TDSS plus Rootkit infection?? Not sure how to remove it/them


  • This topic is locked
11 replies to this topic

#1 paradux

Posted 21 September 2011 - 05:53 AM

Help! I am (or rather was) running Malwarebytes Pro, but now it is inaccessible, as are TDSS Killer and the SUPERAntiSpyware program I just downloaded and began running. How do I tell what I have and how to get rid of it?

Thanks in advance.

--Liz

Hi,

My computer started behaving strangely when Malwarebytes repeatedly indicated that it was blocking access to malicious sites. The next time I booted up, Malwarebytes would not start at all, nor would TDSS Killer. The pop-ups began to occur, and eventually I needed to forcibly shut down the laptop and restart. This latter mode of operation has been continuing after executing any kind of diagnostic tests.

Rkill finds nothing (but itself), Malwarebytes is inaccessible, and TDSS Killer is inaccessible. I can't even rename the executable files.

DDS attach file is attached, as is as much of the GMER log as I can capture before it dies (named ark3.txt). When it first died it just disappeared, then on my fourth attempt it gave me the blue screen stopping windows with an error in the ntsf.sys file. It craps out just after it produces a couple of lines more on the log than shown in ark3 - they appear and disappear too rapidly for me to read them.

Any help would be greatly appreciated.

Thanks
--Liz (paradux)

Now I'm reading in some other threads not to attach files but to paste in line - so here's what I have.

First, DeFogger:
defogger_disable by jpshortstuff (23.02.10.1)
Log created at 08:14 on 21/09/2011 (Liz)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

Next, DDS log:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Liz at 8:15:31 on 2011-09-21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.494.102 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\848558210:2097638605.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE
C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://headlines.verizon.com/headlines/portals/headlines.portal
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uURLSearchHooks: NetAssistant: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\freeze.com\netassistant\NetAssistant.dll
mURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: NetAssistant: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\freeze.com\netassistant\NetAssistant.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [<NO NAME>]
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [\\LIZDESKTOP\EPSON Stylus CX5800F Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiala.exe /p40 "\\lizdesktop\EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
mRun: [CanonSolutionMenuEx] c:\program files\canon\solution menu ex\CNSEMAIN.EXE /logon
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: mswsock.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {64D01C7F-810D-446E-A07E-16C764235644} - hxxp://zone.msn.com/bingame/amad/default/atomaders.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/luxr/default/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 71.250.0.12 71.242.0.12
TCP: Interfaces\{2C2C405C-18F7-429A-BF01-DC27B6451835} : DhcpNameServer = 71.250.0.12 71.242.0.12
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
AppInit_DLLs: fayebuzu.dll c:\windows\system32\vegibeya.dll
SSODL: hokuwuyow - {1ae0b852-5e04-4500-a0ac-e8e842ebbdff} - c:\windows\system32\dudumese.dll
SSODL: golavifur - {2b5b3b53-5006-4a4c-9124-d62fc31b19e5} - c:\windows\system32\miyahewe.dll
SSODL: fawotefus - {20643429-ce6b-4515-b087-1d1d087ac0e8} - c:\windows\system32\vegibeya.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: jugezatag: {1ae0b852-5e04-4500-a0ac-e8e842ebbdff} - c:\windows\system32\dudumese.dll
STS: jugezatag: {2b5b3b53-5006-4a4c-9124-d62fc31b19e5} - c:\windows\system32\miyahewe.dll
STS: tokatiluy: {20643429-ce6b-4515-b087-1d1d087ac0e8} - c:\windows\system32\vegibeya.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-19 366152]
R2 WDHLLKNL;WDHLLKNL;c:\windows\system32\drivers\wdhllknl.sys [2005-3-17 4864]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2005-3-17 9817]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-10 22216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2005-3-17 117760]
S3 COAX;COAX;c:\windows\system32\drivers\coax.sys [2005-3-17 18144]
S3 klmd23;klmd23;c:\windows\system32\drivers\klmd.sys [2011-9-20 52432]
S3 RMBS;RMBS;c:\windows\system32\drivers\RMBS.SYS [2005-3-17 18208]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-09-21 10:11:18 -------- d-----w- c:\documents and settings\liz\application data\SUPERAntiSpyware.com
2011-09-21 10:10:42 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-09-21 10:10:42 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-09-20 23:41:50 52432 ----a-w- c:\windows\system32\drivers\klmd.sys
2011-09-03 10:17:37 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-15 21:18:34 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
.
============= FINISH: 8:17:11.56 ===============

Per the instructions in attach.txt I am not attaching it at this point.

Finally, what I can capture of GMER - it craps out a couple of lines after the end (this ended when I stopped the scan at the point I recognized it was about to fail):
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-21 10:51:18
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Liz\LOCALS~1\Temp\kxlyapob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IoFreeIrp + 1CB 804E8765 7 Bytes CALL 855ADC95
init C:\WINDOWS\system32\drivers\tifm.sys entry point in "init" section [0xF7052B00]
.text netbt.sys!k_izygskfOGQHDbou_bv_v EDC04000 75 Bytes [89, 01, 81, 7D, 10, 16, 00, ...]
.text netbt.sys!k_izygskfOGQHDbou_bv_v EDC0404C 105 Bytes [00, 8B, 47, 18, 8B, 70, 0C, ...]
.text netbt.sys!k_izygskfOGQHDbou_bv_v EDC040B6 9 Bytes [0F, 84, 33, D2, 00, 00, F6, ...]
.text netbt.sys!k_izygskfOGQHDbou_bv_v EDC040C0 4 Bytes [0F, 84, 29, D2]
.text netbt.sys!k_izygskfOGQHDbou_bv_v EDC040C5 83 Bytes [00, 8B, 48, 0C, 83, 40, 18, ...]
.text ...
.text netbt.sys!YH_MP_DIph_x_OVTIKOS + EC EDC042A1 5 Bytes [75, 08, 8B, 46, 0C] {JNZ 0xa; MOV EAX, [ESI+0xc]}
.text netbt.sys!YH_MP_DIph_x_OVTIKOS + F2 EDC042A7 18 Bytes [F8, 01, 8D, 4E, 5C, 0F, 8E, ...]
.text netbt.sys!YH_MP_DIph_x_OVTIKOS + 105 EDC042BA 177 Bytes [C1, ED, 5E, 5D, C2, 0C, 00, ...]
.text netbt.sys!YegyuBJPB_dvKY_K_BXM_JJ__S_DNY_HMG_c_gk_QPpib + 4 EDC0436C 222 Bytes JMP EDC042E0 \SystemRoot\system32\DRIVERS\netbt.sys (MBT Transport driver/Microsoft Corporation)
.text netbt.sys!YegyuBJPB_dvKY_K_BXM_JJ__S_DNY_HMG_c_gk_QPpib + E3 EDC0444B 630 Bytes [C8, 00, 00, FF, 75, 0C, 57, ...]
.text netbt.sys!WLU_GRFC_ejrg_qpf_ + 19D EDC046C2 190 Bytes [FF, FF, C9, C2, 18, 00, 90, ...]
.text netbt.sys!KBIRROny__sTQ_HYM_xg_l_txCIKFKv + AB EDC04781 169 Bytes [8D, 45, A4, 50, 8B, 45, B8, ...]
.text netbt.sys!KBIRROny__sTQ_HYM_xg_l_txCIKFKv + 155 EDC0482B 188 Bytes [88, 45, D7, 8B, 85, 7C, FF, ...]
.text netbt.sys!HESD_BCENbgq_pi_zkabkuwahki__mllcra_cHEddgmex_ptoeS + 4E EDC048E8 371 Bytes CALL EDC046CD \SystemRoot\system32\DRIVERS\netbt.sys (MBT Transport driver/Microsoft Corporation)
.text netbt.sys!ccAWMI_vfU_TYN____Fon__jnJMO__jndmnz__T_U + 9 EDC04A5C 31 Bytes [14, FF, 75, 10, 53, FF, 75, ...]
.text netbt.sys!ccAWMI_vfU_TYN____Fon__jnJMO__jndmnz__T_U + 29 EDC04A7C 7 Bytes [8B, CF, FF, 15, 90, E0, C1]
.text netbt.sys!ccAWMI_vfU_TYN____Fon__jnJMO__jndmnz__T_U + 31 EDC04A84 225 Bytes [8B, 75, 08, 33, DB, 3B, F3, ...]
.text netbt.sys!ccAWMI_vfU_TYN____Fon__jnJMO__jndmnz__T_U + 113 EDC04B66 27 Bytes [FF, 15, 90, E0, C1, ED, 8A, ...]
.text netbt.sys!ccAWMI_vfU_TYN____Fon__jnJMO__jndmnz__T_U + 12F EDC04B82 425 Bytes [00, 8B, 10, 89, 15, 58, E8, ...]
.text netbt.sys!p_wnrjvlnir_QjedW_CRG_IY_DQuwq__ + 11D EDC04D2C 972 Bytes [00, EB, AD, 56, 53, E8, 46, ...]
.text netbt.sys!UAVjjqqveq_a_wgj_qctpdxbz_m_vw_ccQqiyWA_NSxqzpqH + 172 EDC050F9 94 Bytes [03, 00, 00, 83, 7D, 1C, 10, ...]
.text netbt.sys!IQJTQAM_K_K_DJA_FB + 15 EDC05158 4 Bytes [0D, 00, E4, C1]
.text netbt.sys!IQJTQAM_K_K_DJA_FB + 1A EDC0515D 15 Bytes [89, 45, E4, 8B, 45, 10, 89, ...] {MOV [EBP-0x1c], EAX; MOV EAX, [EBP+0x10]; MOV [EBP-0x18], EAX; MOV EAX, [EBP+0x14]; MOV [EBP-0x14], EAX}
.text netbt.sys!IQJTQAM_K_K_DJA_FB + 2A EDC0516D 6 Bytes [B7, 89, 12, 01, 00, 00] {MOV BH, 0x89; ADC AL, [ECX]; ADD [EAX], AL}
.text netbt.sys!IQJTQAM_K_K_DJA_FB + 31 EDC05174 160 Bytes [47, 28, 03, 47, 20, 83, C1, ...]
.text netbt.sys!IQJTQAM_K_K_DJA_FB + D2 EDC05215 234 Bytes [8B, 46, 34, FF, 76, 18, 8B, ...]
.text netbt.sys!wmivgjiJANiO__KLvuwTBYM_gjctbwr__vycf_p_vrl___vcyxWAY + A EDC05300 284 Bytes [2C, 33, D2, 3B, C2, 0F, 85, ...]
.text netbt.sys!wmivgjiJANiO__KLvuwTBYM_gjctbwr__vycf_p_vrl___vcyxWAY + 127 EDC0541D 179 Bytes [62, 00, 00, 8B, 7E, 1C, 85, ...]
.text netbt.sys!vxSQhiuODWQNRMOG_Tbsf_ap__yxnTWU_KJIY_AXLP_ij + 20 EDC054D1 24 Bytes [85, C0, 89, 03, 0F, 85, 30, ...]
.text netbt.sys!vxSQhiuODWQNRMOG_Tbsf_ap__yxnTWU_KJIY_AXLP_ij + 39 EDC054EA 22 Bytes [75, 18, 6A, 01, 6A, 0B, 51, ...]
.text netbt.sys!vxSQhiuODWQNRMOG_Tbsf_ap__yxnTWU_KJIY_AXLP_ij + 50 EDC05501 8 Bytes [15, 80, E0, C1, ED, 83, 7D, ...]
.text netbt.sys!vxSQhiuODWQNRMOG_Tbsf_ap__yxnTWU_KJIY_AXLP_ij + 59 EDC0550A 149 Bytes [74, 0D, 6A, 00, 68, 01, 00, ...]
.text netbt.sys!vxSQhiuODWQNRMOG_Tbsf_ap__yxnTWU_KJIY_AXLP_ij + EF EDC055A0 212 Bytes [90, 90, 90, 90, 8B, FF, 55, ...]
.text ...
.text netbt.sys!i_girvtZllk_F_BOM_ctc_bqwcibr_vrtv + 19 EDC062A8 5 Bytes [0C, 3B, C3, 0F, 85]
.text netbt.sys!i_girvtZllk_F_BOM_ctc_bqwcibr_vrtv + 1F EDC062AE 44 Bytes [1F, 00, 00, 33, C9, 8D, 87, ...]
.text netbt.sys!i_girvtZllk_F_BOM_ctc_bqwcibr_vrtv + 4C EDC062DB 776 Bytes [40, F0, 0F, C1, 07, 80, 7D, ...]
.text netbt.sys!UEFMkspm_fVTUunvwsMZPCziwzkT_G_FX_ + 198 EDC065E4 24 Bytes [42, 01, 0C, 89, 42, 14, 8B, ...]
.text netbt.sys!RH____K__zZT__CSa_g_njc_pTZ__EUHSafyOPTUZfkhs_BVll__ + 2 EDC065FD 51 Bytes [C8, FF, 15, F0, E0, C1, ED, ...]
.text netbt.sys!RH____K__zZT__CSa_g_njc_pTZ__EUHSafyOPTUZfkhs_BVll__ + 36 EDC06631 258 Bytes [4D, E0, B8, 00, 00, 00, C0, ...]
.text netbt.sys!RH____K__zZT__CSa_g_njc_pTZ__EUHSafyOPTUZfkhs_BVll__ + 139 EDC06734 17 Bytes [7D, FC, 00, 0F, B7, 46, 1C, ...] {JGE 0xfffffffffffffffe; ADD [EDI], CL; MOV BH, 0x46; SBB AL, 0x89; INC EBP; FADD ST, ST(7); INC ESI; PUSH EAX; CMC ; JNP 0xffffffffffffffd1; IN EAX, DX}
.text netbt.sys!RH____K__zZT__CSa_g_njc_pTZ__EUHSafyOPTUZfkhs_BVll__ + 14B EDC06746 244 Bytes [85, 9C, 8B, 00, 00, 8B, 4D, ...]
.text netbt.sys!r__uvepHU_NB__Wbzu_ex__H_GWHKI_C + 88 EDC0683B 119 Bytes [0F, 84, 86, E3, 00, 00, 3B, ...]
.text netbt.sys!r__uvepHU_NB__Wbzu_ex__H_GWHKI_C + 100 EDC068B3 138 Bytes [39, 4E, 38, 89, 55, EC, 75, ...]
.text netbt.sys!r__uvepHU_NB__Wbzu_ex__H_GWHKI_C + 18B EDC0693E 56 Bytes [ED, 56, 88, 45, 0B, E8, F7, ...]
.text netbt.sys!KVZLbZEJFYOBPMW_fq_s_v_qvzr__zfs__zAG_PUMTSELPO_X_WR_H + F EDC06977 7 Bytes JMP EDC14D97 \SystemRoot\system32\DRIVERS\netbt.sys (MBT Transport driver/Microsoft Corporation)
.text netbt.sys!KVZLbZEJFYOBPMW_fq_s_v_qvzr__zfs__zAG_PUMTSELPO_X_WR_H + 17 EDC0697F 59 Bytes [F8, FF, FF, 83, F8, 06, 7E, ...]
.text netbt.sys!KVZLbZEJFYOBPMW_fq_s_v_qvzr__zfs__zAG_PUMTSELPO_X_WR_H + 53 EDC069BB 275 Bytes [EB, D3, B8, 08, 00, 00, C0, ...]
.text netbt.sys!KVZLbZEJFYOBPMW_fq_s_v_qvzr__zfs__zAG_PUMTSELPO_X_WR_H + 167 EDC06ACF 116 Bytes [07, 33, C9, 83, C0, 38, 87, ...]
.text netbt.sys!KVZLbZEJFYOBPMW_fq_s_v_qvzr__zfs__zAG_PUMTSELPO_X_WR_H + 1DC EDC06B44 5 Bytes [00, 00, 05, E0, 00]
.text ...
.text netbt.sys!k_izygskfOGQHDbou_bv_v + 64 EDC0781F 225 Bytes [BC, 00, 00, 00, 01, 0F, 84, ...]
.text netbt.sys!k_izygskfOGQHDbou_bv_v + 146 EDC07901 104 Bytes [00, 00, 8B, 40, 30, 89, 45, ...]
.text netbt.sys!k_izygskfOGQHDbou_bv_v + 1AF EDC0796A 15 Bytes CALL EDC080D8 \SystemRoot\system32\DRIVERS\netbt.sys (MBT Transport driver/Microsoft Corporation)
.text netbt.sys!k_izygskfOGQHDbou_bv_v + 1BF EDC0797A 20 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
.text netbt.sys!k_izygskfOGQHDbou_bv_v + 1D4 EDC0798F 199 Bytes [56, 0F, 84, 39, 0A, 00, 00, ...]
.text C:\WINDOWS\system32\DRIVERS\netbt.sys section is writeable [0xEDC04000, 0x3A84, 0xE8000020]
? C:\WINDOWS\system32\DRIVERS\netbt.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[448] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0197000A
.text C:\WINDOWS\System32\svchost.exe[448] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0198000A
.text C:\WINDOWS\System32\svchost.exe[448] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0190000C
.text C:\Program Files\Internet Explorer\iexplore.exe[768] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0309000A
.text C:\Program Files\Internet Explorer\iexplore.exe[768] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 030A000A
.text C:\Program Files\Internet Explorer\iexplore.exe[768] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0308000C
.text C:\Program Files\Internet Explorer\iexplore.exe[768] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[768] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[768] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[768] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB3C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[768] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2546A6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[768] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5337 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[768] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5269 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[768] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[768] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E513A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[768] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E519C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[768] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E539A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[768] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51FE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[768] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB98 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[768] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E569F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB3C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5337 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5269 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E513A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E519C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E539A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2636] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51FE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----

Please let me know if there's anything else I need to provide. Thanks

Merged topics then posts. ~ OB

Edited by Orange Blossom, 21 September 2011 - 12:40 PM.
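An added triage script for logs in the DDS format posted above (written for this thread, not part of the DDS tool or the original post). It walks the log section by section and flags the three things a helper would look at first in this log: a process image living in an NTFS alternate data stream, a populated AppInit_DLLs value, and SSODL/STS shell load points whose DLL names look machine-generated. The sample input is a handful of lines constructed in the DDS format, and the random-name test is a heuristic chosen for this script, not a DDS rule.

```python
import re
from typing import Dict, List

# Constructed sample: a few lines in the shape of the DDS log posted above
# (three of its sections, with the entries the triage below reacts to).
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\848558210:2097638605.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
.
============== Pseudo HJT Report ===============
.
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [<NO NAME>]
AppInit_DLLs: fayebuzu.dll c:\windows\system32\vegibeya.dll
SSODL: hokuwuyow - {1ae0b852-5e04-4500-a0ac-e8e842ebbdff} - c:\windows\system32\dudumese.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: jugezatag: {1ae0b852-5e04-4500-a0ac-e8e842ebbdff} - c:\windows\system32\dudumese.dll
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-19 366152]
"""

VOWELS = set("aeiou")
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# A drive-letter path up to the next whitespace or bracket.
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\[\]]+")


def looks_generated(name: str) -> bool:
    """Heuristic chosen for this script (not a DDS rule): 7 to 10 lowercase
    letters that strictly alternate consonant/vowel, the shape of the DLL
    names in the log above (vegibeya, dudumese, miyahewe). Real system DLL
    names such as ctfmon or WPDShServiceObj fail this test."""
    if not (7 <= len(name) <= 10 and name.isalpha() and name.islower()):
        return False
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(name))


def basename(path: str) -> str:
    """Last component of a Windows path (works for bare file names too)."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def triage_dds(text: str) -> List[Dict[str, str]]:
    """Walk a DDS log section by section and return the entries worth a
    second look, each as {section, line, reason}."""
    findings: List[Dict[str, str]] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # DDS pads sections with "." lines
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section == "Running Processes":
            # Drop command-line switches, then look at the image file name.
            image = basename(line.split(" -")[0].split(" /")[0])
            if ":" in image:
                findings.append({"section": section, "line": line,
                                 "reason": "process image lives in an NTFS "
                                           "alternate data stream, which "
                                           "Explorer does not show"})
        elif section == "Pseudo HJT Report":
            key, _, value = line.partition(":")
            if key == "AppInit_DLLs" and value.strip():
                findings.append({"section": section, "line": line,
                                 "reason": "AppInit_DLLs is populated; every "
                                           "process that loads user32.dll "
                                           "will load these DLLs"})
            elif key in ("SSODL", "STS"):
                # Shell load points: flag DLLs with pseudo-random names.
                for path in WIN_PATH_RE.findall(value):
                    stem = basename(path).lower().rsplit(".", 1)[0]
                    if looks_generated(stem):
                        findings.append({"section": section, "line": line,
                                         "reason": f"{key} entry loads a DLL "
                                                   f"with a generated-looking "
                                                   f"name ({stem})"})
    return findings


if __name__ == "__main__":
    for hit in triage_dds(SAMPLE_DDS):
        print(f"[{hit['section']}] {hit['reason']}\n    {hit['line']}")
```

Run it against a full DDS log saved from the thread to get the same four classes of hits; anything it flags still needs a human to confirm before removal, since the name heuristic is only a filter.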


#2 HelpBot

Bleepin' Binary Bot

Posted 26 September 2011 - 05:55 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/419839 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 paradux

  • Topic Starter

Posted 26 September 2011 - 11:14 AM

Hi,

As requested here are updated logs, although I don't think anything has changed. Thanks in advance for your help.

Current system behavior - Pop-ups appearing; MBAM can't open; can't reach antivirus web sites; and after about 15-20 minutes of use the system freezes. When I am able to get Task Manager up, it shows svchost using most of the CPU.

DDS from 9/26/11:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Liz at 11:25:28 on 2011-09-26
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.494.48 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\848558210:2097638605.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE
C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://headlines.verizon.com/headlines/portals/headlines.portal
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uURLSearchHooks: NetAssistant: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\freeze.com\netassistant\NetAssistant.dll
mURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: NetAssistant: {e38fa08e-f56a-4169-abf5-5c71e3c153a1} - c:\program files\freeze.com\netassistant\NetAssistant.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [<NO NAME>]
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [\\LIZDESKTOP\EPSON Stylus CX5800F Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiala.exe /p40 "\\lizdesktop\EPSON Stylus CX5800F Series" /O6 "USB001" /M "Stylus CX5800F"
mRun: [CanonSolutionMenuEx] c:\program files\canon\solution menu ex\CNSEMAIN.EXE /logon
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: mswsock.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {64D01C7F-810D-446E-A07E-16C764235644} - hxxp://zone.msn.com/bingame/amad/default/atomaders.cab
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://zone.msn.com/bingame/luxr/default/mjolauncher.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab53083.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 71.250.0.12 71.242.0.12
TCP: Interfaces\{2C2C405C-18F7-429A-BF01-DC27B6451835} : DhcpNameServer = 71.250.0.12 71.242.0.12
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
AppInit_DLLs: fayebuzu.dll c:\windows\system32\vegibeya.dll
SSODL: hokuwuyow - {1ae0b852-5e04-4500-a0ac-e8e842ebbdff} - c:\windows\system32\dudumese.dll
SSODL: golavifur - {2b5b3b53-5006-4a4c-9124-d62fc31b19e5} - c:\windows\system32\miyahewe.dll
SSODL: fawotefus - {20643429-ce6b-4515-b087-1d1d087ac0e8} - c:\windows\system32\vegibeya.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: jugezatag: {1ae0b852-5e04-4500-a0ac-e8e842ebbdff} - c:\windows\system32\dudumese.dll
STS: jugezatag: {2b5b3b53-5006-4a4c-9124-d62fc31b19e5} - c:\windows\system32\miyahewe.dll
STS: tokatiluy: {20643429-ce6b-4515-b087-1d1d087ac0e8} - c:\windows\system32\vegibeya.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 WDHLLKNL;WDHLLKNL;c:\windows\system32\drivers\wdhllknl.sys [2005-3-17 4864]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2005-3-17 9817]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-10 22216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2005-3-17 117760]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-9-19 366152]
S3 COAX;COAX;c:\windows\system32\drivers\coax.sys [2005-3-17 18144]
S3 klmd23;klmd23;c:\windows\system32\drivers\klmd.sys [2011-9-20 52432]
S3 RMBS;RMBS;c:\windows\system32\drivers\RMBS.SYS [2005-3-17 18208]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-09-21 10:11:18 -------- d-----w- c:\documents and settings\liz\application data\SUPERAntiSpyware.com
2011-09-21 10:10:42 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-09-21 10:10:42 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-09-20 23:41:50 52432 ----a-w- c:\windows\system32\drivers\klmd.sys
2011-09-03 10:17:37 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
.
==================== Find3M ====================
.
2011-09-26 15:13:21 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-08-31 21:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
.
============= FINISH: 11:27:25.14 ===============

Next, GMER from 9/26 - I stopped the scan just before it craps out and destroys the txt file:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-26 12:05:01
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Liz\LOCALS~1\Temp\kxlyapob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IoFreeIrp + 1CB 804E8765 7 Bytes CALL 85724C95
init C:\WINDOWS\system32\drivers\tifm.sys entry point in "init" section [0xF6B69B00]
.text netbt.sys!k_izygskfOGQHDbou_bv_v EB4A2000 25 Bytes [89, 01, 81, 7D, 10, 16, 00, ...]
.text netbt.sys!k_izygskfOGQHDbou_bv_v EB4A201A 49 Bytes JMP EB4A1F4E \SystemRoot\system32\DRIVERS\netbt.sys (MBT Transport driver/Microsoft Corporation)
.text netbt.sys!k_izygskfOGQHDbou_bv_v EB4A204C 105 Bytes [00, 8B, 47, 18, 8B, 70, 0C, ...]
.text netbt.sys!k_izygskfOGQHDbou_bv_v EB4A20B6 9 Bytes [0F, 84, 33, D2, 00, 00, F6, ...]
.text netbt.sys!k_izygskfOGQHDbou_bv_v EB4A20C0 4 Bytes [0F, 84, 29, D2]
.text ...
.text netbt.sys!YH_MP_DIph_x_OVTIKOS + EC EB4A22A1 5 Bytes [75, 08, 8B, 46, 0C] {JNZ 0xa; MOV EAX, [ESI+0xc]}
.text netbt.sys!YH_MP_DIph_x_OVTIKOS + F2 EB4A22A7 196 Bytes [F8, 01, 8D, 4E, 5C, 0F, 8E, ...]
.text netbt.sys!YegyuBJPB_dvKY_K_BXM_JJ__S_DNY_HMG_c_gk_QPpib + 4 EB4A236C 222 Bytes JMP EB4A22E0 \SystemRoot\system32\DRIVERS\netbt.sys (MBT Transport driver/Microsoft Corporation)
.text netbt.sys!YegyuBJPB_dvKY_K_BXM_JJ__S_DNY_HMG_c_gk_QPpib + E3 EB4A244B 630 Bytes [C8, 00, 00, FF, 75, 0C, 57, ...]
.text netbt.sys!WLU_GRFC_ejrg_qpf_ + 19D EB4A26C2 190 Bytes [FF, FF, C9, C2, 18, 00, 90, ...]
.text netbt.sys!KBIRROny__sTQ_HYM_xg_l_txCIKFKv + AB EB4A2781 358 Bytes [8D, 45, A4, 50, 8B, 45, B8, ...]
.text netbt.sys!HESD_BCENbgq_pi_zkabkuwahki__mllcra_cHEddgmex_ptoeS + 4E EB4A28E8 371 Bytes CALL EB4A26CD \SystemRoot\system32\DRIVERS\netbt.sys (MBT Transport driver/Microsoft Corporation)
.text netbt.sys!ccAWMI_vfU_TYN____Fon__jnJMO__jndmnz__T_U + 9 EB4A2A5C 31 Bytes [14, FF, 75, 10, 53, FF, 75, ...]
.text netbt.sys!ccAWMI_vfU_TYN____Fon__jnJMO__jndmnz__T_U + 29 EB4A2A7C 7 Bytes [8B, CF, FF, 15, 90, C0, 4B]
.text netbt.sys!ccAWMI_vfU_TYN____Fon__jnJMO__jndmnz__T_U + 31 EB4A2A84 225 Bytes [8B, 75, 08, 33, DB, 3B, F3, ...]
.text netbt.sys!ccAWMI_vfU_TYN____Fon__jnJMO__jndmnz__T_U + 113 EB4A2B66 27 Bytes [FF, 15, 90, C0, 4B, EB, 8A, ...]
.text netbt.sys!ccAWMI_vfU_TYN____Fon__jnJMO__jndmnz__T_U + 12F EB4A2B82 425 Bytes [00, 8B, 10, 89, 15, 58, C8, ...]
.text netbt.sys!p_wnrjvlnir_QjedW_CRG_IY_DQuwq__ + 11D EB4A2D2C 972 Bytes [00, EB, AD, 56, 53, E8, 46, ...]
.text netbt.sys!UAVjjqqveq_a_wgj_qctpdxbz_m_vw_ccQqiyWA_NSxqzpqH + 172 EB4A30F9 94 Bytes [03, 00, 00, 83, 7D, 1C, 10, ...]
.text netbt.sys!IQJTQAM_K_K_DJA_FB + 15 EB4A3158 4 Bytes [0D, 00, C4, 4B]
.text netbt.sys!IQJTQAM_K_K_DJA_FB + 1A EB4A315D 15 Bytes [89, 45, E4, 8B, 45, 10, 89, ...] {MOV [EBP-0x1c], EAX; MOV EAX, [EBP+0x10]; MOV [EBP-0x18], EAX; MOV EAX, [EBP+0x14]; MOV [EBP-0x14], EAX}
.text netbt.sys!IQJTQAM_K_K_DJA_FB + 2A EB4A316D 6 Bytes [B7, 89, 12, 01, 00, 00] {MOV BH, 0x89; ADC AL, [ECX]; ADD [EAX], AL}
.text netbt.sys!IQJTQAM_K_K_DJA_FB + 31 EB4A3174 160 Bytes [47, 28, 03, 47, 20, 83, C1, ...]
.text netbt.sys!IQJTQAM_K_K_DJA_FB + D2 EB4A3215 519 Bytes [8B, 46, 34, FF, 76, 18, 8B, ...]
.text netbt.sys!wmivgjiJANiO__KLvuwTBYM_gjctbwr__vycf_p_vrl___vcyxWAY + 127 EB4A341D 179 Bytes [62, 00, 00, 8B, 7E, 1C, 85, ...]
.text netbt.sys!vxSQhiuODWQNRMOG_Tbsf_ap__yxnTWU_KJIY_AXLP_ij + 20 EB4A34D1 24 Bytes [85, C0, 89, 03, 0F, 85, 30, ...]
.text netbt.sys!vxSQhiuODWQNRMOG_Tbsf_ap__yxnTWU_KJIY_AXLP_ij + 39 EB4A34EA 22 Bytes [75, 18, 6A, 01, 6A, 0B, 51, ...]
.text netbt.sys!vxSQhiuODWQNRMOG_Tbsf_ap__yxnTWU_KJIY_AXLP_ij + 50 EB4A3501 8 Bytes [15, 80, C0, 4B, EB, 83, 7D, ...]
.text netbt.sys!vxSQhiuODWQNRMOG_Tbsf_ap__yxnTWU_KJIY_AXLP_ij + 59 EB4A350A 149 Bytes [74, 0D, 6A, 00, 68, 01, 00, ...]
.text netbt.sys!vxSQhiuODWQNRMOG_Tbsf_ap__yxnTWU_KJIY_AXLP_ij + EF EB4A35A0 212 Bytes [90, 90, 90, 90, 8B, FF, 55, ...]
.text ...
.text netbt.sys!i_girvtZllk_F_BOM_ctc_bqwcibr_vrtv + 19 EB4A42A8 50 Bytes [0C, 3B, C3, 0F, 85, C0, 1F, ...]
.text netbt.sys!i_girvtZllk_F_BOM_ctc_bqwcibr_vrtv + 4C EB4A42DB 776 Bytes [40, F0, 0F, C1, 07, 80, 7D, ...]
.text netbt.sys!UEFMkspm_fVTUunvwsMZPCziwzkT_G_FX_ + 198 EB4A45E4 24 Bytes [42, 01, 0C, 89, 42, 14, 8B, ...]
.text netbt.sys!RH____K__zZT__CSa_g_njc_pTZ__EUHSafyOPTUZfkhs_BVll__ + 2 EB4A45FD 51 Bytes [C8, FF, 15, F0, C0, 4B, EB, ...]
.text netbt.sys!RH____K__zZT__CSa_g_njc_pTZ__EUHSafyOPTUZfkhs_BVll__ + 36 EB4A4631 258 Bytes [4D, E0, B8, 00, 00, 00, C0, ...]
.text netbt.sys!RH____K__zZT__CSa_g_njc_pTZ__EUHSafyOPTUZfkhs_BVll__ + 139 EB4A4734 17 Bytes [7D, FC, 00, 0F, B7, 46, 1C, ...]
.text netbt.sys!RH____K__zZT__CSa_g_njc_pTZ__EUHSafyOPTUZfkhs_BVll__ + 14B EB4A4746 244 Bytes [85, 9C, 8B, 00, 00, 8B, 4D, ...]
.text netbt.sys!r__uvepHU_NB__Wbzu_ex__H_GWHKI_C + 88 EB4A483B 315 Bytes [0F, 84, 86, E3, 00, 00, 3B, ...]
.text netbt.sys!KVZLbZEJFYOBPMW_fq_s_v_qvzr__zfs__zAG_PUMTSELPO_X_WR_H + F EB4A4977 7 Bytes JMP EB4B2D97 \SystemRoot\system32\DRIVERS\netbt.sys (MBT Transport driver/Microsoft Corporation)
.text netbt.sys!KVZLbZEJFYOBPMW_fq_s_v_qvzr__zfs__zAG_PUMTSELPO_X_WR_H + 17 EB4A497F 59 Bytes [F8, FF, FF, 83, F8, 06, 7E, ...]
.text netbt.sys!KVZLbZEJFYOBPMW_fq_s_v_qvzr__zfs__zAG_PUMTSELPO_X_WR_H + 53 EB4A49BB 275 Bytes [EB, D3, B8, 08, 00, 00, C0, ...]
.text netbt.sys!KVZLbZEJFYOBPMW_fq_s_v_qvzr__zfs__zAG_PUMTSELPO_X_WR_H + 167 EB4A4ACF 116 Bytes [07, 33, C9, 83, C0, 38, 87, ...]
.text netbt.sys!KVZLbZEJFYOBPMW_fq_s_v_qvzr__zfs__zAG_PUMTSELPO_X_WR_H + 1DC EB4A4B44 5 Bytes [00, 00, 05, E0, 00]
.text ...
.text netbt.sys!k_izygskfOGQHDbou_bv_v + 64 EB4A581F 225 Bytes [BC, 00, 00, 00, 01, 0F, 84, ...]
.text netbt.sys!k_izygskfOGQHDbou_bv_v + 146 EB4A5901 104 Bytes [00, 00, 8B, 40, 30, 89, 45, ...]
.text netbt.sys!k_izygskfOGQHDbou_bv_v + 1AF EB4A596A 15 Bytes CALL EB4A60D8 \SystemRoot\system32\DRIVERS\netbt.sys (MBT Transport driver/Microsoft Corporation)
.text C:\WINDOWS\system32\DRIVERS\netbt.sys section is writeable [0xEB4A2000, 0x3A84, 0xE8000020]
? C:\WINDOWS\system32\DRIVERS\netbt.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[536] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E1000A
.text C:\WINDOWS\System32\svchost.exe[536] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E2000A
.text C:\WINDOWS\System32\svchost.exe[536] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00E0000C
.text C:\Program Files\Internet Explorer\iexplore.exe[792] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[792] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB3C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[792] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5337 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[792] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5269 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[792] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[792] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E513A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[792] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E519C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[792] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E539A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[792] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51FE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0309000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 030A000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0308000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB3C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2546A6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5337 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5269 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E513A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E519C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E539A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51FE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB98 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3748] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E569F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- EOF - GMER 1.0.15 ----

Finally, I ran a rootkit report (using RKUnhooker) a few days ago and got the following:

RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0xF7059000 C:\WINDOWS\system32\DRIVERS\w29n51.sys 3211264 bytes (Intel® Corporation, Intel® Wireless LAN Driver)
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2192768 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2192768 bytes
0x804D7000 RAW 2192768 bytes
0x804D7000 WMIxWDM 2192768 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF6E4F000 C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 1044480 bytes (Conexant Systems, Inc., HSF_DP driver)
0xBF05E000 C:\WINDOWS\System32\ialmdd5.DLL 765952 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0xF73A1000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 684032 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xF6DA9000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 679936 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xF74F9000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB552E000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF6BD2000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB8C6B000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB52E1000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBF119000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB4E68000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF6FA3000 C:\WINDOWS\system32\drivers\stac97.sys 266240 bytes (SigmaTel, Inc., SigmaTel Audio Driver (WDM))
0xF6D6C000 C:\WINDOWS\system32\DRIVERS\iwca.sys 249856 bytes (Intel Corporation, Intel Wireless Connection Agent)
0xF6F4E000 C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys 200704 bytes (Conexant Systems, Inc., HSFHWICH WDM driver)
0xF6CD0000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF7670000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB53B1000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF74CC000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF7007000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 184320 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0xB4CFB000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xB559E000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB560D000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF75FC000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB8C24000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF6F7F000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF7369000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF6FE4000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB55EB000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xB55C9000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0xF75C4000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF7622000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xBF03F000 C:\WINDOWS\System32\ialmdev5.DLL 126976 bytes (Intel Corporation, Component GHAL Driver)
0xBF020000 C:\WINDOWS\System32\ialmdnt5.dll 126976 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xF7641000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xF6D00000 C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys 114688 bytes (Nortel Networks NA, Inc., Contivity VPN Client Adapter)
0xF74B2000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB54E7000 C:\WINDOWS\system32\dla\tfsnudf.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xB54CE000 C:\WINDOWS\system32\dla\tfsnudfa.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xF75E4000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB5516000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7586000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF6D55000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB5500000 C:\WINDOWS\system32\dla\tfsnifs.sys 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xF759D000 drvmcdb.sys 86016 bytes (Sonic Solutions, Device Driver)
0xB4DE9000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF7034000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF738D000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0x806EF000 ACPI_HAL 81152 bytes
0x806EF000 C:\WINDOWS\system32\hal.dll 81152 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB8CC4000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF75B2000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF765F000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF6D44000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF7048000 C:\WINDOWS\system32\drivers\tifm.sys 69632 bytes (Texas Instruments, tifm.sys)
0xB58CA000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF77EF000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF773F000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF770F000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF775F000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF780F000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF77FF000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF6CA0000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF6CB0000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF771F000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBF012000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xF76FF000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF77CF000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF781F000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF76DF000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF783F000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF77BF000 C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys 45056 bytes (Broadcom Corporation, Broadcom Corporation NDIS 5.1 ethernet driver)
0xB601F000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF77DF000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF76CF000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF782F000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xEE604000 C:\WINDOWS\system32\drivers\drvnddm.sys 40960 bytes (Sonic Solutions, Device Driver Manager)
0xF76BF000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF78EF000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF786F000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xB4391000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xF76EF000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xEE674000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF77AF000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF785F000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xB603F000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF6C40000 C:\WINDOWS\system32\dla\tfsncofs.sys 36864 bytes (Sonic Solutions, Drive Letter Access Component)
0xF774F000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF79E7000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF7A17000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF79CF000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7A5F000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF793F000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xB5B4A000 C:\WINDOWS\system32\dla\tfsnboio.sys 28672 bytes (Sonic Solutions, Drive Letter Access Component)
0xF79D7000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF79DF000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xB5B3A000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xBA256000 C:\WINDOWS\system32\drivers\ssrtln.sys 24576 bytes (Sonic Solutions, Shared Driver Component)
0xF79C7000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xBA24E000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF7A07000 C:\WINDOWS\system32\DRIVERS\wanatw4.sys 24576 bytes (America Online, Inc., Wan Miniport (ATW))
0xBA246000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7A0F000 C:\WINDOWS\system32\DRIVERS\omci.sys 20480 bytes (Dell Inc, OMCI Device Driver)
0xF7947000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF79F7000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF794F000 PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF79FF000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF79EF000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF797F000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF7AEB000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 16384 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
0xF7AD7000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF7454000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xB57AC000 C:\WINDOWS\system32\drivers\mbam.sys 16384 bytes (Malwarebytes Corporation, Malwarebytes' Anti-Malware)
0xF7B6F000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB5BAB000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA0B6000 C:\WINDOWS\system32\dla\tfsnopio.sys 16384 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7ADB000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xF7ACF000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF7AD3000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xEC557000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF7B67000 C:\WINDOWS\system32\DRIVERS\eacfilt.sys 12288 bytes (Nortel Networks, NDIS Filter Intermediate Driver)
0xF7B7F000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF6D38000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0xB5395000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xF7BA3000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF744C000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xEC53B000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF6906000 C:\WINDOWS\system32\DRIVERS\s24trans.sys 12288 bytes (Intel Corporation, Intel WLAN Packet Driver)
0xB5F30000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes
0xB5D26000 C:\WINDOWS\System32\Drivers\ASCTRM.SYS 8192 bytes (Windows ® 2000 DDK provider, TR Manager)
0xF7C71000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7C21000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7C6F000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7BC3000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7BBF000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7C73000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7C75000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7BED000 C:\WINDOWS\system32\drivers\sscdbhk5.sys 8192 bytes (Sonic Solutions, Shared Driver Component)
0xF7BEF000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xB5776000 C:\WINDOWS\system32\dla\tfsnpool.sys 8192 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7BEB000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7BC1000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7DFE000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7DE6000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7DF4000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7C88000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xF7C87000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xB9CD9000 C:\WINDOWS\system32\dla\tfsndrct.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0xEB4BE000 C:\WINDOWS\system32\dla\tfsndres.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0xB5E2E000 C:\WINDOWS\System32\Drivers\WDHLLKNL.SYS 4096 bytes (Wall Data Incorporated, RUMBA DOS HLLAPI NT Kernel Driver)
!!!!!!!!!!!Hidden driver: 0x855FA830 00004660 2000 bytes
0x855FA830 unknown_irp_handler 2000 bytes
==============================================
>Stealth
==============================================
WARNING: Virus alike driver modification [netbt.sys]
0x855FD21F Unknown page with executable code, 3553 bytes


Thanks again for your help.
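
The driver listing in the scan output above has a regular line shape, and the anomalies the scanner prints at the end (a hidden driver, an unknown IRP handler, a modified module, an anonymous page of executable code) are exactly what a responder needs to pull out first. The following Python script is an added example, not code from this thread or from the scanner that produced the log. It parses the four line shapes that appear above and groups them into a defender's triage summary: hidden drivers, integrity warnings, anonymous executable pages, and loaded drivers that carry no vendor string or sit outside the Windows directory. The sample text embedded in it is constructed from a handful of the posted lines; splitting the parenthesised block on its first comma is an assumption about the format (a vendor name that itself contains a comma, such as "Parallel Technologies, Inc.", is split imperfectly), and the verdict labels are this example's own.

```python
r"""Triage an anti-rootkit driver listing of the shape posted above.

Added example, not code from the thread or from any scanner vendor.
Line shapes handled (shapes copied from the posted log):
    0xF780F000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Vendor, Description)
    !!!!!!!!!!!Hidden driver: 0x855FA830 00004660 2000 bytes
    WARNING: Virus alike driver modification [netbt.sys]
    0x855FD21F Unknown page with executable code, 3553 bytes
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Path is matched lazily so "C:\Program Files\..." (a path with a space) survives.
DRIVER_RE = re.compile(
    r"^0x(?P<addr>[0-9A-Fa-f]{8})\s+(?P<path>.+?)\s+(?P<size>\d+)\s+bytes"
    r"(?:\s+\((?P<info>.*)\))?\s*$"
)
HIDDEN_RE = re.compile(
    r"^!+\s*Hidden driver:\s*0x(?P<addr>[0-9A-Fa-f]{8})\s+(?P<obj>\S+)\s+(?P<size>\d+)\s+bytes"
)
WARNING_RE = re.compile(r"^WARNING:\s*(?P<text>.+?)\s*\[(?P<module>[^\]]+)\]")
UNKNOWN_PAGE_RE = re.compile(
    r"^0x(?P<addr>[0-9A-Fa-f]{8})\s+Unknown page with executable code,\s*(?P<size>\d+)\s+bytes"
)


@dataclass
class Driver:
    addr: int
    path: str
    size: int
    vendor: str | None   # None when the scanner printed no "(Vendor, ...)" block
    desc: str | None

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def in_windows_dir(self) -> bool | None:
        # None when only a bare file name was printed (boot-start drivers such as
        # disk.sys in the listing): there is no location to judge.
        if "\\" not in self.path:
            return None
        return "\\windows\\" in self.path.lower()


@dataclass
class Triage:
    drivers: list[Driver] = field(default_factory=list)
    hidden: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)
    unknown_pages: list[str] = field(default_factory=list)

    @property
    def no_vendor(self) -> list[Driver]:
        return [d for d in self.drivers if not d.vendor]

    @property
    def outside_windows(self) -> list[Driver]:
        return [d for d in self.drivers if d.in_windows_dir is False]

    def severity(self) -> str:
        # Verdict labels are this example's own. Anything hidden, modified or
        # executing from an anonymous page means the OS view cannot be trusted;
        # vendor-less drivers on their own only merit a look.
        if self.hidden or self.warnings or self.unknown_pages:
            return "compromised-suspected"
        if self.no_vendor:
            return "review"
        return "clean-as-listed"


def parse_listing(text: str) -> Triage:
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=") or line.startswith(">"):
            continue  # section rulers such as ">Stealth"
        if m := HIDDEN_RE.match(line):
            t.hidden.append(f"0x{m['addr']} object {m['obj']} ({m['size']} bytes)")
        elif m := WARNING_RE.match(line):
            t.warnings.append(f"{m['module']}: {m['text']}")
        elif m := UNKNOWN_PAGE_RE.match(line):  # must precede DRIVER_RE: same "0x..." prefix
            t.unknown_pages.append(f"0x{m['addr']} ({m['size']} bytes)")
        elif m := DRIVER_RE.match(line):
            vendor = desc = None
            if m["info"] is not None:
                # Assumption: vendor is the text before the first comma.
                v, _, d = (s.strip() for s in m["info"].partition(","))
                vendor, desc = v or None, d or None
            t.drivers.append(Driver(int(m["addr"], 16), m["path"], int(m["size"]), vendor, desc))
    return t


def report(t: Triage) -> list[str]:
    lines = [f"verdict: {t.severity()}", f"drivers listed: {len(t.drivers)}"]
    lines += [f"HIDDEN DRIVER  {h}" for h in t.hidden]
    lines += [f"MODIFIED       {w}" for w in t.warnings]
    lines += [f"ANON EXEC PAGE {p}" for p in t.unknown_pages]
    lines += [f"NO VENDOR      {d.name} @0x{d.addr:08X} ({d.size} bytes)" for d in t.no_vendor]
    lines += [f"NON-SYSTEM DIR {d.path} [{d.vendor or 'no vendor'}]" for d in t.outside_windows]
    return lines


# Constructed sample: a few lines of the posted listing plus its Stealth section.
SAMPLE_LOG = r"""
0xF780F000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF76DF000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xB4391000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xB5B3A000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xF7A07000 C:\WINDOWS\system32\DRIVERS\wanatw4.sys 24576 bytes (America Online, Inc., Wan Miniport (ATW))
0xB5F30000 C:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes
0xF7C21000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
!!!!!!!!!!!Hidden driver: 0x855FA830 00004660 2000 bytes
0x855FA830 unknown_irp_handler 2000 bytes
==============================================
>Stealth
==============================================
WARNING: Virus alike driver modification [netbt.sys]
0x855FD21F Unknown page with executable code, 3553 bytes
"""

if __name__ == "__main__":
    print("\n".join(report(parse_listing(SAMPLE_LOG))))
```

Read the verdict the way the helper in this thread does: "clean-as-listed" only means the scanner reported nothing, not that the machine is clean, because a rootkit that hides from the scanner produces exactly that output. Once a hidden driver and an unknown executable page show up, as they do here, the listing is evidence that the running OS can no longer report on itself honestly, which is the reason a rebuild is recommended later in the thread.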

#4 Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 26 September 2011 - 08:05 PM

Hello and welcome to Bleeping Computer.

I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Watch Topic near the top of the page, then select Immediate Notification. Click on Proceed. If it shows Stop watching topic, it means you are already subscribed.

Please be patient with me during this time.

Meanwhile, please make a reply to this topic to acknowledge that you have read this and are still with me to tackle the problem until the end. If I do not get any response within 5 days, this topic will be closed. If you have since resolved the original problem you were having, we would appreciate you letting us know.

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#5 Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 26 September 2011 - 09:11 PM

Hello paradux :),

Welcome to Bleeping Computer. I am Jack&Jill, and I will be helping you out.

Before we go further, there are a few things that I would like to make clear so that we share the same understanding.
  • Please observe and follow these Board Rules and Terms of Use.
  • Any advice is for your computer only and is taken at your own risk. Fixes sometimes will cause unexpected results, but I will do my best to assist you.
  • Please read the instructions carefully and follow them closely, in the order they are presented to you.
  • If you have any doubts or problems during the fix, please stop and ask.
  • All the tools that I will ask you to download and use are safe. Please allow them if prompted by any of your security software.
  • Do not use or run any malware cleaning tools without supervision as they may cause more harm if improperly used.
  • Refrain from installing any new programs except those that I request during the fix to prevent interference to my diagnosis of the problem.
  • Lack of malware symptoms does not mean your computer is clean. Stick to this topic until I give the All Clear.
  • If you do not reply within 5 days, this topic will be closed.
If you are agreeable to the above, then everything should go smoothly :) . We may begin.

--------------------

Is this a business computer?

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#6 paradux

  • Topic Starter
  • Members
  • 7 posts

Posted 27 September 2011 - 08:16 AM

Hello, Jack&Jill,

Thank you for your response. I have read and agree to the terms of use. And yes, I still need help.

The state of the PC is still pretty much the same, with one exception. I downloaded and was able to execute a new copy of TDSS killer. This got my PC back to the original symptom of MBAM constantly alerting me to blocking outbound web site connection attempts. However, I still cannot start MBAM to scan for viruses.

This is my personal laptop but there are business applications on it that I use to work from home (remote access).

During the next several days I will only have access to the home PC in the evenings but will follow your instructions as soon as I get home each evening.

Thanks in advance for your assistance.

Liz (paradux)

#7 Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 27 September 2011 - 09:20 AM

Hello paradux :),

Since your laptop / computer is a personal one, I could continue, but there is a possibility that the tools I may request you to run could reveal a lot of information to the public.

Are you comfortable with that and agreeable to be responsible for any consequences that could arise? If you are OK with this, please proceed further. Otherwise, we should stop here and you should get help from your IT department or the local computer shop.

--------------------

Your computer has/had some serious infections with rootkit/backdoor capabilities.
Sorry for the bad news. Backdoors provide outsiders full access to your computer, enabling them to record keystrokes, steal passwords, spread malware, and even use it for other illegal activities.

If your computer has been used for important or sensitive data such as online banking, shopping or any other financial transactions, I strongly recommend you to do the following:
  • Disconnect from the Internet and any network immediately.
  • Inform your financial institutions that you may be a victim of identity theft and to put a watch on all your accounts or change them.
  • Change all your online passwords from a clean computer.
  • Take any other steps that you may think are necessary to prevent financial distress due to identity theft.

Due to the backdoor functionality, your computer is compromised and can no longer be fully trusted. Many experts in the security community believe that once tainted with this type of infection, the best course of action would be a reformat and reinstall of the OS. I too strongly recommend you to format your computer. We can still attempt to clean it if you wish, but due to the severity of the infections, I cannot guarantee it will be safe or clean afterwards. It is up to you to decide. Please let me know which course of action you wish to take.

Here is some reading to help you decide:
How to respond to possible ID theft and Internet fraud
When should I reformat?

--------------------

Please post back:
1. if you are agreeable to your computer being in public
2. and if yes, how you would like to proceed

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#8 paradux

  • Topic Starter
  • Members
  • 7 posts

Posted 27 September 2011 - 10:45 AM

Jack&Jill,

Ouch. Sounds like my best bet is to recover whatever I can from this computer (photos and such) and either reformat or get a new one. (This one is NOT new.)

I can get new copies of the business related software I have on this machine.

Thanks for your help - any idea what the name of this virus/malware is? Or from whence it came? It seems odd to me that all was well until I told Verizon that I was NOT paying $20/month for their internet security package and to please take it off my bill. I had been fine with MBAM until then, but unfortunately did not keep my virus definitions up to date as much as I should have.

I practice what I thought were safe internet practices. Any idea how I might have gotten this?

Thanks again for your help.

--Liz

#9 Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 27 September 2011 - 08:38 PM

Hello paradux :),

The infection is called zeroaccess. As for how you got infected, any vulnerability in your system will be an attack point.

On your machine, you have outdated third-party software like Adobe Reader and Java, and you lack an antivirus program.

Since you have decided on which course of action to take, here are some security recommendations for the new setup.

--------------------

Some tips to help you stay clean and safe:

1. Keep your Windows up to date. Enable Automatic Updates for Windows XP to always get the latest security patches from Microsoft, or you can download them from the Microsoft website. Otherwise, your computer will be vulnerable to new exploits or malware.

2. Update your antivirus program regularly; it is a must for constant protection against viruses. If you do not have one, Microsoft Security Essentials and Avast are some great and free antivirus programs that you can try. For paid versions, Avast, ESET NOD32 and Kaspersky are some good options. Please keep only one AV installed.

3. Install Malwarebytes' Anti-Malware if you haven't and use it occasionally. It is a new and powerful anti-malware tool, totally free but for real-time protection you will have to pay a small one-time fee.

4. Install WinPatrol, a great protection program that helps you monitor for unwanted files or applications.

5. Use a hosts file to block the access of bad sites from your computer. Get yourself a MVPS Hosts for this purpose.

6. Install Web of Trust (WOT). WOT keeps you away from dangerous websites with warnings and blocking.

7. Protect your computer from removable or USB drive infections with MCShield, an effective method to prevent malware from spreading.

8. Keep all your software updated. Visit Secunia Software Inspector to find out if any updates are required.

9. Install a third-party firewall if you do not have one for additional defense against internet dangers. The built-in Windows firewall can only keep nasties from breaking in, but is unable to stop malware from sending information out. Some recommended firewalls are Online Armor, Outpost and PC Tools. More information on firewalls. Please keep only one FW installed.

10. Also look up:
Computer Security - a short guide to staying safer online
PC Safety and Security - What Do I Need? By Glaswegian
How to prevent malware: By miekiemoes
So how did I get infected in the first place? By Tony Klein
Microsoft Online Safety

Stay safe.

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#10 paradux

  • Topic Starter
  • Members
  • 7 posts

Posted 28 September 2011 - 07:15 AM

Jack&Jill,

Thanks for the great info. I will make sure any new/reformatted computer stays up to date per your recommendations.

--Liz

#11 Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 28 September 2011 - 10:27 AM

Hello paradux :),

Glad to be of help. I will keep this topic open for another day in case you have any questions.

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.


#12 Jack&Jill

  • Malware Response Team
  • 385 posts
  • Gender:Male
  • Location:South East Asia

Posted 29 September 2011 - 07:52 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Jack&Jill
MRU Teacher of Malware Removal University.
Member of ASAP and UNITE.




