
Infected with Something


This topic is locked
19 replies to this topic

#1 sausage


  • Members
  • 388 posts
  • Gender:Male
  • Location:Louisville Colorado

Posted 01 October 2010 - 07:35 PM

So it's been happening for a while now: every time I go to a site, my browser reroutes to a random site with just an IP for an address. AVG pops up with a "THREAT BLOCKED" menu, and I have to go back and reload the page.

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:35:08 PM, on 10/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Program Files\Intel\IntelDH\IntelŽ Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\CCP\EVE\bin\ExeFile.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Dev-Cpp\devcpp.exe
C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Christopher Locke\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070108
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070108
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {78EF59AD-E444-A210-2D5D-84C1F5CE5633} - (no file)
O2 - BHO: (no name) - {84FC3CE6-3AA6-4BFD-A2AF-92C26D0DEF93} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Rmn plugin - {ABADC07C-9990-405a-AA24-2C209B50AE79} - svchstb.dll (file missing)
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [gStart] C:\Garmin\gStart.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antispyexpert.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.spyguardpro.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.antispyexpert.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.spyguardpro.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://mail.kellyglasscorp.com/Remote/msrdp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5942E307-7D6E-405F-82E4-B08DF1E88B3B}: NameServer = 85.255.116.170,85.255.112.213
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\PR16.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: IntelŽ Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\IntelŽ Quick Resume Technology Drivers\Elservice.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IntelŽ Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe

--
End of file - 14957 bytes

Oh, an example of the address of the sites it reroutes to is: 77.78.201.15/index.php?0X=R51JZG6I41Q26DC685KHG&9dQ1t=BWN76N403CW19J974JY65O45T850L&9sO=0Z&0C8sv=Y8DS1ZS00C86484K&R05a=G3l7c2xlewdKf0gBT3crBw&O7ekT=00qPG9ZJ0RXU2ddLy5eVDMmM18kUU0tBQdqcQQB&Lq=NKWctN&vxz9=hwAA9ICQZzZwwJemhzBD1RQiU%3D&kM=ooClNWLzwCVn5WA&lg18a=2wMV1N%2BUFVhAHBnAWk2Vg&0753=DF61

Edited by sausage, 01 October 2010 - 07:45 PM.

If I'm posting, I probably have something horribly wrong with my computer, there's no obvious explanation for it, that's just the way it is.
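A defender's triage script for the HijackThis sections in the log above, as an added example that is not part of this thread: it flags the O17 NameServer entries, the O15 Trusted Zone domains, the O20 AppInit_DLLs entry and the O2 BHOs that have no backing file, using lines copied from the posted log. The expected DNS ranges and the allowed Trusted Zone domain are assumptions.

```python
"""Triage of HijackThis-style log lines: an added example, not code from the
thread or from HijackThis. It flags the sections that most often carry a
hijack: O17 NameServer entries outside the DNS you expect, O15 Trusted Zone
domains you never added, O20 AppInit_DLLs entries, and O2 BHOs whose file
is gone. The sample lines are copied from the log posted above."""

import ipaddress
import re
from dataclasses import dataclass

# Assumption: the machine should resolve via the home router or Google DNS.
EXPECTED_DNS = (ipaddress.ip_network("192.168.0.0/16"),
                ipaddress.ip_network("8.8.8.0/24"))

# Assumption: the only Trusted Zone entry the owner added deliberately.
ALLOWED_TRUSTED = {"turbotax.com"}

# Lines copied from the HijackThis log in the first post (one benign BHO
# and one benign service are included to show they are not flagged).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Rmn plugin - {ABADC07C-9990-405a-AA24-2C209B50AE79} - svchstb.dll (file missing)
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{5942E307-7D6E-405F-82E4-B08DF1E88B3B}: NameServer = 85.255.116.170,85.255.112.213
O20 - AppInit_DLLs: C:\WINDOWS\system32\PR16.DLL
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
TRUSTED_RE = re.compile(r"^O15 - Trusted Zone: (\S+)(?: \(HKLM\))?$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O17"
    detail: str    # why the line was flagged
    line: str      # the offending log line


def unexpected_nameservers(value):
    """Return the NameServer entries that fall outside EXPECTED_DNS."""
    bad = []
    for raw in value.split(","):
        raw = raw.strip()
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            bad.append(raw)          # not even an IP address: flag it
            continue
        if not any(ip in net for net in EXPECTED_DNS):
            bad.append(raw)
    return bad


def bho_file_missing(target):
    """True when a BHO points at no file or at a bare, unresolved DLL name."""
    t = target.strip()
    return t == "(no file)" or t.endswith("(file missing)") or ":\\" not in t


def triage(log_text):
    """Walk the log and return a Finding for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = BHO_RE.match(line)
        if m and bho_file_missing(m.group(3)):
            findings.append(Finding("O2", f"BHO {m.group(2)} has no backing file: {m.group(3)}", line))
            continue
        m = TRUSTED_RE.match(line)
        if m:
            domain = m.group(1).lstrip("*.").lower()
            if domain not in ALLOWED_TRUSTED:
                findings.append(Finding("O15", f"Trusted Zone grants {domain} lowered security", line))
            continue
        m = DNS_RE.match(line)
        if m:
            bad = unexpected_nameservers(m.group(1))
            if bad:
                findings.append(Finding("O17", "NameServer outside expected DNS: " + ", ".join(bad), line))
            continue
        m = APPINIT_RE.match(line)
        if m:
            findings.append(Finding("O20", f"AppInit_DLLs loads {m.group(1)} into every GUI process", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.detail}\n    {f.line}")
```

Run against a full log, the hits cluster exactly where a helper looks first: the DNS servers the machine was pointed at, the domains given Trusted Zone treatment, and the DLL injected through AppInit_DLLs.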


#2 m0le


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 07 October 2010 - 07:42 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


And

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
m0le is a proud member of UNITE

#3 sausage

  • Topic Starter

  • Members
  • 388 posts
  • Gender:Male
  • Location:Louisville Colorado

Posted 09 October 2010 - 05:46 PM


DDS (Ver_10-10-05.01) - NTFSx86
Run by Christopher Locke at 18:51:47.08 on Thu 10/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1060 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Steam\steam.exe
C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Christopher Locke\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070108
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: {78EF59AD-E444-A210-2D5D-84C1F5CE5633} - No File
BHO: {84FC3CE6-3AA6-4BFD-A2AF-92C26D0DEF93} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Rmn plugin: {abadc07c-9990-405a-aa24-2c209b50ae79} - svchstb.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRun: [Google Update] "c:\documents and settings\christopher locke\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [gStart] c:\garmin\gStart.exe
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
StartupFolder: c:\docume~1\christ~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: turbotax.com
Trusted Zone: antimalwareguard.com
Trusted Zone: antispyexpert.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: virusremover2008.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} - hxxps://mail.kellyglasscorp.com/Remote/msrdp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {5942E307-7D6E-405F-82E4-B08DF1E88B3B} = 85.255.116.170,85.255.112.213
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
AppInit_DLLs: c:\windows\system32\PR16.DLL
LSA: Authentication Packages = msv1_0 nwprovau c:\windows\system32\ljJYqpmL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\christ~1\applic~1\mozilla\firefox\profiles\v7d9pgch.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\christopher locke\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-28 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-28 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-28 243024]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2010-2-24 185472]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-10 308136]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 athena;athena;c:\windows\system32\drivers\athena.sys [2007-1-8 107392]
R3 SbieDrv;SbieDrv;c:\program files\sandboxie\SbieDrv.sys [2010-8-9 123112]
S1 ndistapii;ndistapii;c:\windows\system32\drivers\ndistapii.sys --> c:\windows\system32\drivers\ndistapii.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-13 135664]
S3 physX32;physX32;c:\windows\system32\drivers\physX32.sys [2008-7-20 120320]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-12-1 34384]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [2010-4-23 17792]
S4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-11-11 25832]

=============== Created Last 30 ================

2010-10-06 23:07:17 -------- d-----r- C:\Sandbox
2010-10-06 23:06:36 -------- d-----w- c:\program files\Sandboxie
2010-10-02 00:27:51 -------- d-----w- c:\program files\Trend Micro
2010-09-22 23:20:23 -------- d-----w- c:\docume~1\christ~1\locals~1\applic~1\storage

==================== Find3M ====================

2010-08-10 03:25:47 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-07-15 15:44:07 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2007-01-18 00:16:42 12505592 ----a-w- c:\program files\ead-installer.exe
2006-01-22 19:27:34 7708672 ----a-w- c:\program files\Hero Editor.exe
2004-03-09 06:00:00 224016 -c--a-w- c:\program files\TABCTL32.OCX
2004-03-09 06:00:00 212240 -c--a-w- c:\program files\RICHTX32.OCX
2004-03-09 06:00:00 152848 -c--a-w- c:\program files\COMDLG32.OCX
2004-03-09 06:00:00 1081616 -c--a-w- c:\program files\MSCOMCTL.OCX
2004-02-23 06:00:00 73216 ----a-w- c:\program files\ST6UNST.EXE
2004-02-23 06:00:00 249856 ----a-w- c:\program files\SETUP1.EXE
2004-02-23 06:00:00 1386496 ----a-w- c:\program files\MSVBVM60.DLL
2004-02-23 06:00:00 119808 ----a-w- c:\program files\MSSTDFMT.DLL
2000-07-15 06:00:00 101888 ----a-w- c:\program files\VB6STKIT.DLL
2000-04-12 06:00:00 598288 ----a-w- c:\program files\OLEAUT32.DLL
1999-06-03 06:00:00 17920 -c--a-w- c:\program files\STDOLE2.TLB
1999-03-08 06:00:00 164112 ----a-w- c:\program files\OLEPRO32.DLL
1999-03-08 06:00:00 147728 ----a-w- c:\program files\ASYCFILT.DLL
1998-05-31 06:00:00 22288 ----a-w- c:\program files\COMCAT.DLL
1998-05-07 06:00:00 174352 ----a-w- c:\program files\RICHED32.DLL

============= FINISH: 18:53:36.65 ===============

My computer freezes when GMER finishes its scan, even in safe mode, so I don't have that log. I'm gonna run it again overnight tonight (since it takes like 7 hours) and if it works, I'll edit the post.

If I'm posting, I probably have something horribly wrong with my computer; there's no obvious explanation for it, that's just the way it is.
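The tail of the DDS log above is where a responder looks first: the `Trusted Zone:` entry, the `TCP:` line (the NameServer value DDS reads for that interface, here two public addresses), the `AppInit_DLLs:` value, and the `LSA: Authentication Packages` list, which carries a path-style entry beside the stock `msv1_0`. The script below is an added example, not part of this post and not a DDS or BleepingComputer tool; it reads those DDS line types and flags the entries a practitioner would want to check. Its sample input is a constructed excerpt copied from the lines of the posted log, and the LSA baseline is an assumption: `msv1_0` is the stock package, and `nwprovau` is accepted only because this host loads the NetWare redirector (NWRDR).

```python
import ipaddress
from dataclasses import dataclass

# Constructed excerpt: the trailing lines of the DDS log posted above, reused
# as sample input so the script runs offline.
DDS_EXCERPT = r"""
Trusted Zone: virusremover2008.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: {5942E307-7D6E-405F-82E4-B08DF1E88B3B} = 85.255.116.170,85.255.112.213
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\PR16.DLL
LSA: Authentication Packages = msv1_0 nwprovau c:\windows\system32\ljJYqpmL
"""

# Assumption (not from the post): msv1_0 is the stock package; nwprovau is the
# NetWare client's and is accepted only because this host loads NWRDR.
LSA_BASELINE = {"msv1_0", "nwprovau"}


@dataclass(frozen=True)
class Finding:
    key: str     # DDS line type that produced the finding
    item: str    # value that tripped the check
    reason: str


def nameserver_findings(value):
    """'TCP: {interface GUID} = a,b' -> flag name servers outside private ranges."""
    guid, _, servers = value.partition("=")
    out = []
    for s in servers.split(","):
        s = s.strip()
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            continue
        if not (ip.is_private or ip.is_loopback):
            out.append(Finding("TCP", s,
                       f"interface {guid.strip()} resolves through public DNS {s}; "
                       "compare with the servers your ISP or router hands out"))
    return out


def triage(log_text):
    """Walk DDS 'Key: value' lines and return the entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        value = value.strip()
        if key == "Trusted Zone" and value:
            findings.append(Finding(key, value,
                "site in the IE Trusted Zone; browser security is lowered for it"))
        elif key == "TCP":
            findings.extend(nameserver_findings(value))
        elif key == "AppInit_DLLs" and value:
            findings.append(Finding(key, value,
                "DLL loaded into every process that links user32.dll"))
        elif key == "LSA" and value.startswith("Authentication Packages"):
            for pkg in value.split("=", 1)[1].split():
                if pkg.lower() not in LSA_BASELINE:
                    findings.append(Finding(key, pkg,
                        "authentication package outside baseline; runs inside lsass.exe"))
    return findings


if __name__ == "__main__":
    for f in triage(DDS_EXCERPT):
        print(f"[{f.key}] {f.item}: {f.reason}")
```

Lines the script does not understand (DPF, Handler, Notify, the Firefox and driver sections) pass through untouched; the point is to surface the four settings that change how the machine resolves names, what gets injected into processes, and what runs inside LSASS, not to judge the whole log.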

#4 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 09 October 2010 - 06:21 PM

No, don't do that. If GMER will not run, let's instead see what we've got here.
  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If malicious objects are found, ensure Cure is selected, then click Continue > Reboot now.
  • Click Close.
  • Finally, press Report and copy and paste the contents into your next reply. If you've rebooted, the log will be found at C:\


And


Please download MBRCheck to your desktop.

1. Double-click MBRCheck.exe to run it (right-click and Run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE
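What the report requested above looks like, and how to read it: TDSSKiller writes one line per loaded driver (service name, MD5, image path); for anything it cannot see through the normal API it writes `Suspicious service (Hidden)` and `Suspicious file (Hidden)` lines followed by a `detected` verdict, and after Cure it appends a `will be deleted after reboot` line for each file and service key it scheduled for removal. The parser below is an added example, not part of this post and not a Kaspersky tool; its sample report is constructed to match that format. The two checks it runs are the ones worth confirming before posting the log: that the hidden file's hash agrees with the driver record, and that every detected image and its service key were actually scheduled for deletion.

```python
import re

# Constructed sample in the format of a TDSSKiller report: a few ordinary
# driver lines, one hidden service, and the cleanup entries written after Cure.
REPORT = r"""
2010/10/09 18:28:07.0091 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/10/09 18:28:07.0169 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/09 18:28:07.0169 Suspicious service (Hidden): gaopdxserv.sys
2010/10/09 18:28:07.0201 gaopdxserv.sys (8251db826979e6a68b92f8d6aae0de39) C:\WINDOWS\system32\drivers\gaopdxtoymeabe.sys
2010/10/09 18:28:07.0201 Suspicious file (Hidden): C:\WINDOWS\system32\drivers\gaopdxtoymeabe.sys. md5: 8251db826979e6a68b92f8d6aae0de39
2010/10/09 18:28:07.0201 gaopdxserv.sys - detected Rootkit.Win32.TDSS.tdl2 (0)
2010/10/09 18:28:07.0404 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/09 18:28:14.0747 Scan finished
2010/10/09 18:28:14.0747 Detected object count: 1
2010/10/09 18:28:40.0076 C:\WINDOWS\system32\drivers\gaopdxtoymeabe.sys - will be deleted after reboot
2010/10/09 18:28:40.0076 C:\WINDOWS\system32\gaopdxnpvpcdot.dll - will be deleted after reboot
2010/10/09 18:28:40.0107 HKLM\SYSTEM\controlset001\services\gaopdxserv.sys - will be deleted after reboot
2010/10/09 18:28:40.0122 HKLM\SYSTEM\ControlSet002\services\gaopdxserv.sys - will be deleted after reboot
2010/10/09 18:28:40.0122 Rootkit.Win32.TDSS.tdl2(gaopdxserv.sys) - User select action: Delete
"""

TS = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} ")
PATTERNS = [
    ("hidden_service", re.compile(r"^Suspicious service \(Hidden\): (\S+)$")),
    ("hidden_file", re.compile(r"^Suspicious file \(Hidden\): (.+?)\. md5: ([0-9a-f]{32})$")),
    ("detected", re.compile(r"^(\S+) - detected (\S+)")),
    ("pending", re.compile(r"^(.+) - will be deleted after reboot$")),
    ("action", re.compile(r"^(\S+?)\((\S+)\) - User select action: (\w+)$")),
    ("driver", re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")),
]


def parse_report(text):
    """Index the report by service name so detections can be cross-checked."""
    rep = {"drivers": {}, "hidden_services": [], "hidden_files": {},
           "detections": {}, "pending": [], "actions": {}}
    for raw in text.splitlines():
        line = TS.sub("", raw.strip())          # drop the timestamp prefix
        for kind, pat in PATTERNS:
            m = pat.match(line)
            if not m:
                continue
            if kind == "hidden_service":
                rep["hidden_services"].append(m.group(1))
            elif kind == "hidden_file":
                rep["hidden_files"][m.group(1)] = m.group(2)
            elif kind == "detected":
                rep["detections"][m.group(1)] = m.group(2)
            elif kind == "pending":
                rep["pending"].append(m.group(1))
            elif kind == "action":
                rep["actions"][m.group(2)] = m.group(3)
            else:
                rep["drivers"][m.group(1)] = {"md5": m.group(2), "path": m.group(3)}
            break
    return rep


def cleanup_gaps(rep):
    """Detected objects the report does not schedule for deletion, or whose
    hidden-file hash disagrees with the driver record."""
    pending = {p.lower() for p in rep["pending"]}
    gaps = []
    for svc, verdict in rep["detections"].items():
        drv = rep["drivers"].get(svc)
        if drv is None:
            gaps.append(f"{svc}: {verdict} but no driver record")
            continue
        path = drv["path"]
        if rep["hidden_files"].get(path) not in (None, drv["md5"]):
            gaps.append(f"{svc}: md5 of hidden file differs from driver record")
        if path.lower() not in pending:
            gaps.append(f"{svc}: image {path} not scheduled for deletion")
        if not any(p.endswith("\\services\\" + svc.lower()) for p in pending):
            gaps.append(f"{svc}: service key not scheduled for deletion")
        if rep["actions"].get(svc) != "Delete":
            gaps.append(f"{svc}: no Delete action recorded")
    return gaps


def companions(rep):
    """Scheduled deletions that are neither a detected image nor a service key:
    the rootkit's other components that TDSSKiller removed alongside it."""
    tied = {rep["drivers"][s]["path"].lower()
            for s in rep["detections"] if s in rep["drivers"]}
    return [p for p in rep["pending"]
            if p.lower() not in tied and "\\services\\" not in p.lower()]


if __name__ == "__main__":
    rep = parse_report(REPORT)
    print("detections:", rep["detections"])
    print("companion files:", companions(rep))
    print("gaps:", cleanup_gaps(rep) or "none")
```

Feed it the text of `report.txt` (written to C:\ after the reboot, as the post says) in place of the constructed sample; an empty `gaps` list means every detected driver, its service key under each ControlSet, and its companion files were marked for removal.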

#5 sausage

  • Topic Starter
  • Members
  • 388 posts
  • Location:Louisville Colorado

Posted 09 October 2010 - 11:49 PM

2010/10/09 18:27:49.0560 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/09 18:27:49.0560 ================================================================================
2010/10/09 18:27:49.0560 SystemInfo:
2010/10/09 18:27:49.0560
2010/10/09 18:27:49.0560 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/09 18:27:49.0560 Product type: Workstation
2010/10/09 18:27:49.0560 ComputerName: MAINFRAME
2010/10/09 18:27:49.0560 UserName: Christopher Locke
2010/10/09 18:27:49.0560 Windows directory: C:\WINDOWS
2010/10/09 18:27:49.0560 System windows directory: C:\WINDOWS
2010/10/09 18:27:49.0560 Processor architecture: Intel x86
2010/10/09 18:27:49.0560 Number of processors: 2
2010/10/09 18:27:49.0560 Page size: 0x1000
2010/10/09 18:27:49.0560 Boot type: Normal boot
2010/10/09 18:27:49.0560 ================================================================================
2010/10/09 18:27:49.0716 Initialize success
2010/10/09 18:28:03.0935 ================================================================================
2010/10/09 18:28:03.0935 Scan started
2010/10/09 18:28:03.0935 Mode: Manual;
2010/10/09 18:28:03.0935 ================================================================================
2010/10/09 18:28:04.0279 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2010/10/09 18:28:04.0404 acedrv11 (e6f53d6c0dea3d375362265e175ca638) C:\WINDOWS\system32\drivers\acedrv11.sys
2010/10/09 18:28:04.0451 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/09 18:28:04.0497 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/10/09 18:28:04.0544 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/10/09 18:28:04.0576 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/10/09 18:28:04.0607 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/10/09 18:28:04.0654 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/10/09 18:28:04.0685 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2010/10/09 18:28:04.0716 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2010/10/09 18:28:04.0794 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/10/09 18:28:04.0872 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/10/09 18:28:04.0904 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/10/09 18:28:04.0935 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2010/10/09 18:28:04.0951 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2010/10/09 18:28:04.0966 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2010/10/09 18:28:04.0997 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2010/10/09 18:28:04.0997 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2010/10/09 18:28:05.0060 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2010/10/09 18:28:05.0107 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
2010/10/09 18:28:05.0138 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/10/09 18:28:05.0201 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/09 18:28:05.0263 athena (22910f4def0ac92b90d89884fa6407eb) C:\WINDOWS\system32\DRIVERS\athena.sys
2010/10/09 18:28:05.0310 atksgt (f0d933b42cd0594048e4d5200ae9e417) C:\WINDOWS\system32\DRIVERS\atksgt.sys
2010/10/09 18:28:05.0341 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/10/09 18:28:05.0357 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/10/09 18:28:05.0419 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\System32\Drivers\avgldx86.sys
2010/10/09 18:28:05.0466 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\System32\Drivers\avgmfx86.sys
2010/10/09 18:28:05.0513 AvgTdiX (22e3b793c3e61720f03d3a22351af410) C:\WINDOWS\System32\Drivers\avgtdix.sys
2010/10/09 18:28:05.0544 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/10/09 18:28:05.0576 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/10/09 18:28:05.0591 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/09 18:28:05.0607 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2010/10/09 18:28:05.0622 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/10/09 18:28:05.0654 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/09 18:28:05.0669 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/09 18:28:05.0701 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2010/10/09 18:28:05.0732 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/10/09 18:28:05.0794 ctac32k (8a9c65ce4fe6e8cb24ce06ba28d951a0) C:\WINDOWS\system32\drivers\ctac32k.sys
2010/10/09 18:28:05.0826 ctaud2k (47236971dfb3e03690b98e41665d0924) C:\WINDOWS\system32\drivers\ctaud2k.sys
2010/10/09 18:28:05.0872 ctdvda2k (5a0eeb00b02fc78605aa9d3590b24978) C:\WINDOWS\system32\drivers\ctdvda2k.sys
2010/10/09 18:28:05.0904 ctprxy2k (2381cf056c15271f6b8dab50ff82cf3a) C:\WINDOWS\system32\drivers\ctprxy2k.sys
2010/10/09 18:28:05.0919 ctsfm2k (da1c530de86c85a701138b30fb145af3) C:\WINDOWS\system32\drivers\ctsfm2k.sys
2010/10/09 18:28:05.0951 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/10/09 18:28:05.0997 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/10/09 18:28:06.0044 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/09 18:28:06.0122 DLABOIOM (e2d0de31442390c35e3163c87cb6a9eb) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
2010/10/09 18:28:06.0154 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2010/10/09 18:28:06.0169 DLADResN (83545593e297f50a8e2524b4c071a153) C:\WINDOWS\system32\DLA\DLADResN.SYS
2010/10/09 18:28:06.0185 DLAIFS_M (96e01d901cdc98c7817155cc057001bf) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
2010/10/09 18:28:06.0201 DLAOPIOM (0a60a39cc5e767980a31ca5d7238dfa9) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
2010/10/09 18:28:06.0216 DLAPoolM (9fe2b72558fc808357f427fd83314375) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
2010/10/09 18:28:06.0216 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
2010/10/09 18:28:06.0232 DLAUDFAM (f08e1dafac457893399e03430a6a1397) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
2010/10/09 18:28:06.0247 DLAUDF_M (e7d105ed1e694449d444a9933df8e060) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
2010/10/09 18:28:06.0279 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/09 18:28:06.0326 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/10/09 18:28:06.0341 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/10/09 18:28:06.0388 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/09 18:28:06.0435 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/10/09 18:28:06.0451 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/09 18:28:06.0482 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2010/10/09 18:28:06.0482 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2010/10/09 18:28:06.0607 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/10/09 18:28:06.0654 e1express (00192f0c612591d585594e9467e6ca8b) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2010/10/09 18:28:06.0716 ELacpi (0923aec043f5d355b4ef0c2b29a362de) C:\WINDOWS\system32\DRIVERS\ELacpi.sys
2010/10/09 18:28:06.0763 ELhid (cbd71e7772f92bfb85ccc302b2deefba) C:\WINDOWS\System32\Drivers\Elhid.sys
2010/10/09 18:28:06.0794 ELkbd (ac75b576c45d144e146fd1f0576a1f53) C:\WINDOWS\System32\Drivers\Elkbd.sys
2010/10/09 18:28:06.0810 ELmon (483cce5e40137d4e437f4def55c80007) C:\WINDOWS\System32\Drivers\Elmon.sys
2010/10/09 18:28:06.0841 ELmou (8e88cafeac0812bf2d15beeedfcce8bd) C:\WINDOWS\System32\Drivers\Elmou.sys
2010/10/09 18:28:06.0904 emupia (661cf27263f3e0b553be050a42d357db) C:\WINDOWS\system32\drivers\emupia2k.sys
2010/10/09 18:28:06.0966 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/09 18:28:06.0982 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/10/09 18:28:07.0013 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/09 18:28:07.0044 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/10/09 18:28:07.0091 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/10/09 18:28:07.0138 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/09 18:28:07.0169 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/09 18:28:07.0169 Suspicious service (Hidden): gaopdxserv.sys
2010/10/09 18:28:07.0201 gaopdxserv.sys (8251db826979e6a68b92f8d6aae0de39) C:\WINDOWS\system32\drivers\gaopdxtoymeabe.sys
2010/10/09 18:28:07.0201 Suspicious file (Hidden): C:\WINDOWS\system32\drivers\gaopdxtoymeabe.sys. md5: 8251db826979e6a68b92f8d6aae0de39
2010/10/09 18:28:07.0201 gaopdxserv.sys - detected Rootkit.Win32.TDSS.tdl2 (0)
2010/10/09 18:28:07.0247 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2010/10/09 18:28:07.0404 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/09 18:28:07.0435 grmnusb (cd007d03a9284bfe67d49c01213132bf) C:\WINDOWS\system32\drivers\grmnusb.sys
2010/10/09 18:28:07.0513 ha20x2k (e9d519905fd5b7b0269793f95c5ff630) C:\WINDOWS\system32\drivers\ha20x2k.sys
2010/10/09 18:28:07.0576 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/10/09 18:28:07.0591 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2010/10/09 18:28:07.0622 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/09 18:28:07.0747 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/10/09 18:28:07.0763 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2010/10/09 18:28:07.0794 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/10/09 18:28:07.0857 iaStor (019cf5f31c67030841233c545a0e217a) C:\WINDOWS\system32\drivers\iaStor.sys
2010/10/09 18:28:07.0888 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/09 18:28:07.0919 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2010/10/09 18:28:07.0982 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/10/09 18:28:07.0997 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/10/09 18:28:08.0060 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/10/09 18:28:08.0091 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/09 18:28:08.0122 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/09 18:28:08.0169 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/09 18:28:08.0201 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/09 18:28:08.0232 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/09 18:28:08.0263 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/09 18:28:08.0294 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/09 18:28:08.0326 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/10/09 18:28:08.0372 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/09 18:28:08.0404 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/09 18:28:08.0466 lirsgt (f8a7212d0864ef5e9185fb95e6623f4d) C:\WINDOWS\system32\DRIVERS\lirsgt.sys
2010/10/09 18:28:08.0529 mcdbus (af61a1c34e2d3f7543f9ccfc323170b8) C:\WINDOWS\system32\DRIVERS\mcdbus.sys
2010/10/09 18:28:08.0576 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2010/10/09 18:28:08.0622 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/09 18:28:08.0654 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/09 18:28:08.0732 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/09 18:28:08.0747 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/10/09 18:28:08.0826 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/09 18:28:08.0857 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/10/09 18:28:08.0904 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/09 18:28:08.0966 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/09 18:28:09.0076 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/09 18:28:09.0091 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/09 18:28:09.0122 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/09 18:28:09.0138 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/09 18:28:09.0169 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/09 18:28:09.0201 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/09 18:28:09.0247 NAL (1e59aaed42a5e3a5ed86ec403f9c0776) C:\WINDOWS\system32\Drivers\iqvw32.sys
2010/10/09 18:28:09.0279 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/09 18:28:09.0326 ndiscm (b797ee2ef919c95561dee78b72b33e5b) C:\WINDOWS\system32\DRIVERS\NetMotCM.sys
2010/10/09 18:28:09.0357 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/09 18:28:09.0388 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/09 18:28:09.0419 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/09 18:28:09.0451 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/09 18:28:09.0482 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/09 18:28:09.0497 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/09 18:28:09.0576 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/09 18:28:09.0607 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/09 18:28:09.0669 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/09 18:28:10.0076 nv (cb0ce8de9f66a297cd86eb98921b8e58) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/10/09 18:28:10.0326 NVR0Dev (a2189fc364062aa336e3fc934e46e147) C:\WINDOWS\nvoclock.sys
2010/10/09 18:28:11.0091 NVR0FLASHDev (d429e370a8581b80a3eaadfd88ce867b) C:\WINDOWS\nvflash.sys
2010/10/09 18:28:11.0201 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/09 18:28:11.0216 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/09 18:28:11.0247 NwlnkIpx (8b8b1be2dba4025da6786c645f77f123) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
2010/10/09 18:28:11.0279 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
2010/10/09 18:28:11.0294 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
2010/10/09 18:28:11.0341 NWRDR (36b9b950e3d2e100970a48d8bad86740) C:\WINDOWS\system32\DRIVERS\nwrdr.sys
2010/10/09 18:28:11.0388 ossrv (99f877a7bb6feb5af1184eafe937c208) C:\WINDOWS\system32\drivers\ctoss2k.sys
2010/10/09 18:28:11.0419 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/10/09 18:28:11.0451 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/09 18:28:11.0497 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/09 18:28:11.0513 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/09 18:28:11.0576 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/10/09 18:28:11.0638 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/10/09 18:28:11.0716 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/10/09 18:28:11.0763 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/10/09 18:28:11.0826 physX32 (4e34a8bdab879ce6a2b5f88b98ebf451) C:\WINDOWS\system32\DRIVERS\physX32.sys
2010/10/09 18:28:11.0935 PnkBstrK (a32ef1b47f239fc91dbf5c02feaf573d) C:\WINDOWS\system32\drivers\PnkBstrK.sys
2010/10/09 18:28:11.0997 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/09 18:28:12.0076 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/10/09 18:28:12.0122 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/09 18:28:12.0216 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/10/09 18:28:12.0232 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/10/09 18:28:12.0247 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/10/09 18:28:12.0263 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/10/09 18:28:12.0279 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/10/09 18:28:12.0294 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/09 18:28:12.0341 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/09 18:28:12.0372 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/09 18:28:12.0404 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/09 18:28:12.0451 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/09 18:28:12.0482 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/09 18:28:12.0513 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/10/09 18:28:12.0560 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/09 18:28:12.0591 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/09 18:28:12.0716 SbieDrv (9842b0829f6a19b7cd9f4d423c534735) C:\Program Files\Sandboxie\SbieDrv.sys
2010/10/09 18:28:12.0763 SCREAMINGBDRIVER (a643d6df1b7546256b11fb5d6b5d1375) C:\WINDOWS\system32\drivers\ScreamingBAudio.sys
2010/10/09 18:28:12.0810 SDDMI2 (8edd7b9e4a4b4c16e2dab9188caa861b) C:\WINDOWS\system32\DDMI2.sys
2010/10/09 18:28:12.0888 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/09 18:28:12.0904 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/10/09 18:28:13.0029 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/10/09 18:28:13.0107 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/10/09 18:28:13.0185 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/10/09 18:28:13.0216 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/10/09 18:28:13.0247 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/09 18:28:13.0310 sptd (d15da1ba189770d93eea2d7e18f95af9) C:\WINDOWS\System32\Drivers\sptd.sys
2010/10/09 18:28:13.0357 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/09 18:28:13.0404 Srv (4f8a43adef66f135564085a9dca96a26) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/09 18:28:13.0451 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/09 18:28:13.0466 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/09 18:28:13.0513 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/10/09 18:28:13.0576 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/10/09 18:28:13.0607 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/10/09 18:28:13.0622 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/10/09 18:28:13.0669 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/09 18:28:13.0716 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/09 18:28:13.0732 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/09 18:28:13.0763 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/09 18:28:13.0794 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/09 18:28:13.0826 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/10/09 18:28:13.0904 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/09 18:28:13.0904 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/10/09 18:28:13.0982 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/09 18:28:14.0076 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/10/09 18:28:14.0107 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/10/09 18:28:14.0138 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/10/09 18:28:14.0169 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/10/09 18:28:14.0185 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/09 18:28:14.0216 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/10/09 18:28:14.0247 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/09 18:28:14.0294 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/10/09 18:28:14.0341 VCSVADHWSer (b2abab4ca46bad182e27763dc19c780f) C:\WINDOWS\system32\DRIVERS\vcsvad.sys
2010/10/09 18:28:14.0372 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/10/09 18:28:14.0404 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/10/09 18:28:14.0451 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/10/09 18:28:14.0466 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/09 18:28:14.0529 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/09 18:28:14.0576 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/09 18:28:14.0638 WpdUsb (bbaeaca1ffa3c86361cf0998474f6c3a) C:\WINDOWS\system32\Drivers\wpdusb.sys
2010/10/09 18:28:14.0685 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/10/09 18:28:14.0747 ================================================================================
2010/10/09 18:28:14.0747 Scan finished
2010/10/09 18:28:14.0747 ================================================================================
2010/10/09 18:28:14.0747 Detected object count: 1
2010/10/09 18:28:40.0076 C:\WINDOWS\system32\drivers\gaopdxtoymeabe.sys - will be deleted after reboot
2010/10/09 18:28:40.0076 C:\WINDOWS\system32\gaopdxnpvpcdot.dll - will be deleted after reboot
2010/10/09 18:28:40.0107 HKLM\SYSTEM\controlset001\services\gaopdxserv.sys - will be deleted after reboot
2010/10/09 18:28:40.0122 HKLM\SYSTEM\ControlSet002\services\gaopdxserv.sys - will be deleted after reboot
2010/10/09 18:28:40.0122 HKLM\SYSTEM\ControlSet003\services\gaopdxserv.sys - will be deleted after reboot
2010/10/09 18:28:40.0122 HKLM\SYSTEM\ControlSet004\services\gaopdxserv.sys - will be deleted after reboot
2010/10/09 18:28:40.0122 HKLM\SYSTEM\ControlSet005\services\gaopdxserv.sys - will be deleted after reboot
2010/10/09 18:28:40.0122 C:\WINDOWS\system32\drivers\gaopdxtoymeabe.sys - will be deleted after reboot
2010/10/09 18:28:40.0122 Rootkit.Win32.TDSS.tdl2(gaopdxserv.sys) - User select action: Delete
2010/10/09 18:28:57.0263 Deinitialize success

================================================================================

And the MBR log:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000045dc

Kernel Drivers (total 143):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xB85A8000 \WINDOWS\system32\KDCOM.DLL
0xB84B8000 \WINDOWS\system32\BOOTVID.dll
0xB7F79000 ACPI.sys
0xB85AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB7F68000 pci.sys
0xB80A8000 isapnp.sys
0xB80B8000 MountMgr.sys
0xB7F49000 ftdisk.sys
0xB85AC000 dmload.sys
0xB7F23000 dmio.sys
0xB8328000 PartMgr.sys
0xB80C8000 VolSnap.sys
0xB7E6C000 iaStor.sys
0xB80D8000 disk.sys
0xB80E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB7E4C000 fltmgr.sys
0xB7E3A000 sr.sys
0xB7E24000 DRVMCDB.SYS
0xB7E0D000 KSecDD.sys
0xB7D80000 Ntfs.sys
0xB7D53000 NDIS.sys
0xB7D39000 Mup.sys
0xB7651000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB6ADF000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB6ACB000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB8368000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB6AA7000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xB8370000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB6A8C000 \SystemRoot\system32\DRIVERS\athena.sys
0xB6A20000 \SystemRoot\system32\drivers\ctaud2k.sys
0xB69FC000 \SystemRoot\system32\drivers\portcls.sys
0xB8228000 \SystemRoot\system32\drivers\drmk.sys
0xB69D9000 \SystemRoot\system32\drivers\ks.sys
0xB69A7000 \SystemRoot\system32\drivers\ctoss2k.sys
0xB8378000 \SystemRoot\system32\drivers\ctprxy2k.sys
0xB8238000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB8248000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB8258000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB8380000 \SystemRoot\system32\DRIVERS\ELacpi.sys
0xB87AF000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB8268000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB8584000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB6990000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB8278000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB8288000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB8388000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB697F000 \SystemRoot\system32\DRIVERS\psched.sys
0xB8298000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB8390000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB8398000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB694F000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB82A8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xB83A0000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB83A8000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB6932000 \SystemRoot\system32\DRIVERS\mcdbus.sys
0xB691A000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
0xB8634000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB68BC000 \SystemRoot\system32\DRIVERS\update.sys
0xB85A0000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB25AC000 \SystemRoot\system32\drivers\ha20x2k.sys
0xB257F000 \SystemRoot\system32\drivers\emupia2k.sys
0xB2558000 \SystemRoot\system32\drivers\ctsfm2k.sys
0xB24BC000 \SystemRoot\system32\drivers\ctac32k.sys
0xB7691000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAFE8E000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB85B6000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB1A81000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xB85B8000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
0xB85BA000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xABFC7000 \SystemRoot\System32\Drivers\Null.SYS
0xB85BC000 \SystemRoot\System32\Drivers\Beep.SYS
0xB8360000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
0xB165E000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB1656000 \SystemRoot\System32\drivers\vga.sys
0xB85BE000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xB85C0000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB164E000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB1646000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB1A75000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAACCC000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAAC73000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAAC39000 \SystemRoot\System32\Drivers\avgtdix.sys
0xAAAB8000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xAFE0E000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB85C8000 \SystemRoot\system32\drivers\grmnusb.sys
0xABED7000 \SystemRoot\system32\drivers\GRMNGEN.SYS
0xAE61B000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xAFDFE000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xAE617000 \??\C:\WINDOWS\System32\Drivers\Elhid.sys
0xAAA11000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAA9E5000 \SystemRoot\System32\drivers\afd.sys
0xB76D1000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAA9BA000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAA94A000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB76E1000 \SystemRoot\System32\Drivers\Fips.SYS
0xB85CA000 \??\C:\WINDOWS\System32\Drivers\Elmou.sys
0xB85CC000 \??\C:\WINDOWS\System32\Drivers\Elmon.sys
0xB85CE000 \??\C:\WINDOWS\System32\Drivers\Elkbd.sys
0xABEBF000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xAA916000 \SystemRoot\System32\Drivers\avgldx86.sys
0xABF4A000 \SystemRoot\system32\DRIVERS\NetMotCM.sys
0xAAC14000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xAAD0F000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xAACFF000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x9EF28000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xAFE4E000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x9EE71000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xAAD1B000 \SystemRoot\System32\drivers\Dxapi.sys
0xB8338000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xA6AC7000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xA9563000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0x9FDC1000 \SystemRoot\System32\DLA\DLADResN.SYS
0x9EBFA000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
0xA3F6B000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
0xA217F000 \SystemRoot\System32\DLA\DLAPoolM.SYS
0xB8460000 \SystemRoot\System32\DLA\DLABOIOM.SYS
0x9EBE2000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
0x9EBCC000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
0x9EBAC000 \??\C:\Program Files\Sandboxie\SbieDrv.sys
0x9EB96000 \SystemRoot\system32\DRIVERS\nwlnkipx.sys
0xB82E8000 \SystemRoot\system32\DRIVERS\nwlnknb.sys
0x9F0FE000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB81E8000 \SystemRoot\system32\DRIVERS\nwlnkspx.sys
0x9EA7E000 \SystemRoot\system32\DRIVERS\nwrdr.sys
0x9EA2A000 \??\C:\WINDOWS\system32\drivers\acedrv11.sys
0xB85EA000 \SystemRoot\System32\Drivers\ASCTRM.SYS
0x9E9E7000 \SystemRoot\system32\DRIVERS\atksgt.sys
0x9E92E000 \SystemRoot\System32\Drivers\HTTP.sys
0xB8468000 \SystemRoot\system32\DRIVERS\lirsgt.sys
0x9E7C4000 \SystemRoot\system32\DRIVERS\srv.sys
0xAA68A000 \??\C:\WINDOWS\nvflash.sys
0xAA6F3000 \SystemRoot\system32\DRIVERS\secdrv.sys
0xA9923000 \??\C:\WINDOWS\nvoclock.sys
0x9E1E7000 \SystemRoot\system32\drivers\wdmaud.sys
0x9E50C000 \SystemRoot\system32\drivers\sysaudio.sys
0x9D364000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 69):
0 System Idle Process
4 System
612 C:\WINDOWS\system32\smss.exe
684 csrss.exe
716 C:\WINDOWS\system32\winlogon.exe
760 C:\WINDOWS\system32\services.exe
772 C:\WINDOWS\system32\lsass.exe
980 C:\WINDOWS\system32\nvsvc32.exe
1016 C:\WINDOWS\system32\svchost.exe
1064 svchost.exe
1160 C:\Program Files\Sandboxie\SbieSvc.exe
1180 C:\WINDOWS\system32\svchost.exe
1372 svchost.exe
1416 C:\Program Files\AVG\AVG9\avgchsvx.exe
1476 C:\Program Files\AVG\AVG9\avgrsx.exe
1512 svchost.exe
1720 C:\Program Files\AVG\AVG9\avgcsrvx.exe
1804 C:\WINDOWS\system32\spoolsv.exe
244 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
280 C:\Program Files\AVG\AVG9\avgwdsvc.exe
292 C:\Program Files\Bonjour\mDNSResponder.exe
328 C:\WINDOWS\system32\CTSVCCDA.EXE
448 C:\WINDOWS\ehome\ehrecvr.exe
472 C:\WINDOWS\ehome\ehSched.exe
1108 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
1588 C:\Program Files\AVG\AVG9\avgnsx.exe
1592 C:\Program Files\Java\jre6\bin\jqs.exe
2100 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
2216 C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
2336 C:\WINDOWS\system32\PnkBstrA.exe
2444 C:\WINDOWS\system32\PnkBstrB.exe
2488 C:\Program Files\Dell Support Center\bin\sprtsvc.exe
2748 svchost.exe
2888 wdfmgr.exe
2920 C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
2956 mcrdsvc.exe
3032 C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe
3272 C:\WINDOWS\system32\dllhost.exe
3616 alg.exe
2572 C:\WINDOWS\system32\rundll32.exe
3544 C:\WINDOWS\explorer.exe
2428 C:\WINDOWS\system32\wuauclt.exe
2792 C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
2272 C:\Program Files\Dell Support Center\bin\sprtcmd.exe
1236 C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
1460 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2192 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
1368 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
2140 C:\PROGRA~1\AVG\AVG9\avgtray.exe
384 C:\WINDOWS\system32\rundll32.exe
2312 C:\Program Files\iTunes\iTunesHelper.exe
2400 C:\WINDOWS\system32\ctfmon.exe
3532 C:\Program Files\DNA\btdna.exe
204 C:\Program Files\Steam\Steam.exe
2856 C:\Program Files\Skype\Phone\Skype.exe
4084 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
3956 C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
2500 C:\WINDOWS\system32\CTXFISPI.EXE
1444 C:\Program Files\OpenOffice.org 3\program\soffice.exe
1140 C:\Program Files\OpenOffice.org 3\program\soffice.bin
3904 C:\Program Files\iPod\bin\iPodService.exe
1668 C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe
1272 C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2344 C:\Program Files\Skype\Plugin Manager\skypePM.exe
2300 C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
1008 C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2596 C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2392 C:\Documents and Settings\Christopher Locke\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
1560 C:\Documents and Settings\Christopher Locke\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)

PhysicalDrive0 Model Number: ST3320633AS, Rev: 3.ADJ

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Dell MBR code detected
SHA1: 57BDF501CE769EF2720C705B6C71C893DA31574E


Done!

==================================================================================

I must add that after rebooting after the scan, my computer completed the CHKDSK that I told it to do a year and a half ago, but was unable to complete due to my hard drive being "RAW" instead of "NTFS", so if nothing else is fixed from this, I thank you. I can now defrag for the first time in forever :)

If I'm posting, I probably have something horribly wrong with my computer, there's no obvious explanation for it, that's just the way it is.

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 10 October 2010 - 03:28 AM

TDSS has been in the system for some time. The killer has removed it but we must make sure that it's completely gone.

Please now run Combofix

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#7 sausage

sausage
  • Topic Starter
  • Members
  • 388 posts
  • Gender:Male
  • Location:Louisville Colorado

Posted 10 October 2010 - 10:03 AM

ComboFix 10-10-09.06 - Christopher Locke 10/10/2010 9:01.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1234 [GMT -6:00]
Running from: c:\documents and settings\Christopher Locke\Desktop\comfix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Christopher Locke\GoToAssistDownloadHelper.exe
C:\Install.exe
C:\resycled
c:\windows\system32\gi3
c:\windows\system32\giv
c:\windows\system32\IN
c:\windows\system32\LmpqYJjl.ini
c:\windows\system32\LmpqYJjl.ini2
c:\windows\system32\op8
c:\windows\system32\TEC
c:\windows\system32\vi
c:\windows\system32\WORK.DAT
c:\windows\system32\wupd.dat
c:\windows\Tasks\xlmrosnd.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_gaopdxserv.sys
-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2010-09-10 to 2010-10-10 )))))))))))))))))))))))))))))))
.

2070-11-29 00:02 . 2006-11-22 02:48 203576 -c----w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
2010-10-10 08:18 . 2010-10-10 08:18 -------- d-----w- c:\windows\system32\MpEngineStore
2010-10-10 08:06 . 2010-10-10 08:06 -------- d-----w- c:\windows\ie8updates
2010-10-10 04:18 . 2010-06-24 12:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-10-10 04:18 . 2010-06-24 12:21 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-10-10 04:18 . 2010-06-24 12:21 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-10-10 00:47 . 2010-10-10 00:47 -------- d-----w- C:\found.000
2010-10-09 03:53 . 2010-10-09 04:49 -------- d-----w- c:\program files\Garena
2010-10-06 23:07 . 2010-10-06 23:07 -------- d-----r- C:\Sandbox
2010-10-06 23:06 . 2010-10-06 23:06 -------- d-----w- c:\program files\Sandboxie
2010-10-02 00:27 . 2010-10-02 00:27 -------- d-----w- c:\program files\Trend Micro
2010-09-22 23:20 . 2010-09-22 23:20 -------- d-----w- c:\documents and settings\Christopher Locke\Local Settings\Application Data\storage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-07 323392]
"Steam"="c:\program files\steam\steam.exe" [2010-08-27 1242448]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-09-02 13351304]
"Google Update"="c:\documents and settings\Christopher Locke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-31 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-13 39408]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [N/A]
"gStart"="c:\garmin\gStart.exe" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-04 2067808]
"nwiz"="nwiz.exe" [N/A]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [N/A]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2005-11-08 25600]

c:\documents and settings\Christopher Locke\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 15:44 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-10-21 03:02 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Christopher Locke^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Christopher Locke\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Christopher Locke^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Christopher Locke\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adobemedia.exe]
c:\windows\system32\adobemedia.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
c:\progra~1\AVG\AVG8\avgtray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2005-11-08 18:30 16384 ----a-w- c:\windows\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2006-03-02 10:00 18944 ----a-w- c:\windows\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CyberDefender Registry Cleaner]
c:\program files\CyberDefender\Registry Cleaner\CDregclean.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-08-31 00:13 133104 ----atw- c:\documents and settings\Christopher Locke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]
2010-08-09 10:03 389352 ----a-w- c:\program files\Sandboxie\SbieCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"AOL ACS"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"DAUpdaterSvc"=3 (0x3)
"BITS"=3 (0x3)
"avg8wd"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\steamapps\\acckkkk\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\Archive.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Documents and Settings\\Christopher Locke\\My Documents\\My Games\\utorrent.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_10\\jre\\bin\\java.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\steamapps\\eatnglow\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4sp.exe"=
"c:\\games\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\games\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Mass Effect 2\\Binaries\\MassEffect2.exe"=
"c:\\Program Files\\Mass Effect 2\\MassEffect2Launcher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pollux Gamelabs\\Lost Empire - Immortals\\LostEmpire.exe"=
"c:\\Program Files\\SEGA\\Alpha Protocol\\Binaries\\APGame.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Program Files\\Ubisoft\\Tom Clancy's Splinter Cell Conviction\\src\\system\\conviction_game.exe"=
"c:\\Program Files\\Ubisoft\\Tom Clancy's Splinter Cell Conviction\\src\\system\\gu.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"56380:TCP"= 56380:TCP:Pando Media Booster
"56380:UDP"= 56380:UDP:Pando Media Booster
"57602:TCP"= 57602:TCP:Pando Media Booster
"57602:UDP"= 57602:UDP:Pando Media Booster

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/28/2009 4:34 PM 216400]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/28/2009 4:34 PM 243024]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2/24/2010 4:22 AM 185472]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/10/2010 11:40 AM 308136]
R3 athena;athena;c:\windows\system32\drivers\athena.sys [1/8/2007 1:38 PM 107392]
S0 klmdb;klmdb;c:\windows\system32\drivers\klmdb.sys --> c:\windows\system32\drivers\klmdb.sys [?]
S1 ndistapii;ndistapii;c:\windows\system32\drivers\ndistapii.sys --> c:\windows\system32\drivers\ndistapii.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/13/2010 3:55 PM 135664]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\plugins\UI\safedrv.sys --> c:\program files\Garena\plugins\UI\safedrv.sys [?]
S3 physX32;physX32;c:\windows\system32\drivers\physX32.sys [7/20/2008 7:34 PM 120320]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [12/1/2009 3:49 PM 34384]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [4/23/2010 4:35 PM 17792]
S4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [11/11/2009 3:27 PM 25832]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/7/2008 12:30 PM 721904]
.
Contents of the 'Scheduled Tasks' folder

2010-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 21:55]

2010-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 21:55]

2010-10-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-70804000-3990817088-1190474238-1006Core.job
- c:\documents and settings\Christopher Locke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-31 00:13]

2010-10-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-70804000-3990817088-1190474238-1006UA.job
- c:\documents and settings\Christopher Locke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-31 00:13]

2010-10-10 c:\windows\Tasks\MyDefrag v4.3.1 Daily.job
- c:\program files\MyDefrag v4.3.1\Scripts\AutomaticDaily.MyD [2010-05-28 18:03]

2010-10-01 c:\windows\Tasks\MyDefrag v4.3.1 Monthly.job
- c:\program files\MyDefrag v4.3.1\Scripts\AutomaticMonthly.MyD [2010-05-28 18:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: turbotax.com
Trusted Zone: antispyexpert.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: virusremover2008.com
FF - ProfilePath - c:\documents and settings\Christopher Locke\Application Data\Mozilla\Firefox\Profiles\v7d9pgch.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Christopher Locke\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{78EF59AD-E444-A210-2D5D-84C1F5CE5633} - (no file)
BHO-{84FC3CE6-3AA6-4BFD-A2AF-92C26D0DEF93} - (no file)
Toolbar-SITEguard - (no file)
AddRemove-8461-7759-5462-8226 - c:\program files\Vuze\uninstall.exe
AddRemove-McAfee Uninstall Utility - c:\progra~1\McAfee.com\Shared\mcappins.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-70804000-3990817088-1190474238-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e9,4f,ae,87,96,8e,72,8e,b6,7a,58,0b,49,1d,80,6e,0a,9f,59,00,1d,02,3d,
88,f2,0b,e6,51,f2,e9,59,0b,be,18,ea,c5,e9,ea,17,28,e5,e9,7d,52,af,19,1e,16,\
"??"=hex:f7,9a,59,d1,3d,b0,9e,af,db,6c,e9,91,2f,c4,2a,36

[HKEY_USERS\S-1-5-21-70804000-3990817088-1190474238-1006\Software\SecuROM\License information*]
"datasecu"=hex:43,4d,61,42,9e,70,28,d6,3d,33,a7,4c,e9,9e,59,4a,81,c2,5e,41,27,
eb,ff,a1,4e,e6,b9,b6,43,42,eb,78,93,28,95,2d,b5,d9,fc,16,8a,8f,75,37,63,7c,\
"rkeysecu"=hex:d3,ce,4b,b7,3b,03,a2,10,54,8b,d0,71,b0,3f,9e,91
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(3484)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Sandboxie\SbieSvc.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\NVIDIA Corporation\System Update\UpdateCenterService.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
c:\program files\Skype\Phone\Skype.exe
c:\documents and settings\Christopher Locke\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\windows\SYSTEM32\CTXFISPI.EXE
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-10-10 09:33:38 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-10 15:33

Pre-Run: 26,207,141,888 bytes free
Post-Run: 29,040,402,432 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=1 Sets=1,2,3,4,5
- - End Of File - - D12DB671CDE02B278B4BF03C20C97BAB

My computer seems clean, thanks :D

I'll let you know if I have other issues.

Edited by sausage, 10 October 2010 - 10:41 AM.

If I'm posting, I probably have something horribly wrong with my computer, there's no obvious explanation for it, that's just the way it is.

#8 m0le (Can U Dig It?)
  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 10 October 2010 - 04:24 PM

QUOTE
My computer seems clean, thanks :D

I'll let you know if I have other issues.



Combofix still has some things showing:

QUOTE
S0 klmdb;klmdb;c:\windows\system32\drivers\klmdb.sys --> c:\windows\system32\drivers\klmdb.sys [?]


klmdb is a bank info stealer. The driver has been stopped but it needs to go. Also, you will need to do some security on your PC.


Which of these did you put in the Trusted Zone yourself? I'm guessing only the first one.

QUOTE
Trusted Zone: turbotax.com
Trusted Zone: antispyexpert.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: virusremover2008.com


Hopefully, you haven't gone off thinking everything's okay. Please answer the question about the Trusted Zone entries.

m0le is a proud member of UNITE

#9 sausage (Topic Starter)
  • Members
  • 388 posts
  • Gender:Male
  • Location:Louisville Colorado

Posted 10 October 2010 - 04:51 PM

ummmm, yeah, none of those trusted sites were by me except turbotax.

and what should I do about klmdb?

#10 m0le

Posted 10 October 2010 - 05:04 PM

Glad you're still here :)


Please rerun Combofix as below

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

QUOTE
DDS::
Trusted Zone: antispyexpert.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: virusremover2008.com

File::
c:\windows\system32\drivers\klmdb.sys

Driver::
klmdb


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)




Referring to the picture above, drag CFScript into ComboFix.exe

If the program requests for you to update Combofix then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


#11 sausage

Posted 10 October 2010 - 05:49 PM

ComboFix 10-10-09.06 - Christopher Locke 10/10/2010 16:13:57.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1193 [GMT -6:00]
Running from: c:\documents and settings\Christopher Locke\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Christopher Locke\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\drivers\klmdb.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\CHRIST~1\LOCALS~1\Temp\swtlib-32\swt-gdip-win32-3650.dll
c:\docume~1\CHRIST~1\LOCALS~1\Temp\swtlib-32\swt-win32-3650.dll
c:\documents and settings\Christopher Locke\Local Settings\Temp\swtlib-32\swt-gdip-win32-3650.dll
c:\documents and settings\Christopher Locke\Local Settings\Temp\swtlib-32\swt-win32-3650.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_klmdb


((((((((((((((((((((((((( Files Created from 2010-09-10 to 2010-10-10 )))))))))))))))))))))))))))))))
.

2070-11-29 00:02 . 2006-11-22 02:48 203576 -c----w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
2010-10-10 14:57 . 2010-10-10 15:33 -------- d-----w- C:\comfix
2010-10-10 08:18 . 2010-10-10 08:18 -------- d-----w- c:\windows\system32\MpEngineStore
2010-10-10 08:06 . 2010-10-10 08:06 -------- d-----w- c:\windows\ie8updates
2010-10-10 04:18 . 2010-06-24 12:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-10-10 04:18 . 2010-06-24 12:21 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-10-10 04:18 . 2010-06-24 12:21 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-10-10 00:47 . 2010-10-10 00:47 -------- d-----w- C:\found.000
2010-10-09 03:53 . 2010-10-09 04:49 -------- d-----w- c:\program files\Garena
2010-10-06 23:07 . 2010-10-06 23:07 -------- d-----r- C:\Sandbox
2010-10-06 23:06 . 2010-10-06 23:06 -------- d-----w- c:\program files\Sandboxie
2010-10-02 00:27 . 2010-10-02 00:27 -------- d-----w- c:\program files\Trend Micro
2010-09-22 23:20 . 2010-09-22 23:20 -------- d-----w- c:\documents and settings\Christopher Locke\Local Settings\Application Data\storage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-10-07 323392]
"Steam"="c:\program files\steam\steam.exe" [2010-08-27 1242448]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-09-02 13351304]
"Google Update"="c:\documents and settings\Christopher Locke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-31 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-13 39408]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [N/A]
"gStart"="c:\garmin\gStart.exe" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-13 47392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-04 2067808]
"nwiz"="nwiz.exe" [N/A]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [N/A]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2005-11-08 25600]

c:\documents and settings\Christopher Locke\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 15:44 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-10-21 03:02 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^Christopher Locke^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Christopher Locke\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Christopher Locke^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Christopher Locke\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adobemedia.exe]
c:\windows\system32\adobemedia.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
c:\progra~1\AVG\AVG8\avgtray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2005-11-08 18:30 16384 ----a-w- c:\windows\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2006-03-02 10:00 18944 ----a-w- c:\windows\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CyberDefender Registry Cleaner]
c:\program files\CyberDefender\Registry Cleaner\CDregclean.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-08-31 00:13 133104 ----atw- c:\documents and settings\Christopher Locke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SandboxieControl]
2010-08-09 10:03 389352 ----a-w- c:\program files\Sandboxie\SbieCtrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"AOL ACS"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"DAUpdaterSvc"=3 (0x3)
"BITS"=3 (0x3)
"avg8wd"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\steamapps\\acckkkk\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.6.6337-to-2.0.7.6383-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.7.6383-to-2.0.8.6403-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.8.6403-to-2.0.10.6448-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.10.6448-to-2.0.12.6546-enUS-downloader.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\Archive.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Documents and Settings\\Christopher Locke\\My Documents\\My Games\\utorrent.exe"=
"c:\\Program Files\\Java\\jdk1.6.0_10\\jre\\bin\\java.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\steamapps\\eatnglow\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4sp.exe"=
"c:\\games\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\games\\Mass Effect\\MassEffectLauncher.exe"=
"c:\\Program Files\\Mass Effect 2\\Binaries\\MassEffect2.exe"=
"c:\\Program Files\\Mass Effect 2\\MassEffect2Launcher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pollux Gamelabs\\Lost Empire - Immortals\\LostEmpire.exe"=
"c:\\Program Files\\SEGA\\Alpha Protocol\\Binaries\\APGame.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Program Files\\Ubisoft\\Tom Clancy's Splinter Cell Conviction\\src\\system\\conviction_game.exe"=
"c:\\Program Files\\Ubisoft\\Tom Clancy's Splinter Cell Conviction\\src\\system\\gu.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"56380:TCP"= 56380:TCP:Pando Media Booster
"56380:UDP"= 56380:UDP:Pando Media Booster
"57602:TCP"= 57602:TCP:Pando Media Booster
"57602:UDP"= 57602:UDP:Pando Media Booster

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/28/2009 4:34 PM 216400]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/28/2009 4:34 PM 243024]
R2 acedrv11;acedrv11;c:\windows\system32\drivers\acedrv11.sys [2/24/2010 4:22 AM 185472]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/10/2010 11:40 AM 308136]
R3 athena;athena;c:\windows\system32\drivers\athena.sys [1/8/2007 1:38 PM 107392]
S1 ndistapii;ndistapii;c:\windows\system32\drivers\ndistapii.sys --> c:\windows\system32\drivers\ndistapii.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/13/2010 3:55 PM 135664]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\plugins\UI\safedrv.sys --> c:\program files\Garena\plugins\UI\safedrv.sys [?]
S3 physX32;physX32;c:\windows\system32\drivers\physX32.sys [7/20/2008 7:34 PM 120320]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [12/1/2009 3:49 PM 34384]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\system32\drivers\vcsvad.sys [4/23/2010 4:35 PM 17792]
S4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [11/11/2009 3:27 PM 25832]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/7/2008 12:30 PM 721904]
.
Contents of the 'Scheduled Tasks' folder

2010-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 21:55]

2010-10-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 21:55]

2010-10-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-70804000-3990817088-1190474238-1006Core.job
- c:\documents and settings\Christopher Locke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-31 00:13]

2010-10-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-70804000-3990817088-1190474238-1006UA.job
- c:\documents and settings\Christopher Locke\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-31 00:13]

2010-10-10 c:\windows\Tasks\MyDefrag v4.3.1 Daily.job
- c:\program files\MyDefrag v4.3.1\Scripts\AutomaticDaily.MyD [2010-05-28 18:03]

2010-10-01 c:\windows\Tasks\MyDefrag v4.3.1 Monthly.job
- c:\program files\MyDefrag v4.3.1\Scripts\AutomaticMonthly.MyD [2010-05-28 18:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\Christopher Locke\Application Data\Mozilla\Firefox\Profiles\v7d9pgch.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-70804000-3990817088-1190474238-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e9,4f,ae,87,96,8e,72,8e,b6,7a,58,0b,49,1d,80,6e,0a,9f,59,00,1d,02,3d,
88,f2,0b,e6,51,f2,e9,59,0b,be,18,ea,c5,e9,ea,17,28,e5,e9,7d,52,af,19,1e,16,\
"??"=hex:f7,9a,59,d1,3d,b0,9e,af,db,6c,e9,91,2f,c4,2a,36

[HKEY_USERS\S-1-5-21-70804000-3990817088-1190474238-1006\Software\SecuROM\License information*]
"datasecu"=hex:43,4d,61,42,9e,70,28,d6,3d,33,a7,4c,e9,9e,59,4a,81,c2,5e,41,27,
eb,ff,a1,4e,e6,b9,b6,43,42,eb,78,93,28,95,2d,b5,d9,fc,16,8a,8f,75,37,63,7c,\
"rkeysecu"=hex:d3,ce,4b,b7,3b,03,a2,10,54,8b,d0,71,b0,3f,9e,91
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(856)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Sandboxie\SbieSvc.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\NVIDIA Corporation\System Update\UpdateCenterService.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\SYSTEM32\CTXFISPI.EXE
c:\program files\Skype\Phone\Skype.exe
c:\documents and settings\Christopher Locke\Local Settings\Application Data\Google\Update\1.2.183.29\GoogleCrashHandler.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
c:\program files\iTunes\iTunes.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
c:\program files\Common Files\Apple\Apple Application Support\distnoted.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-10-10 16:47:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-10 22:47
ComboFix2.txt 2010-10-10 15:33

Pre-Run: 28,970,676,224 bytes free
Post-Run: 28,946,161,664 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=1 Sets=1,2,3,4,5
- - End Of File - - 31E26ECF0FC49B6122AE5E33A4400873


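The triage m0le does by eye in post #8 (Trusted Zone domains the user never added, a boot-start driver "S0 klmdb" whose file ComboFix reports as "[?]") can be scripted over the log text. The Python below is an added example for this page, not a BleepingComputer or ComboFix tool: the sample lines are copied from the log above into a constructed string, the allowlist reflects sausage's answer in post #9 (only turbotax.com was his), and the function name "triage", the "[?]" interpretation and the HIGH/MEDIUM labels are this example's own assumptions. It also surfaces two lines the log shows but the thread does not discuss, "AntiVirusOverride"=dword:00000001 under the Security Center key and "EnableFirewall"= 0 under the firewall standard profile, both of which a practitioner would want to see on a machine that was running a bank-info stealer. ComboFix's R/S prefix is running/stopped and the digit is the Windows start type (0 boot, 1 system, 2 auto, 3 demand, 4 disabled), which is why a missing-file entry at S0/S1 is ranked above the Garena S3 one.

```python
"""Triage of ComboFix-style log lines: Trusted Zone entries, services/drivers
whose file ComboFix could not read, and the Security Center / firewall keys.
Added example for this page, not part of ComboFix or the original thread."""
import re
from typing import List, Tuple

# Domains the user confirmed adding himself (post #9: only turbotax.com).
TRUSTED_ALLOWLIST = {"turbotax.com"}

# ComboFix prefixes each service with R (running) or S (stopped) and the Windows
# start type: 0 boot, 1 system, 2 auto, 3 demand, 4 disabled.
SERVICE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*)$")
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(\S+)")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')

Finding = Tuple[str, str]  # (severity, message); severities are this example's own

# Constructed sample: lines copied from the thread's log, not a full ComboFix run.
SAMPLE_LOG = r"""
Trusted Zone: turbotax.com
Trusted Zone: antispyexpert.com
Trusted Zone: virusremover2008.com
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/28/2009 4:34 PM 216400]
S0 klmdb;klmdb;c:\windows\system32\drivers\klmdb.sys --> c:\windows\system32\drivers\klmdb.sys [?]
S1 ndistapii;ndistapii;c:\windows\system32\drivers\ndistapii.sys --> c:\windows\system32\drivers\ndistapii.sys [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\c:\program files\Garena\plugins\UI\safedrv.sys --> c:\program files\Garena\plugins\UI\safedrv.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""


def _reg_int(raw: str) -> int:
    """Parse both value spellings seen in the log: 'dword:00000001' and '0 (0x0)'."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return int(raw.split()[0], 0)


def triage(log_text: str) -> List[Finding]:
    """Return items for a human to review; this is a filter, not a verdict."""
    findings: List[Finding] = []
    current_key = ""
    for line in log_text.splitlines():
        line = line.rstrip()

        m = TRUSTED_RE.match(line)
        if m:
            domain = m.group(1).lower()
            if domain not in TRUSTED_ALLOWLIST:
                findings.append(("HIGH", f"unexpected Trusted Zone entry: {domain}"))
            continue

        m = SERVICE_RE.match(line)
        if m:
            state, start, name, _display, rest = m.groups()
            # "[?]" is taken here to mean ComboFix could not read the file (missing,
            # hidden or locked); a boot/system-start driver in that state ranks highest.
            if rest.endswith("[?]"):
                path = rest.split("-->")[-1].replace("[?]", "").strip()
                severity = "HIGH" if start in ("0", "1") else "MEDIUM"
                findings.append((severity, f"service {name} ({state}{start}) points at unreadable file {path}"))
            continue

        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()  # remember which key the next values belong to
            continue

        m = REG_VALUE_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if current_key.endswith("security center") and name == "AntiVirusOverride" and _reg_int(raw) == 1:
            findings.append(("MEDIUM", "Security Center antivirus monitoring overridden (AntiVirusOverride=1)"))
        elif current_key.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and _reg_int(raw) == 0:
            findings.append(("MEDIUM", "Windows Firewall disabled in the standard profile (EnableFirewall=0)"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Run it on a full ComboFix.txt and it will also flag legitimate entries (the Garena safedrv.sys above is one), so treat the output as a reading list, not a removal list; the CFScript in post #10 is still written by hand after that review.
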
#12 m0le

Posted 10 October 2010 - 07:38 PM

That's good. How's the PC running?

We need to check for bits and pieces left over, please visit ESET
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Leave the top box checked and then check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

#13 m0le

Posted 14 October 2010 - 06:41 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le

#14 sausage

Posted 14 October 2010 - 06:51 PM

Oh wow, whoops. I looked at this when I got home the day you posted, but had homework to do so I waited, totally forgot about it. I'll run right now and edit.

EDIT: woah.


C:\Documents and Settings\Christopher Locke\Application Data\Sun\Java\Deployment\cache\6.0\1\30502701-486fc453 multiple threats deleted - quarantined
C:\Documents and Settings\Christopher Locke\Application Data\Sun\Java\Deployment\cache\6.0\12\308c10c-76d81d34 multiple threats deleted - quarantined
C:\Documents and Settings\Christopher Locke\Application Data\Sun\Java\Deployment\cache\6.0\12\3e17490c-5b50a406 multiple threats deleted - quarantined
C:\Documents and Settings\Christopher Locke\Application Data\Sun\Java\Deployment\cache\6.0\17\6486e391-505b5c06 multiple threats deleted - quarantined
C:\Documents and Settings\Christopher Locke\Application Data\Sun\Java\Deployment\cache\6.0\18\6d69fa52-77394388 multiple threats deleted - quarantined
C:\Documents and Settings\Christopher Locke\Application Data\Sun\Java\Deployment\cache\6.0\25\7b7b6759-3d03baeb multiple threats deleted - quarantined
C:\Documents and Settings\Christopher Locke\Application Data\Sun\Java\Deployment\cache\6.0\29\6b2b9ddd-1a72bec5 multiple threats deleted - quarantined
C:\Documents and Settings\Christopher Locke\Application Data\Sun\Java\Deployment\cache\6.0\3\3727bc3-62456c22 multiple threats deleted - quarantined
C:\Documents and Settings\Christopher Locke\Application Data\Sun\Java\Deployment\cache\6.0\33\7dc36be1-67f42c9d multiple threats deleted - quarantined
C:\Documents and Settings\Christopher Locke\Application Data\Sun\Java\Deployment\cache\6.0\37\716041e5-3275d5fc multiple threats deleted - quarantined
C:\Documents and Settings\Christopher Locke\Application Data\Sun\Java\Deployment\cache\6.0\38\6bafd9a6-23b3d2a2 probably a variant of Win32/Agent.FPEXZHL trojan deleted - quarantined
C:\Documents and Settings\Christopher Locke\Application Data\Sun\Java\Deployment\cache\6.0\42\64200ea-2b3f6a0b multiple threats deleted - quarantined
C:\Documents and Settings\Christopher Locke\Application Data\Sun\Java\Deployment\cache\6.0\43\322170ab-4508770b multiple threats deleted - quarantined
C:\Documents and Settings\Christopher Locke\Application Data\Sun\Java\Deployment\cache\6.0\48\472eb3f0-4d737fd1 multiple threats deleted - quarantined
C:\Documents and Settings\Christopher Locke\Application Data\Sun\Java\Deployment\cache\6.0\61\481ee53d-47b7d969 probably a variant of Win32/Agent.HRYTTOE trojan deleted - quarantined
C:\Documents and Settings\Christopher Locke\Application Data\Sun\Java\Deployment\cache\6.0\62\581d0bbe-73548111 multiple threats deleted - quarantined
C:\Documents and Settings\Christopher Locke\My Documents\Azureus Downloads\Battlefield.Bad.Company.2-RELOADED.MOUSE-FIX\Battlefield.Bad.Company.2-RELOADED.MOUSE-FIX.rar a variant of Win32/Injector.BLY trojan deleted - quarantined
C:\Documents and Settings\Christopher Locke\My Documents\Azureus Downloads\Tom.Clancys.Splinter.Cell.Conviction-SKIDROW\sr-tcscc.iso a variant of Win32/Packed.VMProtect.AAA trojan deleted - quarantined
C:\Documents and Settings\Christopher Locke\My Documents\My Games\G-steam_v2.00_Final.exe probably a variant of Win32/Agent.LMLCMVZ trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\LmpqYJjl.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\Sandbox\Christopher_Locke\DefaultBox\drive\C\Program Files\Gamevance\gamevance32.exe a variant of Win32/Adware.Gamevance.AJ application cleaned by deleting - quarantined
C:\Sandbox\Christopher_Locke\DefaultBox\drive\C\Program Files\Gamevance\gamevancelib32.dll a variant of Win32/Adware.Gamevance.AJ application cleaned by deleting - quarantined
C:\Sandbox\Christopher_Locke\DefaultBox\drive\C\Program Files\Gamevance\gvtl.dll a variant of Win32/Adware.Gamevance.AL application cleaned by deleting - quarantined
C:\Sandbox\Christopher_Locke\DefaultBox\drive\C\Program Files\Gamevance\gvun.exe a variant of Win32/Adware.Gamevance.AJ application cleaned by deleting - quarantined
C:\Sandbox\Christopher_Locke\DefaultBox\user\current\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components\gvtlf.dll a variant of Win32/Adware.Gamevance.AJ application cleaned by deleting - quarantined
C:\Sandbox\Christopher_Locke\DefaultBox\user\current\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_00064f a variant of Win32/Adware.Gamevance.AJ application cleaned by deleting - quarantined
C:\Sandbox\Christopher_Locke\DefaultBox\user\current\My Documents\Downloads\SetupGamevance.exe a variant of Win32/Adware.Gamevance.AJ application cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1330\A0172587.exe a variant of Win32/Adware.Gamevance.AJ application cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1330\A0172588.dll a variant of Win32/Adware.Gamevance.AJ application cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1330\A0172589.dll a variant of Win32/Adware.Gamevance.AL application cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1330\A0172590.exe a variant of Win32/Adware.Gamevance.AJ application cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1330\A0172591.dll a variant of Win32/Adware.Gamevance.AJ application cleaned by deleting - quarantined
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1330\A0172592.exe a variant of Win32/Adware.Gamevance.AJ application cleaned by deleting - quarantined
C:\WINDOWS\system32\zmnrndganlhvo.exe Win32/Adware.GooochiBiz.AE.Gen application deleted - quarantined

Edited by sausage, 15 October 2010 - 07:45 AM.


#15 m0le

Posted 15 October 2010 - 07:03 PM

Yeah, it looks a lot worse than it is. The majority of the entries are Java cache or System Recovery folder entries and both are not a big issue.

The other entries are the infected files which you have been downloading from Azureus (according to the folder).

Please run Superantispyware which will mop up anything left over

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.




