
Inactive virus removal difficulty

Discussion in 'Malware and Virus Removal Archive' started by fantasma, 2011/01/30.

Thread Status:
Not open for further replies.
  1. 2011/01/30
    fantasma

    fantasma Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    146
    Likes Received:
    0
    [Inactive] virus removal difficulty

    I recently removed 5 viruses from my laptop using the Kaspersky removal tool. At the end of the process, the Kaspersky report said that one of the 'trojans' could not be eliminated. I now get a message during boot up that "specified module could not be found" with reference to: C:\user\name\EXLOAD~1.DDL. Once I click "OK" the message disappears and the computer seems to be running OK. I'd like to sort this out so this message does not appear every time I start up. Following forum guidelines, I am attaching the results of the various scans requested:

    MALWARE (MBAM)
    www.malwarebytes.org

    Database version: 5640

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18999

    1/30/2011 3:16:01 PM
    mbam-log-2011-01-30 (15-16-01).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 383499
    Time elapsed: 2 hour(s), 19 minute(s), 24 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-01-30 12:31:39
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS543216L9A300 rev.FB2OC44C
    Running: gmer.exe; Driver: C:\Users\Dennis\AppData\Local\Temp\pwryrpog.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAB3272C7]

    ---- Kernel code sections - GMER 1.0.15 ----

    PAGE ntkrnlpa.exe!ZwTerminateProcess 82603DA3 5 Bytes JMP AB3272CB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----

    MBR CHECK


    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: Service Pack 2 (build 6002), 32-bit
    Base Board Manufacturer: Wistron
    BIOS Manufacturer: Hewlett-Packard
    System Manufacturer: Hewlett-Packard
    System Product Name: Compaq Presario CQ50 Notebook PC
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 198):
    0x82413000 \SystemRoot\system32\ntkrnlpa.exe
    0x827CC000 \SystemRoot\system32\hal.dll
    0x8040F000 \SystemRoot\system32\kdcom.dll
    0x80416000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x80486000 \SystemRoot\system32\PSHED.dll
    0x80497000 \SystemRoot\system32\BOOTVID.dll
    0x8049F000 \SystemRoot\system32\CLFS.SYS
    0x804E0000 \SystemRoot\system32\CI.dll
    0x8060F000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x8068B000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x80698000 \SystemRoot\system32\drivers\acpi.sys
    0x806DE000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x806E7000 \SystemRoot\system32\drivers\msisadrv.sys
    0x806EF000 \SystemRoot\system32\drivers\pci.sys
    0x80716000 \SystemRoot\system32\drivers\isapnp.sys
    0x80725000 \SystemRoot\system32\drivers\mpio.sys
    0x80741000 \SystemRoot\System32\drivers\partmgr.sys
    0x80750000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x80753000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x8075D000 \SystemRoot\system32\drivers\volmgr.sys
    0x8076C000 \SystemRoot\System32\drivers\volmgrx.sys
    0x807B6000 \SystemRoot\system32\drivers\intelide.sys
    0x807BD000 \SystemRoot\system32\drivers\PCIIDEX.SYS
    0x807CB000 \SystemRoot\system32\drivers\pciide.sys
    0x807D2000 \SystemRoot\system32\drivers\aliide.sys
    0x807D9000 \SystemRoot\system32\drivers\amdide.sys
    0x807E0000 \SystemRoot\system32\drivers\cmdide.sys
    0x807E8000 \SystemRoot\System32\drivers\mountmgr.sys
    0x805C0000 \SystemRoot\system32\drivers\msdsm.sys
    0x805DA000 \SystemRoot\system32\drivers\nvraid.sys
    0x82A08000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x82A29000 \SystemRoot\system32\drivers\viaide.sys
    0x82A31000 \SystemRoot\system32\drivers\iastorv.sys
    0x82AD2000 \SystemRoot\system32\drivers\atapi.sys
    0x82ADA000 \SystemRoot\system32\drivers\ataport.SYS
    0x82AF8000 \SystemRoot\system32\drivers\lsi_scsi.sys
    0x82B12000 \SystemRoot\system32\drivers\storport.sys
    0x82B53000 \SystemRoot\system32\drivers\nvstor.sys
    0x82B60000 \SystemRoot\system32\drivers\msahci.sys
    0x82B6A000 \SystemRoot\system32\drivers\hpcisss.sys
    0x82B75000 \SystemRoot\system32\drivers\adp94xx.sys
    0x8860A000 \SystemRoot\system32\drivers\adpahci.sys
    0x88656000 \SystemRoot\system32\drivers\adpu160m.sys
    0x88671000 \SystemRoot\system32\drivers\SCSIPORT.SYS
    0x88697000 \SystemRoot\system32\drivers\adpu320.sys
    0x886BD000 \SystemRoot\system32\drivers\djsvs.sys
    0x886D1000 \SystemRoot\system32\drivers\arc.sys
    0x886E7000 \SystemRoot\system32\drivers\arcsas.sys
    0x886FD000 \SystemRoot\system32\drivers\elxstor.sys
    0x88791000 \SystemRoot\system32\drivers\i2omp.sys
    0x8879B000 \SystemRoot\system32\drivers\iirsp.sys
    0x887AB000 \SystemRoot\system32\drivers\iteatapi.sys
    0x887B7000 \SystemRoot\system32\drivers\iteraid.sys
    0x887C3000 \SystemRoot\system32\drivers\lsi_fc.sys
    0x887DD000 \SystemRoot\system32\drivers\lsi_sas.sys
    0x887F5000 \SystemRoot\system32\drivers\megasas.sys
    0x8880F000 \SystemRoot\system32\drivers\megasr.sys
    0x888C6000 \SystemRoot\system32\drivers\mraid35x.sys
    0x888D1000 \SystemRoot\system32\drivers\nfrd960.sys
    0x88A0A000 \SystemRoot\system32\drivers\ql2300.sys
    0x88B42000 \SystemRoot\system32\drivers\ql40xx.sys
    0x88B97000 \SystemRoot\system32\drivers\sisraid2.sys
    0x88BA4000 \SystemRoot\system32\drivers\sisraid4.sys
    0x88BB9000 \SystemRoot\system32\drivers\symc8xx.sys
    0x88BC5000 \SystemRoot\system32\drivers\sym_hi.sys
    0x88BD0000 \SystemRoot\system32\drivers\sym_u3.sys
    0x888DF000 \SystemRoot\system32\drivers\uliahci.sys
    0x88BDB000 \SystemRoot\system32\drivers\ulsata.sys
    0x8891B000 \SystemRoot\system32\drivers\ulsata2.sys
    0x88947000 \SystemRoot\system32\drivers\vsmraid.sys
    0x88968000 \SystemRoot\system32\drivers\fltmgr.sys
    0x8899A000 \SystemRoot\system32\drivers\fileinfo.sys
    0x88C0F000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x88C80000 \SystemRoot\system32\drivers\ndis.sys
    0x88D8B000 \SystemRoot\system32\drivers\msrpc.sys
    0x88DB6000 \SystemRoot\system32\drivers\NETIO.SYS
    0x88E0F000 \SystemRoot\System32\drivers\tcpip.sys
    0x88EF9000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x88F14000 \SystemRoot\system32\drivers\mfetdik.sys
    0x88F20000 \SystemRoot\system32\drivers\TDI.SYS
    0x89002000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x89112000 \SystemRoot\system32\drivers\wd.sys
    0x8911A000 \SystemRoot\system32\drivers\volsnap.sys
    0x89153000 \SystemRoot\System32\Drivers\spldr.sys
    0x8915B000 \SystemRoot\system32\drivers\sbp2port.sys
    0x89170000 \SystemRoot\System32\Drivers\mup.sys
    0x8917F000 \SystemRoot\System32\drivers\ecache.sys
    0x891A6000 \SystemRoot\system32\drivers\disk.sys
    0x891B7000 \SystemRoot\system32\drivers\crcdisk.sys
    0x891C0000 \SystemRoot\system32\DRIVERS\72902982.sys
    0x891EF000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x88F2B000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0x88F34000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0x88F43000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0x8CC04000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
    0x8D2E7000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x8D388000 \SystemRoot\System32\drivers\watchdog.sys
    0x8D394000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0x8D39F000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x8D3DD000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x88F4C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x88FD9000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
    0x8D40D000 \SystemRoot\system32\DRIVERS\athr.sys
    0x8D4F1000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x8D504000 \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
    0x8D509000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x8D514000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0x8D544000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x8D546000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x8D551000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0x8D555000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8D56D000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0x8D573000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x8D5A2000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x8D5B9000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x8D5C4000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x8D5E7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x8D3EC000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x889AA000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x889BF000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8D5F6000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x889CF000 \SystemRoot\system32\DRIVERS\ks.sys
    0x8D400000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x88E00000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x8D60E000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x8D643000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x8D654000 \SystemRoot\system32\drivers\CHDRT32.sys
    0x8D68F000 \SystemRoot\system32\drivers\portcls.sys
    0x8D6BC000 \SystemRoot\system32\drivers\drmk.sys
    0x8D6E1000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
    0x8D80A000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
    0x8D90D000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
    0x8D9C2000 \SystemRoot\system32\drivers\modem.sys
    0x8D9CF000 \SystemRoot\system32\drivers\IntcHdmi.sys
    0x8D9F0000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x8D9F9000 \SystemRoot\System32\Drivers\Null.SYS
    0x8D800000 \SystemRoot\System32\Drivers\Beep.SYS
    0x8D728000 \SystemRoot\system32\drivers\HIDPARSE.SYS
    0x8D72F000 \SystemRoot\System32\drivers\vga.sys
    0x8D73B000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8D75C000 \SystemRoot\system32\drivers\RTSTOR.SYS
    0x8D76F000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x8D777000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8D77F000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8D78A000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8D798000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x8D7A1000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8D7B7000 \SystemRoot\system32\DRIVERS\smb.sys
    0x8D7CB000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8DC0A000 \SystemRoot\system32\drivers\afd.sys
    0x8DC52000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x8DC68000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8DC76000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x8DC89000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    0x8DCAB000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0x8DCB1000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x8DCED000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8DCF7000 \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys
    0x8DCFE000 \SystemRoot\System32\Drivers\dfsc.sys
    0x8E00B000 \SystemRoot\system32\DRIVERS\72902981.sys
    0x8E52B000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0x8E534000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS


    DDS

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Dennis at 15:32:05.70 on Sun 01/30/2011
    Internet Explorer: 8.0.6001.18999
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1978.747 [GMT -5:00]

    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\SMINST\BLService.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
    C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    C:\Program Files\McAfee\Common Framework\McTray.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\iPod\bin\iPodService.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\conime.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Users\Dennis\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://my.yahoo.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Presario&pf=cnnb
    uInternet Settings,ProxyOverride = *.local
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
    BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    BHO: WOT Helper: {c920e44a-7f78-4e64-bdd7-a57026e7feb7} - c:\program files\wot\WOT.dll
    BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    TB: WOT: {71576546-354d-41c9-aae8-31f2ec22bf0d} - c:\program files\wot\WOT.dll
    EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\acrobat\AdobeUpdateManager.exe" AcPro7_1_0 -reboot 1
    uRun: [NvCplDaemonTool] rundll32.exe c:\users\dennis\EXLOAD~1.DLL,_IWMPEvents
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe "
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
    mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
    mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
    mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
    mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe "
    mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
    mRun: [<NO NAME>]
    mRun: [B2C_AGENT] c:\programdata\lgmobileax\b2c_client\B2CNotiAgent.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - c:\program files\wot\WOT.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
    Notify: igfxcui - igfxdev.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe "

    ============= SERVICES / DRIVERS ===============

    R0 72902982;72902982 Boot Guard Driver;c:\windows\system32\drivers\72902982.sys [2010-3-25 37392]
    R1 72902981;72902981;c:\windows\system32\drivers\72902981.sys [2010-3-25 128016]
    R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-12-16 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 67656]
    R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2008-10-24 104000]
    R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2006-11-30 144960]
    R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2006-11-30 54872]
    R2 Recovery Service for Windows;Recovery Service for Windows;c:\windows\sminst\BLService.exe [2008-6-27 361808]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-23 24652]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-6-27 193840]
    R3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
    R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-30 112128]
    R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-10-24 72264]
    R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-10-24 168776]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 12872]

    =============== Created Last 30 ================

    2011-01-28 12:20:58 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{f4043a49-b3ab-4528-a26f-14e05fdb2d41}\mpengine.dll
    2011-01-26 12:52:57 -------- d-----w- c:\program files\iPod
    2011-01-26 12:40:12 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
    2011-01-26 12:40:12 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
    2011-01-26 12:40:12 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
    2011-01-26 12:40:12 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
    2011-01-26 12:40:12 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
    2011-01-26 12:40:12 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
    2011-01-26 12:40:12 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
    2011-01-12 12:45:34 413696 ----a-w- c:\windows\system32\odbc32.dll
    2011-01-12 12:45:32 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
    2011-01-12 12:45:31 253952 ----a-w- c:\program files\common files\system\ado\msadox.dll
    2011-01-12 12:45:31 241664 ----a-w- c:\program files\common files\system\ado\msadomd.dll
    2011-01-12 12:45:30 57344 ----a-w- c:\program files\common files\system\msadc\msadcs.dll
    2011-01-12 12:45:30 180224 ----a-w- c:\program files\common files\system\msadc\msadco.dll
    2011-01-12 12:45:21 1169408 ----a-w- c:\windows\system32\sdclt.exe
    2011-01-11 02:49:52 -------- d-----w- C:\5da9ca78c0cd08dd788ab178d0ac
    2011-01-06 19:30:50 -------- d-----w- C:\PSP Revamp

    ==================== Find3M ====================

    2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
    2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
    2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
    2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
    2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    1998-04-24 09:06:42 463872 ----a-w- c:\program files\Convert.exe

    ============= FINISH: 15:34:07.88 ===============


    Any feed back / advice as to what I should do next will be appreciated.

    Thanks in advance.
     
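The DDS report above contains the line `uRun: [NvCplDaemonTool] rundll32.exe c:\users\dennis\EXLOAD~1.DLL,_IWMPEvents`, a per-user Run entry that loads a DLL out of the user profile. When the DLL named in such an entry is no longer on disk, rundll32 shows exactly the "specified module could not be found" dialog described at the top of the thread. The PowerShell script below is an added example (it is not part of the thread, and not part of DDS, GMER, MBRCheck or Malwarebytes); it lists every Run/RunOnce entry whose target file is missing, so that orphaned autostart entries can be reviewed. It is read-only and assumes Windows PowerShell 2.0 or later on the affected machine with the standard Run key locations; the helper name `Get-AutorunTarget` is mine.

```powershell
# Added example, not from the thread or from any of the tools whose logs appear in it.
# Lists Run/RunOnce autostart entries whose target file is missing. Read-only:
# nothing in the registry or on disk is changed.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Work out which file an autostart command line actually needs at logon.
function Get-AutorunTarget {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())

    # "rundll32.exe <dll>,<export>": rundll32 itself is always present, so the
    # module that must exist is the DLL in front of the comma.
    if ($cmd -match '^"?[^"]*?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,') {
        return $Matches[1].Trim()
    }
    # Quoted executable path, e.g. "c:\program files\itunes\iTunesHelper.exe".
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path that may contain spaces: grow the candidate one token at a
    # time until it names an existing file; otherwise report the first token.
    $tokens = $cmd -split '\s+'
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive, PSProvider.
        if ($p.Name -like 'PS*') { continue }
        $value = [string]$p.Value
        # Empty values (the "<NO NAME>" entry in the DDS report) start nothing.
        if ([string]::IsNullOrWhiteSpace($value)) { continue }
        $target = Get-AutorunTarget -CommandLine $value
        New-Object -TypeName PSObject -Property @{
            Key     = $key
            Name    = $p.Name
            Command = $value
            Target  = $target
            Exists  = (Test-Path -LiteralPath $target -PathType Leaf)
        }
    }
}

# Entries whose file is gone are the ones that raise the
# "specified module could not be found" dialog at logon.
$results | Where-Object { -not $_.Exists } | Format-List Key, Name, Command, Target
```

Run it from a PowerShell prompt as the user who sees the dialog, since HKCU entries are per user. Short 8.3 names such as `EXLOAD~1.DLL` resolve normally through `Test-Path`, so the entry from the DDS report would be reported with `Exists = False` if the DLL is gone. The script only reports; what to remove and how is a decision for the person guiding the cleanup, which on this forum is the moderator.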
  2. 2011/01/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ================================================================

    MBRCheck log is incomplete.
    Please, repost it.

    Attach.txt part of DDS is missing.
     


  4. 2011/01/30
    fantasma

    fantasma Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    146
    Likes Received:
    0
    Here is the file for MBR CHECK:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: Service Pack 2 (build 6002), 32-bit
    Base Board Manufacturer: Wistron
    BIOS Manufacturer: Hewlett-Packard
    System Manufacturer: Hewlett-Packard
    System Product Name: Compaq Presario CQ50 Notebook PC
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 199):
    0x82413000 \SystemRoot\system32\ntkrnlpa.exe
    0x827CC000 \SystemRoot\system32\hal.dll
    0x8040F000 \SystemRoot\system32\kdcom.dll
    0x80416000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x80486000 \SystemRoot\system32\PSHED.dll
    0x80497000 \SystemRoot\system32\BOOTVID.dll
    0x8049F000 \SystemRoot\system32\CLFS.SYS
    0x804E0000 \SystemRoot\system32\CI.dll
    0x8060F000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x8068B000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x80698000 \SystemRoot\system32\drivers\acpi.sys
    0x806DE000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x806E7000 \SystemRoot\system32\drivers\msisadrv.sys
    0x806EF000 \SystemRoot\system32\drivers\pci.sys
    0x80716000 \SystemRoot\system32\drivers\isapnp.sys
    0x80725000 \SystemRoot\system32\drivers\mpio.sys
    0x80741000 \SystemRoot\System32\drivers\partmgr.sys
    0x80750000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x80753000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x8075D000 \SystemRoot\system32\drivers\volmgr.sys
    0x8076C000 \SystemRoot\System32\drivers\volmgrx.sys
    0x807B6000 \SystemRoot\system32\drivers\intelide.sys
    0x807BD000 \SystemRoot\system32\drivers\PCIIDEX.SYS
    0x807CB000 \SystemRoot\system32\drivers\pciide.sys
    0x807D2000 \SystemRoot\system32\drivers\aliide.sys
    0x807D9000 \SystemRoot\system32\drivers\amdide.sys
    0x807E0000 \SystemRoot\system32\drivers\cmdide.sys
    0x807E8000 \SystemRoot\System32\drivers\mountmgr.sys
    0x805C0000 \SystemRoot\system32\drivers\msdsm.sys
    0x805DA000 \SystemRoot\system32\drivers\nvraid.sys
    0x82A08000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x82A29000 \SystemRoot\system32\drivers\viaide.sys
    0x82A31000 \SystemRoot\system32\drivers\iastorv.sys
    0x82AD2000 \SystemRoot\system32\drivers\atapi.sys
    0x82ADA000 \SystemRoot\system32\drivers\ataport.SYS
    0x82AF8000 \SystemRoot\system32\drivers\lsi_scsi.sys
    0x82B12000 \SystemRoot\system32\drivers\storport.sys
    0x82B53000 \SystemRoot\system32\drivers\nvstor.sys
    0x82B60000 \SystemRoot\system32\drivers\msahci.sys
    0x82B6A000 \SystemRoot\system32\drivers\hpcisss.sys
    0x82B75000 \SystemRoot\system32\drivers\adp94xx.sys
    0x8860A000 \SystemRoot\system32\drivers\adpahci.sys
    0x88656000 \SystemRoot\system32\drivers\adpu160m.sys
    0x88671000 \SystemRoot\system32\drivers\SCSIPORT.SYS
    0x88697000 \SystemRoot\system32\drivers\adpu320.sys
    0x886BD000 \SystemRoot\system32\drivers\djsvs.sys
    0x886D1000 \SystemRoot\system32\drivers\arc.sys
    0x886E7000 \SystemRoot\system32\drivers\arcsas.sys
    0x886FD000 \SystemRoot\system32\drivers\elxstor.sys
    0x88791000 \SystemRoot\system32\drivers\i2omp.sys
    0x8879B000 \SystemRoot\system32\drivers\iirsp.sys
    0x887AB000 \SystemRoot\system32\drivers\iteatapi.sys
    0x887B7000 \SystemRoot\system32\drivers\iteraid.sys
    0x887C3000 \SystemRoot\system32\drivers\lsi_fc.sys
    0x887DD000 \SystemRoot\system32\drivers\lsi_sas.sys
    0x887F5000 \SystemRoot\system32\drivers\megasas.sys
    0x8880F000 \SystemRoot\system32\drivers\megasr.sys
    0x888C6000 \SystemRoot\system32\drivers\mraid35x.sys
    0x888D1000 \SystemRoot\system32\drivers\nfrd960.sys
    0x88A0A000 \SystemRoot\system32\drivers\ql2300.sys
    0x88B42000 \SystemRoot\system32\drivers\ql40xx.sys
    0x88B97000 \SystemRoot\system32\drivers\sisraid2.sys
    0x88BA4000 \SystemRoot\system32\drivers\sisraid4.sys
    0x88BB9000 \SystemRoot\system32\drivers\symc8xx.sys
    0x88BC5000 \SystemRoot\system32\drivers\sym_hi.sys
    0x88BD0000 \SystemRoot\system32\drivers\sym_u3.sys
    0x888DF000 \SystemRoot\system32\drivers\uliahci.sys
    0x88BDB000 \SystemRoot\system32\drivers\ulsata.sys
    0x8891B000 \SystemRoot\system32\drivers\ulsata2.sys
    0x88947000 \SystemRoot\system32\drivers\vsmraid.sys
    0x88968000 \SystemRoot\system32\drivers\fltmgr.sys
    0x8899A000 \SystemRoot\system32\drivers\fileinfo.sys
    0x88C0F000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x88C80000 \SystemRoot\system32\drivers\ndis.sys
    0x88D8B000 \SystemRoot\system32\drivers\msrpc.sys
    0x88DB6000 \SystemRoot\system32\drivers\NETIO.SYS
    0x88E0F000 \SystemRoot\System32\drivers\tcpip.sys
    0x88EF9000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x88F14000 \SystemRoot\system32\drivers\mfetdik.sys
    0x88F20000 \SystemRoot\system32\drivers\TDI.SYS
    0x89002000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x89112000 \SystemRoot\system32\drivers\wd.sys
    0x8911A000 \SystemRoot\system32\drivers\volsnap.sys
    0x89153000 \SystemRoot\System32\Drivers\spldr.sys
    0x8915B000 \SystemRoot\system32\drivers\sbp2port.sys
    0x89170000 \SystemRoot\System32\Drivers\mup.sys
    0x8917F000 \SystemRoot\System32\drivers\ecache.sys
    0x891A6000 \SystemRoot\system32\drivers\disk.sys
    0x891B7000 \SystemRoot\system32\drivers\crcdisk.sys
    0x891C0000 \SystemRoot\system32\DRIVERS\72902982.sys
    0x891EF000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x88F2B000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0x88F34000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0x88F43000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0x8CC04000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
    0x8D2E7000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x8D388000 \SystemRoot\System32\drivers\watchdog.sys
    0x8D394000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0x8D39F000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x8D3DD000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x88F4C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x88FD9000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
    0x8D40D000 \SystemRoot\system32\DRIVERS\athr.sys
    0x8D4F1000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x8D504000 \SystemRoot\system32\DRIVERS\HpqKbFiltr.sys
    0x8D509000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x8D514000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0x8D544000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x8D546000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x8D551000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0x8D555000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8D56D000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0x8D573000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x8D5A2000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x8D5B9000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x8D5C4000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x8D5E7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x8D3EC000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x889AA000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x889BF000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8D5F6000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x889CF000 \SystemRoot\system32\DRIVERS\ks.sys
    0x8D400000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x88E00000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x8D60E000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x8D643000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x8D654000 \SystemRoot\system32\drivers\CHDRT32.sys
    0x8D68F000 \SystemRoot\system32\drivers\portcls.sys
    0x8D6BC000 \SystemRoot\system32\drivers\drmk.sys
    0x8D6E1000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
    0x8D80A000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
    0x8D90D000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
    0x8D9C2000 \SystemRoot\system32\drivers\modem.sys
    0x8D9CF000 \SystemRoot\system32\drivers\IntcHdmi.sys
    0x8D9F0000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x8D9F9000 \SystemRoot\System32\Drivers\Null.SYS
    0x8D800000 \SystemRoot\System32\Drivers\Beep.SYS
    0x8D728000 \SystemRoot\system32\drivers\HIDPARSE.SYS
    0x8D72F000 \SystemRoot\System32\drivers\vga.sys
    0x8D73B000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8D75C000 \SystemRoot\system32\drivers\RTSTOR.SYS
    0x8D76F000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x8D777000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8D77F000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8D78A000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8D798000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x8D7A1000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8D7B7000 \SystemRoot\system32\DRIVERS\smb.sys
    0x8D7CB000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8DC0A000 \SystemRoot\system32\drivers\afd.sys
    0x8DC52000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x8DC68000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8DC76000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x8DC89000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    0x8DCAB000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0x8DCB1000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x8DCED000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8DCF7000 \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys
    0x8DCFE000 \SystemRoot\System32\Drivers\dfsc.sys
    0x8E00B000 \SystemRoot\system32\DRIVERS\72902981.sys
    0x8E52B000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0x8E534000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0x8E544000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x8E54C000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x8E559000 \SystemRoot\System32\Drivers\dump_dumpata.sys
    0x8E564000 \SystemRoot\System32\Drivers\dump_msahci.sys
    0x95C20000 \SystemRoot\System32\win32k.sys
    0x8E56E000 \SystemRoot\System32\drivers\Dxapi.sys
    0x8E578000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x95E40000 \SystemRoot\System32\TSDDD.dll
    0x95E60000 \SystemRoot\System32\cdd.dll
    0x8E587000 \SystemRoot\system32\drivers\luafv.sys
    0x8DD15000 \SystemRoot\system32\drivers\spsys.sys
    0x8E5A2000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x8E5B2000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x8E5DC000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x8E5E6000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0xA9604000 \SystemRoot\system32\drivers\HTTP.sys
    0xA9671000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0xA968E000 \SystemRoot\system32\DRIVERS\bowser.sys
    0xA96A7000 \SystemRoot\System32\drivers\mpsdrv.sys
    0xA96BC000 \SystemRoot\system32\drivers\mrxdav.sys
    0xA96DD000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xA96FC000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0xA9735000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0xA974D000 \SystemRoot\System32\DRIVERS\srv2.sys
    0xA9775000 \SystemRoot\System32\DRIVERS\srv.sys
    0xA97DB000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xAB202000 \SystemRoot\system32\drivers\peauth.sys
    0xAB2E0000 \SystemRoot\System32\Drivers\secdrv.SYS
    0xAB2EA000 \SystemRoot\System32\drivers\tcpipreg.sys
    0xAB2F6000 \SystemRoot\system32\DRIVERS\xaudio.sys
    0xAB2FE000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0xAB314000 \SystemRoot\system32\drivers\mfehidk.sys
    0xAB33C000 \SystemRoot\system32\drivers\mfeapfk.sys
    0xAB34B000 \SystemRoot\system32\drivers\mfeavfk.sys
    0xAB35B000 \??\C:\Users\Dennis\AppData\Local\Temp\pwryrpog.sys
    0xAB37B000 \??\C:\Users\Dennis\AppData\Local\Temp\mbr.sys
    0x77BA0000 \Windows\System32\ntdll.dll

    Processes (total 80):
    0 System Idle Process
    4 System
    408 C:\Windows\System32\smss.exe
    540 csrss.exe
    584 C:\Windows\System32\wininit.exe
    596 csrss.exe
    628 C:\Windows\System32\services.exe
    640 C:\Windows\System32\lsass.exe
    652 C:\Windows\System32\lsm.exe
    724 C:\Windows\System32\winlogon.exe
    836 C:\Windows\System32\svchost.exe
    896 C:\Windows\System32\svchost.exe
    936 C:\Windows\System32\svchost.exe
    1048 C:\Windows\System32\svchost.exe
    1100 C:\Windows\System32\svchost.exe
    1128 C:\Windows\System32\svchost.exe
    1192 C:\Windows\System32\audiodg.exe
    1216 C:\Windows\System32\svchost.exe
    1240 C:\Windows\System32\SLsvc.exe
    1288 C:\Windows\System32\svchost.exe
    1480 C:\Windows\System32\svchost.exe
    1632 C:\Windows\System32\wlanext.exe
    1712 C:\Windows\System32\spoolsv.exe
    1764 C:\Windows\System32\svchost.exe
    1952 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    1980 C:\Program Files\Bonjour\mDNSResponder.exe
    2020 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    2044 C:\Program Files\McAfee\Common Framework\FrameworkService.exe
    520 C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
    600 C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    824 naPrdMgr.exe
    1592 C:\Windows\System32\svchost.exe
    1844 C:\Windows\SMINST\BLService.exe
    2052 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    2120 C:\Windows\System32\svchost.exe
    2172 C:\Program Files\Viewpoint\Common\ViewpointService.exe
    2188 C:\Windows\System32\svchost.exe
    2240 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
    2288 C:\Windows\System32\SearchIndexer.exe
    2364 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
    2396 C:\Windows\System32\drivers\XAudio.exe
    2732 C:\Windows\System32\taskeng.exe
    2832 C:\Windows\System32\taskeng.exe
    2884 C:\Windows\System32\dwm.exe
    2968 C:\Windows\explorer.exe
    3140 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    3152 C:\Program Files\HP\QuickPlay\QPService.exe
    3164 C:\Program Files\Windows Defender\MSASCui.exe
    3180 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    3188 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    3196 C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
    3204 C:\Program Files\McAfee\Common Framework\UdaterUI.exe
    3220 C:\Program Files\McAfee\Common Framework\Mctray.exe
    3236 C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
    3280 C:\Windows\System32\hkcmd.exe
    3344 C:\Windows\System32\igfxpers.exe
    3404 C:\Program Files\iTunes\iTunesHelper.exe
    3412 C:\Program Files\Windows Sidebar\sidebar.exe
    3420 C:\Windows\ehome\ehtray.exe
    3828 C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    2228 C:\Windows\ehome\ehmsas.exe
    2796 C:\Windows\System32\igfxsrvc.exe
    1960 WmiPrvSE.exe
    2356 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    1732 C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    964 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    3620 C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    3676 C:\Program Files\iPod\bin\iPodService.exe
    3320 C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
    5660 C:\Windows\System32\svchost.exe
    3452 C:\Windows\System32\conime.exe
    4164 C:\Program Files\Internet Explorer\iexplore.exe
    4844 C:\Windows\System32\Macromed\Flash\FlashUtil10l_ActiveX.exe
    6008 C:\Program Files\Internet Explorer\iexplore.exe
    2308 C:\Program Files\Internet Explorer\iexplore.exe
    4544 C:\Program Files\Internet Explorer\iexplore.exe
    4016 C:\Users\Dennis\Desktop\MBRCheck.exe
    6056 C:\Windows\System32\SearchProtocolHost.exe
    4272 C:\Windows\System32\SearchFilterHost.exe
    4972 C:\Users\Dennis\Desktop\MBRCheck2.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000022`cc100000 (NTFS)

    PhysicalDrive0 Model Number: HitachiHTS543216L9A300, Rev: FB2OC44C

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: 08F21ADD893776C287CC68A3558F8D095B50ED3C


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:



    I am pasting the content of the "attachment" of DDS scan. (I made a compressed version of it, but do not see how I can send an attachment to this mail.) If the pasted version below is not satisfactory, advise. Thanks.



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume1
    Install Date: 9/8/2008 1:39:21 AM
    System Uptime: 1/30/2011 9:37:39 AM (10 hours ago)

    Motherboard: Wistron | | 360B
    Processor: Intel(R) Pentium(R) Dual CPU T3200 @ 2.00GHz | CPU | 2000/667mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 139 GiB total, 27.658 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 1.746 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP717: 1/21/2011 7:22:39 AM - Windows Update
    RP718: 1/22/2011 8:24:22 PM - Scheduled Checkpoint
    RP719: 1/24/2011 10:23:36 AM - Scheduled Checkpoint
    RP720: 1/25/2011 9:21:00 AM - Windows Update
    RP721: 1/26/2011 7:47:12 AM - Device Driver Package Install: Apple, Inc. Universal Serial Bus controllers
    RP722: 1/26/2011 7:48:16 AM - Device Driver Package Install: Apple Network adapters
    RP723: 1/26/2011 8:24:03 PM - Scheduled Checkpoint
    RP724: 1/27/2011 2:52:52 PM - Scheduled Checkpoint
    RP725: 1/28/2011 7:20:14 AM - Windows Update
    RP726: 1/30/2011 10:42:36 AM - Scheduled Checkpoint

    ==== Installed Programs ======================

    Acrobat.com
    ActiveCheck component for HP Active Support Library
    Adobe Acrobat 7.0 Professional
    Adobe Acrobat 7.1.0 Professional
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Reader 9.4.1
    Adobe Shockwave Player
    AIM 6
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Atheros Driver Installation Program
    Bonjour
    Cards_Calendar_OrderGift_DoMorePlugout
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    Compatibility Pack for the 2007 Office system
    Compresor WinRAR
    Conexant HD Audio
    CyberLink DVD Suite
    D3DX10
    ESU for Microsoft Vista
    HDAUDIO Soft Data Fax Modem with SmartCP
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Active Support Library
    HP Customer Experience Enhancements
    HP Doc Viewer
    HP DVD Play 3.7
    HP Help and Support
    HP Photosmart Essential 2.5
    HP Quick Launch Buttons 6.40 F1
    HP Smart Web Printing
    HP Total Care Advisor
    HP Update
    HP User Guides 0121
    HP Wireless Assistant
    HPAsset component for HP Active Support Library
    HPNetworkAssistant
    HPPhotoSmartDiscLabel_PaperLabel
    HPPhotoSmartDiscLabel_PrintOnDisc
    HPPhotoSmartDiscLabel_Tattoo
    HPPhotoSmartDiscLabelContent1
    hpphotosmartdisclabelplugin
    HPPhotoSmartPhotobookHolidayPack1
    HPPhotoSmartPhotobookModernPack1
    HPPhotoSmartPhotobookPlayfulPack1
    HPPhotoSmartPhotobookScrapbookPack1
    HPPhotoSmartPhotobookWebPack1
    HPTCSSetup
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Java(TM) 6 Update 17
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    LG PC Suite II
    LG USB Modem driver
    LightScribe System Software 1.12.33.2
    Malwarebytes' Anti-Malware
    Mate Programming utility Ver 2.2.1
    McAfee VirusScan Enterprise
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Works
    MSVCRT
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    muvee autoProducer 6.1
    My HP Games
    NetWaiting
    OGA Notifier 2.0.0048.0
    PoiZone
    Power2Go
    PowerDirector
    PSSWCORE
    QuickPlay SlingPlayer 0.4.6
    QuickTime
    Realtek 8169 8168 8101E 8102E Ethernet Driver
    Realtek USB 2.0 Card Reader
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Segoe UI
    SUPERAntiSpyware Free Edition
    Synaptics Pointing Device Driver
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    VideoToolkit01
    Viewpoint Media Player
    WhiteCap
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live ID Sign-in Assistant
    Windows Live Installer
    Windows Live Messenger
    Windows Live Photo Common
    Windows Live PIMT Platform
    Windows Live SOXE
    Windows Live SOXE Definitions
    Windows Live UX Platform
    Windows Live UX Platform Language Pack
    WOT for Internet Explorer
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    1/30/2011 7:44:07 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: mfetdik
    1/30/2011 7:44:07 AM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    1/30/2011 7:29:17 AM, Error: EventLog [6008] - The previous system shutdown at 7:28:13 AM on 1/30/2011 was unexpected.
    1/30/2011 6:52:20 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the HP Health Check Service service to connect.
    1/30/2011 6:52:20 AM, Error: Service Control Manager [7000] - The HP Health Check Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/29/2011 9:27:01 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.33 for the Network Card with network address 00234D086C4B has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    1/29/2011 9:24:56 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the hpqwmiex service to connect.
    1/29/2011 9:24:56 PM, Error: Service Control Manager [7000] - The hpqwmiex service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/29/2011 9:23:47 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service hpqwmiex with arguments " " in order to run the server: {F5539356-2F02-40D4-999E-FA61F45FE12E}
    1/29/2011 9:21:02 PM, Error: EventLog [6008] - The previous system shutdown at 9:20:01 PM on 1/29/2011 was unexpected.
    1/29/2011 5:28:09 PM, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/29/2011 5:00:39 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Com4QLBEx service to connect.
    1/29/2011 5:00:39 PM, Error: Service Control Manager [7000] - The Com4QLBEx service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/29/2011 5:00:39 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service Com4QLBEx with arguments " " in order to run the server: {DB536E5D-10F7-4B34-B443-140161048E2E}
    1/29/2011 11:17:12 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.34 for the Network Card with network address 00234D086C4B has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    1/27/2011 10:24:29 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
    1/26/2011 7:49:03 AM, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/23/2011 9:29:03 PM, Error: EventLog [6008] - The previous system shutdown at 9:27:34 PM on 1/23/2011 was unexpected.
    1/23/2011 9:16:25 PM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.

    ==== End Of File ===========================
     
  5. 2011/01/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    We need to double check your MBR.

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  6. 2011/01/31
    fantasma

    fantasma Well-Known Member Thread Starter

    Joined:
    2002/01/07
    Messages:
    146
    Likes Received:
    0
    Here is log requested:


    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.2.0.0
    OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6002), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 2404788b716b45266811c1294c3c975c

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...



    I'll check back to see your comments. Thanks.
     
  7. 2011/01/31
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    We need to fix your MBR....

    Please download NTBR by noahdfear and save it to your Desktop.
    File size: 2.44 MB (2,565,432 bytes)

    • Place a blank CD in your CD drive.
    • Double click on NTBR_CD.exe file and a folder of the same name will appear.
    • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
    • Follow the prompts to burn the CD.
    • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
    • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
    • Insert the newly created CD into your infected PC and reboot your computer.
    • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
    • Read the warning and then continue as prompted.
    • You first need to select your keyboard layout - press Enter for English.
    • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
    • On the following screen enter 5 to select Install Standard MBR code.
    • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
    • When asked to confirm please do so.
    • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
    • Eject the disc and then press ctrl+alt+del to reboot the PC.
    Once rebooted, run MBRCheck again and post its log.

    **Important note to Dell users - fixing the MBR may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. If this is a Dell computer, let me know before proceeding.
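As an added illustration (not code from MBRCheck, Bootkit Remover or NTBR), here is a Python parser for a 512-byte master boot record that reproduces the checks behind the logs above: the 0x55AA signature, the partition table (the C: offset 0x7e00 reported by MBRCheck is LBA 63 × 512), a boot-code fingerprint compared against a caller-supplied list of known-good hashes (none are shipped here), and a post-fix check that a repair like NTBR's "Install Standard MBR code" changed only the boot code and left the partition table intact. The disk image, its boot code and the NT disk signature are constructed; which byte range the real tools hash is not documented on this page and is assumed here to be the first 440 bytes.

```python
"""Parse and fingerprint a 512-byte MBR the way the MBRCheck / Bootkit Remover
logs report it. Added example for this thread; not code from those tools.
All disk data below is constructed."""
import hashlib
import struct

SECTOR = 512
MBR_SIGNATURE = 0xAA55       # bytes 0x55 0xAA at offset 510, little-endian
BOOT_CODE_LEN = 440          # boot code; assumed range the tools fingerprint
DISK_SIG_OFFSET = 440        # 4-byte NT disk signature + 2 bytes padding
PART_TABLE_OFFSET = 446      # four 16-byte entries, then the signature


def parse_partitions(mbr):
    """Return the non-empty primary partition entries with their byte offsets."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
        status, ptype, lba_start, sectors = struct.unpack_from('<B3xB3xII', mbr, off)
        if ptype == 0:
            continue                      # unused slot
        parts.append({'index': i, 'bootable': status == 0x80, 'type': ptype,
                      'lba_start': lba_start, 'sectors': sectors,
                      'byte_offset': lba_start * SECTOR})
    return parts


def check_mbr(mbr):
    """Summarise a boot sector: signature validity plus the partition layout."""
    if len(mbr) != SECTOR:
        raise ValueError('MBR must be exactly 512 bytes')
    sig_ok = struct.unpack_from('<H', mbr, 510)[0] == MBR_SIGNATURE
    return {'signature_ok': sig_ok, 'partitions': parse_partitions(mbr)}


def classify_boot_code(mbr, known_good_sha1):
    """Mirror MBRCheck's verdict: 'Known' only if the boot-code SHA1 is in a
    caller-supplied set of known-good hashes; anything else is 'Unknown'."""
    sha1 = hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()
    label = 'Known MBR code' if sha1 in known_good_sha1 else 'Unknown MBR code'
    return label, sha1


def only_boot_code_replaced(before, after):
    """After a fix that rewrites standard boot code, bytes 0..439 must differ
    while disk signature, partition table and 0x55AA stay byte-identical."""
    return (before[BOOT_CODE_LEN:] == after[BOOT_CODE_LEN:]
            and before[:BOOT_CODE_LEN] != after[:BOOT_CODE_LEN])


def build_sample_mbr(boot_code):
    """Construct an MBR with the two-partition layout seen in the thread's
    MBRCheck output: C: at byte offset 0x7E00 (LBA 63), D: at 0x22CC100000."""
    code = boot_code.ljust(BOOT_CODE_LEN, b'\x00')[:BOOT_CODE_LEN]
    disk_sig = struct.pack('<I', 0x1234ABCD) + b'\x00\x00'   # placeholder signature
    c_start = 63
    d_start = 0x22CC100000 // SECTOR                       # 0x11660800
    d_sectors = 10 * 1024 ** 3 // SECTOR                   # a 10 GiB D: volume
    # status, CHS start, type (0x07 = NTFS), CHS end, LBA start, sector count
    c_entry = struct.pack('<B3sB3sII', 0x80, b'\x01\x01\x00', 0x07, b'\xFE\xFF\xFF',
                          c_start, d_start - c_start)
    d_entry = struct.pack('<B3sB3sII', 0x00, b'\xFE\xFF\xFF', 0x07, b'\xFE\xFF\xFF',
                          d_start, d_sectors)
    mbr = code + disk_sig + c_entry + d_entry + bytes(32) + struct.pack('<H', MBR_SIGNATURE)
    assert len(mbr) == SECTOR
    return mbr


if __name__ == '__main__':
    suspect = build_sample_mbr(b'\xEB\xFE' + b'\x90' * 64)   # constructed unknown code
    report = check_mbr(suspect)
    print('Signature OK:', report['signature_ok'])
    for p in report['partitions']:
        off = p['byte_offset']
        print(f"  entry {p['index']}: LBA {p['lba_start']} -> offset "
              f"0x{off >> 32:08x}`{off & 0xFFFFFFFF:08x}")
    print(classify_boot_code(suspect, set())[0])
    repaired = build_sample_mbr(b'STANDARD-CODE-STANDIN')   # constructed replacement
    print('Only boot code replaced:', only_boot_code_replaced(suspect, repaired))
```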
     