06-04 02:42 12800 ----a-w- c:\documents and settings\Ben\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3f58e758-n\decora-d3d.dll
2010-06-04 01:09 . 2010-06-04 01:09 -------- d-----w- c:\documents and settings\Steve\Local Settings\Application Data\Threat Expert
2010-06-04 00:13 . 2010-06-04 00:13 -------- d-----w- c:\documents and settings\Steve\Application Data\SUPERAntiSpyware.com
2010-06-04 00:13 . 2010-06-04 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-03 10:49 . 2010-06-06 13:48 -------- d-----w- c:\windows\system32\NtmsData
2010-06-03 10:40 . 2009-08-06 23:23 215920 ----a-w- c:\windows\system32\muweb.dll
2010-06-03 03:42 . 2010-06-03 03:42 61440 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1a7bfa83-n\decora-sse.dll
2010-06-03 03:42 . 2010-06-03 03:42 503808 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17f52f90-n\msvcp71.dll
2010-06-03 03:42 . 2010-06-03 03:42 499712 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17f52f90-n\jmc.dll
2010-06-03 03:42 . 2010-06-03 03:42 348160 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-17f52f90-n\msvcr71.dll
2010-06-03 03:42 . 2010-06-03 03:42 12800 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-1a7bfa83-n\decora-d3d.dll
2010-06-03 03:42 . 2010-06-03 03:42 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-03 03:39 . 2010-06-03 03:39 79488 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\jre1.6.0_20\gtapi.dll
2010-06-03 03:39 . 2010-06-03 03:39 152576 ----a-w- c:\documents and settings\Steve\Application Data\Sun\Java\jre1.6.0_20\lzma.dll
2010-06-03 03:37 . 2010-06-05 15:59 -------- d-----w- c:\documents and settings\Steve\Application Data\Skype
2010-06-03 03:06 . 2010-06-03 03:06 -------- d-----w- c:\documents and settings\Steve\Application Data\Avira
2010-06-03 02:13 . 2010-06-03 02:13 -------- d-----w- c:\documents and settings\Steve\Application Data\Malwarebytes
2010-06-03 02:08 . 2010-05-31 22:08 388608 ----a-w- C:\HijackThis.exe
2010-06-02 20:28 . 2010-06-04 01:45 -------- d-----w- c:\program files\Spyware Doctor
2010-06-02 14:57 . 2010-06-06 02:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-29 15:49 . 2010-05-29 15:49 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2010-05-29 15:11 . 2010-05-29 15:11 -------- d-----w- c:\documents and settings\Ben\Application Data\Malwarebytes
2010-05-29 15:11 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-29 15:11 . 2010-05-29 15:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-29 15:11 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-27 01:55 . 2010-05-27 01:57 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-26 02:28 . 2010-05-29 15:24 -------- d-----w- c:\documents and settings\Ben\Local Settings\Application Data\nqfcrqavn

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-19 21:45 . 2009-12-25 18:33 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-06-19 21:45 . 2009-12-25 18:31 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-06-11 00:32 . 2008-06-03 18:29 -------- d-----w- c:\program files\Games
2010-06-11 00:29 . 2008-09-12 21:26 -------- d-----w- c:\program files\BAD_Bonjour
2010-06-06 14:25 . 2006-01-22 15:37 55840 ----a-w- c:\documents and settings\Steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-05 16:07 . 2008-08-16 20:31 -------- d-----w- c:\program files\PeerGuardian2
2010-06-05 16:05 . 2008-03-24 22:12 -------- d-----w- c:\program files\DSP-worx
2010-06-05 16:04 . 2005-04-26 02:59 -------- d-----w- c:\program files\Sony
2010-06-05 15:58 . 2005-04-26 02:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-04 11:12 . 2008-08-16 23:33 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-04 02:38 . 2009-10-09 02:20 -------- d-----w- c:\documents and settings\Ben\Application Data\Dropbox
2010-06-04 01:45 . 2006-03-14 04:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-04 01:43 . 2009-04-20 05:23 -------- d-----w- c:\program files\CCleaner
2010-06-04 01:40 . 2006-03-14 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-04 01:40 . 2006-01-14 01:45 -------- d-----w- c:\program files\SpywareBlaster
2010-06-03 03:43 . 2005-04-26 02:58 -------- d-----w- c:\program files\Common Files\Java
2010-06-03 03:37 . 2009-12-25 18:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-06-03 03:35 . 2006-01-14 17:11 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-06-03 03:21 . 2005-12-07 04:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-03 03:20 . 2005-12-07 04:03 -------- d-----w- c:\program files\Symantec
2010-06-03 03:20 . 2005-12-07 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-31 14:31 . 2008-06-05 02:38 -------- d-----w- c:\program files\Rainmeter
2010-05-31 14:29 . 2006-01-20 00:12 -------- d-----w- c:\program files\Canon
2010-05-31 14:28 . 2006-10-01 20:37 -------- d-----w- c:\program files\Apple Software Update
2010-05-26 02:36 . 2010-05-16 23:34 -------- d-----w- c:\documents and settings\Ben\Application Data\uTorrent
2010-05-14 05:15 . 2010-05-14 05:08 -------- d-----w- c:\program files\NVIDIA Corporation
2010-05-14 05:08 . 2010-05-14 05:08 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-05-14 05:01 . 2010-05-14 05:01 -------- d-----w- c:\program files\SystemRequirementsLab
2010-05-14 05:01 . 2010-05-14 05:01 -------- d-----w- c:\documents and settings\Ben\Application Data\SystemRequirementsLab
2010-05-14 05:01 . 2010-05-14 05:01 290816 ----a-w- c:\documents and settings\Ben\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2010-05-14 05:01 . 2010-05-14 05:01 290816 ----a-w- c:\documents and settings\Ben\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2010-05-14 05:01 . 2010-05-14 05:01 290816 ----a-w- c:\documents and settings\Ben\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2010-05-14 05:01 . 2010-05-14 05:01 290816 ----a-w- c:\documents and settings\Ben\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2010-05-12 15:21 . 2009-10-03 06:05 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 17:20 . 2005-04-26 02:17 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2005-04-26 02:17 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2005-04-26 02:16 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:22 . 2005-04-26 02:17 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-24 20:26 . 2005-04-26 23:33 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-20 05:30 . 2005-04-26 02:16 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-03 23:23 . 2010-04-03 23:23 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-04-03 23:23 . 2010-04-03 23:23 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-04-03 23:23 . 2010-04-03 23:23 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-04-03 23:23 . 2010-04-03 23:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-03 23:23 . 2010-04-03 23:23 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-04-03 23:22 . 2010-04-03 23:22 81920 ----a-w- c:\windows\system32\nvwddi.dll
2010-04-01 10:53 . 2010-03-21 18:55 152576 ----a-w- c:\documents and settings\Ben\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-04-01 10:53 . 2010-03-20 13:58 79488 ----a-w- c:\documents and settings\Ben\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2006-06-06 21:36 . 2006-06-06 21:36 3001 ----a-r- c:\program files\GammaBrosInfo.txt
2000-04-10 15:02 . 2007-09-20 20:56 3355 ----a-w- c:\program files\Readme.txt
2000-04-05 23:32 . 2007-09-20 20:56 379 ----a-w- c:\program files\Setup.inf
1999-11-27 08:47 . 2007-09-20 20:56 196368 ----a-w- c:\program files\dsetup32.dll
1999-09-08 11:51 . 2007-09-20 20:56 40208 ----a-w- c:\program files\dsetup.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKCU"="Start HKCU Updates" [X]
"Logitech Utility"="Logi_MwX.Exe" [2004-10-18 19968]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 1629480]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonui.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Alex Tolkin^Start Menu^Programs^Startup^Robin Hood Update.lnk]
path=c:\documents and settings\Alex Tolkin\Start Menu\Programs\Startup\Robin Hood Update.lnk
backup=c:\windows\pss\Robin Hood Update.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
backup=c:\windows\pss\Personal Coach.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
backup=c:\windows\pss\Run Google Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-04-12 08:10 65536 ----a-w- c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
2005-04-07 01:53 2805248 ----a-w- c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-03-23 04:05 339968 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 17:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-08-13 00:45 61952 ----a-w- c:\windows\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2005-03-09 17:29 139264 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LgWDskTp]
2004-10-27 17:37 65536 ----a-w- c:\program files\Wireless Desktop\LgWDskTp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
2004-10-18 22:05 19968 ----a-w- c:\windows\Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Location Finder]
2005-11-06 02:25 101064 ----a-w- c:\program files\Microsoft Location Finder\LocationFinder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-04-03 23:23 13670504 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-01-05 20:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
2007-09-02 17:58 495616 ----a-w- c:\program files\RocketDock\RocketDock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2005-04-07 01:57 90112 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2005-01-25 03:58 81920 ----a-w- c:\progra~1\Sony\SONICS~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-07-14 05:30 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Recovery]
2003-04-20 04:08 28672 ----a-w- c:\windows\SONYSYS\VAIO Recovery\PartSeal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VAIO Update 2]
2005-01-14 20:43 151552 ----a-w- c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-03 23:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Sony\\VAIO Media 4.0\\Vc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:*:Disabled:Bittorrent
"6882:TCP"= 6882:TCP:*:Disabled:Bit2
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 FGXSCSI;FGXSCSI;c:\windows\system32\drivers\fgxscsi.sys [11/21/2008 6:45 PM 71680]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [6/4/2010 9:20 PM 40560]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/1/2010 4:36 PM 135336]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S0 gudoqdmq;gudoqdmq;c:\windows\system32\drivers\rdugatnw.sys --> c:\windows\system32\drivers\rdugatnw.sys [?]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Steve\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Steve\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\Steve\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys --> c:\docume~1\Steve\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.sys [?]
S3 dump_wmimmc;dump_wmimmc;\??\c:\nexon\KartRider\GameGuard\dump_wmimmc.sys --> c:\nexon\KartRider\GameGuard\dump_wmimmc.sys [?]
S3 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [6/6/2010 6:00 PM 52736]
S3 SASENUM;SASENUM;\??\c:\docume~1\Steve\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS --> c:\docume~1\Steve\LOCALS~1\Temp\SAS_SelfExtract\SASENUM.SYS [?]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
S4 CHZSLLKXG;CHZSLLKXG;c:\docume~1\ALEXTO~1\LOCALS~1\Temp\CHZSLLKXG.exe --> c:\docume~1\ALEXTO~1\LOCALS~1\Temp\CHZSLLKXG.exe [?]
S4 DZFZWBNS;DZFZWBNS;c:\docume~1\Ben\LOCALS~1\Temp\DZFZWBNS.exe --> c:\docume~1\Ben\LOCALS~1\Temp\DZFZWBNS.exe [?]
S4 KFRVT;KFRVT;c:\docume~1\Ben\LOCALS~1\Temp\KFRVT.exe --> c:\docume~1\Ben\LOCALS~1\Temp\KFRVT.exe [?]
S4 LVLAPMFG;LVLAPMFG;c:\docume~1\ALEXTO~1\LOCALS~1\Temp\LVLAPMFG.exe --> c:\docume~1\ALEXTO~1\LOCALS~1\Temp\LVLAPMFG.exe [?]
S4 QUKHGEJP;QUKHGEJP;c:\docume~1\Steve\LOCALS~1\Temp\QUKHGEJP.exe --> c:\docume~1\Steve\LOCALS~1\Temp\QUKHGEJP.exe [?]
S4 WCP;WCP;c:\docume~1\Ben\LOCALS~1\Temp\WCP.exe --> c:\docume~1\Ben\LOCALS~1\Temp\WCP.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-23 21:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-06-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://offers.intermute.com/spysub/wSONYSSEx60331/
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Steve\Application Data\Mozilla\Firefox\Profiles\8fvptwxi.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://library.minlib.net/patroninfo~S1/
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npigl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-19 17:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Adobe\Premiere Std\7.0\DefaultPreset]
@DACL=(02 0000)
@SACL=
@="c:\\Program Files\\Adobe\\Premiere Standard\\Settings\\DV - NTSC\\Standard 48kHz.prpreset"

[HKEY_LOCAL_MACHINE\software\Adobe\Premiere Std\7.0\Help]
@DACL=(02 0000)
@SACL=
"AdobeMediaEncoder"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\1_0_0_0.html"
"Contents"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\1_0_0_0.html"
"ExportToDVD"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\1_13_2_0.html"
"HowToUse"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\0_0_0_0.html"
"Keyboard"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\1_4_15_0.html"
"Search"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\search.html"
"Support"="http://www.adobe.com/support/products/premiere.html"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5384)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
c:\program files\Sony\Sony TV Tuner Library\SMceMan.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\dllhost.exe
c:\program files\Sony\Sony TV Tuner Library\RM_SV.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\taskmgr.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2010-06-19 17:52:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-19 21:52
ComboFix2.txt 2010-06-14 23:06

Pre-Run: 138,401,222,656 bytes free
Post-Run: 138,391,617,536 bytes free

- - End Of File - - B0D99A04035FF3B52BB933DC1A56FC74
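The service section of the ComboFix log above (the `R0`/`S0`/`S4 name;display;image` lines) is where a reviewer usually looks first: several entries point at executables in user Temp folders, and two boot-start drivers are registered for files ComboFix could not find. The following Python script is an added example, not part of this thread and not ComboFix's own code; it parses those lines and produces a review queue for exactly those two patterns. The sample input is copied from the log in this post; the `KNOWN_TOOL_DIRS` allowlist (used to skip the SUPERAntiSpyware self-extract remnants) is an assumption you would extend for whatever scanners you have run yourself.

```python
"""Triage the service/driver section of a ComboFix log for entries worth a second look.

Added example for this thread; not ComboFix's own code. Heuristics and the allowlist are
assumptions chosen for the log posted above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# ComboFix service line: "<start> <name>;<display>;<image> [<date> <size>]"
# or, when the image file cannot be found: "<start> <name>;<display>;<image> --> <image> [?]"
SERVICE_RE = re.compile(r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")

# Assumption: folders that legitimately hold temporary scanner drivers. SUPERAntiSpyware's
# self-extract directory appears in this log; add others for tools you ran yourself.
KNOWN_TOOL_DIRS = ("sas_selfextract",)


@dataclass
class ServiceEntry:
    start: str       # R = running, S = stopped; the digit is the start type (0 = boot, 4 = disabled)
    name: str
    display: str
    image: str       # registry ImagePath, possibly with arguments (e.g. "sqlservr.exe -sVAIO_VEDB")
    missing: bool    # True when ComboFix printed "[?]" because it could not find the file


@dataclass
class Finding:
    name: str
    image: str
    reason: str


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for a ComboFix service line, or None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    missing = rest.endswith("[?]")
    image = rest.split("-->")[0].strip()          # left side of "-->" is the registry ImagePath
    image = re.sub(r"\s*\[[^\]]*\]$", "", image)  # drop a trailing "[date size]" / "[?]"
    if image.startswith("\\??\\"):                # NT object-manager prefix used by some kernel drivers
        image = image[4:]
    return ServiceEntry(m.group("start"), m.group("name"), m.group("display"), image, missing)


def triage(lines: List[str]) -> List[Finding]:
    """Flag services running out of Temp and boot-start drivers whose file is gone."""
    findings: List[Finding] = []
    for line in lines:
        e = parse_service_line(line)
        if e is None:
            continue
        lower = e.image.lower()
        if any(d in lower for d in KNOWN_TOOL_DIRS):
            continue  # remnant of a scanner we ran ourselves
        if "\\temp\\" in lower:
            # A service registered to run an executable from a user's Temp folder.
            findings.append(Finding(e.name, e.image, "service image lives in a Temp directory"))
        elif e.missing and e.start[1] == "0":
            # A boot-start driver entry whose file no longer exists: an orphan that needs explaining.
            findings.append(Finding(e.name, e.image, "boot-start driver registered but file not found"))
    return findings


# Service lines copied from the ComboFix log in this thread; they are the sample input.
SAMPLE_LOG = r"""
R0 FGXSCSI;FGXSCSI;c:\windows\system32\drivers\fgxscsi.sys [11/21/2008 6:45 PM 71680]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [6/4/2010 9:20 PM 40560]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S0 gudoqdmq;gudoqdmq;c:\windows\system32\drivers\rdugatnw.sys --> c:\windows\system32\drivers\rdugatnw.sys [?]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\Steve\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\Steve\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S3 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [6/6/2010 6:00 PM 52736]
S4 CHZSLLKXG;CHZSLLKXG;c:\docume~1\ALEXTO~1\LOCALS~1\Temp\CHZSLLKXG.exe --> c:\docume~1\ALEXTO~1\LOCALS~1\Temp\CHZSLLKXG.exe [?]
S4 WCP;WCP;c:\docume~1\Ben\LOCALS~1\Temp\WCP.exe --> c:\docume~1\Ben\LOCALS~1\Temp\WCP.exe [?]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.name:12} {f.reason:50} {f.image}")
```

The output is a review queue, not a deletion list: a stale entry left behind by a previously installed product lands next to the genuinely unexplained ones, so each flagged name still has to be accounted for before anything is removed.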



#14 stolkin

  • Topic Starter
  • Members
  • 21 posts

Posted 19 June 2010 - 06:26 PM

Here are the contents of c:\TDSSKiller.2.3.2.0_13.06.2010_19.41.07_log.txt
(P.S. The only thing in c:\tdsskiller19.txt was "press any key to continue")

19:41:07:750 1600 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
19:41:07:750 1600 ================================================================================
19:41:07:750 1600 SystemInfo:

19:41:07:750 1600 OS Version: 5.1.2600 ServicePack: 3.0
19:41:07:750 1600 Product type: Workstation
19:41:07:750 1600 ComputerName: ALEX
19:41:07:750 1600 UserName: Steve
19:41:07:750 1600 Windows directory: C:\WINDOWS
19:41:07:750 1600 Processor architecture: Intel x86
19:41:07:750 1600 Number of processors: 2
19:41:07:750 1600 Page size: 0x1000
19:41:07:750 1600 Boot type: Safe boot
19:41:07:750 1600 ================================================================================
19:41:08:031 1600 Initialize success
19:41:08:031 1600
19:41:08:031 1600 Scanning Services ...
19:41:10:468 1600 Raw services enum returned 421 services
19:41:10:500 1600
19:41:10:500 1600 Scanning Drivers ...
19:41:10:734 1600 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:41:10:765 1600 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
19:41:10:843 1600 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
19:41:10:890 1600 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
19:41:11:015 1600 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
19:41:11:078 1600 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:41:11:109 1600 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
19:41:11:171 1600 ati2mtag (2fbdfec8cd60cec3d55e615865333033) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
19:41:11:281 1600 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:41:11:328 1600 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
19:41:11:390 1600 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
19:41:11:468 1600 avgntflt (a88d29d928ad2b830e87b53e3f9bc182) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
19:41:11:515 1600 avipbb (1289e9a5d9118a25a13c0009519088e3) C:\WINDOWS\system32\DRIVERS\avipbb.sys
19:41:11:562 1600 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
19:41:11:609 1600 BrPar (2fe6d5be0629f706197b30c0aa05de30) C:\WINDOWS\System32\drivers\BrPar.sys
19:41:11:656 1600 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
19:41:11:734 1600 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
19:41:11:796 1600 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
19:41:11:828 1600 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
19:41:11:859 1600 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:41:11:953 1600 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
19:41:12:031 1600 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
19:41:12:109 1600 DMICall (526192bf7696f72e29777bf4a180513a) C:\WINDOWS\system32\DRIVERS\DMICall.sys
19:41:12:156 1600 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
19:41:12:203 1600 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
19:41:12:250 1600 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
19:41:12:281 1600 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
19:41:12:328 1600 e1express (0849eacdc01487573add86f5e470806c) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
19:41:12:406 1600 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
19:41:12:453 1600 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
19:41:12:500 1600 fgdxbus (aae9dcb30da4136fe3241b3088a46009) C:\WINDOWS\system32\DRIVERS\fgdxbus.sys
19:41:12:531 1600 FGXSCSI (d821735ef92f1091c942c894303b8d1e) C:\WINDOWS\system32\DRIVERS\fgxscsi.sys
19:41:12:578 1600 FilterService (b73ec688c29f81f9da0fcf63682b3ecb) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
19:41:12:656 1600 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
19:41:19:765 1600
19:41:19:765 1600 Completed
19:41:19:765 1600
19:41:19:765 1600 Results:
19:41:19:765 1600 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:41:19:765 1600 File objects infected / cured / cured on reboot: 0 / 0 / 0
19:41:19:765 1600
19:41:19:859 1600 KLMD(ARK) unloaded successfully


#15 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:36 PM

Posted 21 June 2010 - 01:30 PM

Hi


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check
  • Click the button.
  • Accept any security warnings from your browser.
  • Check
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push
  • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the button.
  • Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt




  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemdrive%\*.sys /90 /md5
  5. Push the Quick Scan button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
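The OTL /md5start list above and the TDSSKiller driver listing earlier in the thread rest on the same idea: hash the boot-critical drivers and compare them against a trusted baseline, since this family of rootkits patched drivers such as atapi.sys and iaStor.sys in place. The following Python is an added example, not OTL's or TDSSKiller's own code: it parses driver lines in the TDSSKiller log format and flags hash mismatches against a baseline and drivers loading from outside system32. The sample log lines, the service name tmpsvc and the atapi baseline value are constructed placeholders; only the Flpydisk and iaStor hashes are copied from the log posted in this thread.

```python
import re

# A driver line in TDSSKiller's verbose listing: timestamp, thread id, service name,
# MD5 of the file in parentheses, full path, e.g.
#   19:41:12:671 1600 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
DRIVER_LINE = re.compile(
    r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(?P<service>\S+)\s+"
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*)$"
)
# Drivers on a clean XP box load from under system32; anything elsewhere deserves a look.
EXPECTED_DIR = "c:\\windows\\system32\\"
# Constructed baseline of known-good hashes per service name: the first two values are
# copied from the TDSSKiller log posted in this thread, the atapi value is a placeholder.
KNOWN_GOOD = {
    "Flpydisk": "9d27e7b80bfcdf1cdd9b555862d5e7f0",
    "iaStor": "79ae2a97c120f282845d854d0f070ea9",
    "atapi": "00000000000000000000000000000000",  # placeholder, not a real hash
}
# Constructed sample log: two clean entries, an atapi.sys whose hash differs from the
# baseline (the pattern of a patched driver) and a driver loading from Temp.
SAMPLE_LOG = r"""
19:41:12:671 1600 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
19:41:13:406 1600 iaStor (79ae2a97c120f282845d854d0f070ea9) C:\WINDOWS\system32\drivers\iaStor.sys
19:41:20:000 1600 atapi (11111111111111111111111111111111) C:\WINDOWS\system32\DRIVERS\atapi.sys
19:41:20:100 1600 tmpsvc (22222222222222222222222222222222) C:\WINDOWS\Temp\tmpsvc.sys
19:41:20:200 1600 Completed
"""


def parse_driver_lines(text):
    """Return (service, md5, path) tuples for every driver line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DRIVER_LINE.match(line.strip())
        if m:
            entries.append((m["service"], m["md5"].lower(), m["path"]))
    return entries


def triage(entries, known_good=KNOWN_GOOD):
    """Flag drivers whose hash differs from the baseline or that load from an odd path."""
    findings = []
    for service, md5, path in entries:
        expected = known_good.get(service)
        if expected is not None and md5 != expected:
            findings.append((service, "md5 mismatch"))
        if not path.lower().startswith(EXPECTED_DIR):
            findings.append((service, "unexpected path"))
    return findings
```

A real baseline would hold the hashes for the exact Windows build and service pack, since every patch level ships different driver binaries.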



