
Solved Malware/Keeps rebooting after blue screen

Discussion in 'Malware and Virus Removal Archive' started by Woodstock, 2011/03/23.

  1. 2011/03/24
    Woodstock

    Woodstock Inactive Thread Starter

    Joined:
    2011/03/23
    Messages:
    37
    Likes Received:
    0
    I am checking Windows now
     
  2. 2011/03/24
    Woodstock

    Woodstock Inactive Thread Starter

    Windows started slow
     

  4. 2011/03/24
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    That's fine.
    We're back in business :)

    We have some work to do though.

    Please, complete all steps listed here: this post

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  5. 2011/03/24
    Woodstock

    Woodstock Inactive Thread Starter

    Is free AVG ok??
     
  6. 2011/03/24
    broni

    broni Moderator Malware Analyst

    I don't recommend it for various reasons.
    I listed AV programs, which I DO recommend.
     
  7. 2011/03/24
    Woodstock

    Woodstock Inactive Thread Starter

    I've downloaded your recommendations, but I am unable to get into Control Panel; all I see is a flashlight.
     
  8. 2011/03/24
    broni

    broni Moderator Malware Analyst

    Why do you need to get to control panel?
    Your computer is, most likely, still seriously infected, so you may be experiencing all kinds of problems.
    Let me know about them, but keep going with prescribed steps.
    If you can't do something let me know.
     
  9. 2011/03/24
    Woodstock

    Woodstock Inactive Thread Starter

    Right now the computer is very slow; I'm able to go online but can't run a browser. I'm restarting now. I am going to Control Panel to set up my firewall.
     
  10. 2011/03/24
    broni

    broni Moderator Malware Analyst

    At this moment, the most important steps from my manual are scans.
    If you can't get to control panel, you can't.
    Leave that alone for now.

    Which browser are you using?
    Did you try a different browser?
    You can always use a working computer to download the necessary tools.
     
  11. 2011/03/24
    Woodstock

    Woodstock Inactive Thread Starter

    back on track, thxs
     
  12. 2011/03/24
    broni

    broni Moderator Malware Analyst

    Go on......
     
  13. 2011/03/24
    Woodstock

    Woodstock Inactive Thread Starter

    I am currently running the malware quick scan.
    I used Microsoft Security Essentials and found one virus called win32/alureon.h. When I tried to remove it, I got the message that Security Essentials couldn't apply the action.
    Error code 0x80501001
     
  14. 2011/03/24
    broni

    broni Moderator Malware Analyst

    As I said, if you can't do something, leave it alone.

    Post all logs whenever ready.
     
  15. 2011/03/24
    Woodstock

    Woodstock Inactive Thread Starter

    One sec
     
    Last edited: 2011/03/24
  16. 2011/03/24
    Woodstock

    Woodstock Inactive Thread Starter

    Logs for malware removal

    As instructed, I'm posting my results from the numerous scans.

    Malwarebytes:
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6136

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    3/25/2011 6:03:26 AM
    mbam-log-2011-03-25 (06-03-26).txt

    Scan type: Quick scan
    Objects scanned: 152740
    Time elapsed: 31 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    GMER:
    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit scan 2011-03-25 06:48:06
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 Hitachi_HTS541680J9SA00 rev.SB2OC70P
    Running: hd2j9y5x.exe; Driver: C:\DOCUME~1\BENSAG~1\LOCALS~1\Temp\pwdoikow.sys


    ---- System - GMER 1.0.15 ----

    SSDT spsa.sys ZwCreateKey [0xF82C20E0]
    SSDT spsa.sys ZwEnumerateKey [0xF82DADA4]
    SSDT spsa.sys ZwEnumerateValueKey [0xF82DB132]
    SSDT spsa.sys ZwOpenKey [0xF82C20C0]
    SSDT spsa.sys ZwQueryKey [0xF82DB20A]
    SSDT spsa.sys ZwQueryValueKey [0xF82DB08A]
    SSDT spsa.sys ZwSetValueKey [0xF82DB29C]

    INT 0x62 ? 82B8CBF8
    INT 0x82 ? 82B8CBF8
    INT 0x83 ? 82898F00
    INT 0x84 ? 82898F00
    INT 0x94 ? 82898F00

    ---- Kernel code sections - GMER 1.0.15 ----

    ? spsa.sys The system cannot find the file specified. !
    .text USBPORT.SYS!DllUnload F77748AC 5 Bytes JMP 828984E0
    init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF76E0EBF]
    .rsrc C:\WINDOWS\system32\DRIVERS\kbdclass.sys entry point in ".rsrc" section [0xF87F9E14]
    .text a1z32fwq.SYS F7503386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
    .text a1z32fwq.SYS F75033AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
    .text a1z32fwq.SYS F75033C4 3 Bytes [00, 80, 02]
    .text a1z32fwq.SYS F75033C9 1 Byte [30]
    .text a1z32fwq.SYS F75033C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
    .text ...
    ? System32\Drivers\avgtdix.sys The system cannot find the path specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[1256] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 0091000A
    .text C:\WINDOWS\System32\svchost.exe[1256] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
    .text C:\WINDOWS\System32\svchost.exe[1256] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0092000A
    .text C:\WINDOWS\System32\svchost.exe[1256] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0090000C
    .text C:\WINDOWS\System32\svchost.exe[1256] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0088000A
    .text C:\WINDOWS\System32\svchost.exe[1256] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00EA000A
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1868] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02D14408 C:\Program Files\MessengerPlus! 3\MsgPlusH.dll (Messenger Plus! Hook DLL/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1868] WS2_32.dll!send 71AB4C27 5 Bytes JMP 02D148E8 C:\Program Files\MessengerPlus! 3\MsgPlusH.dll (Messenger Plus! Hook DLL/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1868] WS2_32.dll!recv 71AB676F 5 Bytes JMP 02D148A6 C:\Program Files\MessengerPlus! 3\MsgPlusH.dll (Messenger Plus! Hook DLL/Patchou)
    .text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[1868] SHELL32.dll!Shell_NotifyIcon 7CA28C16 5 Bytes JMP 02D11163 C:\Program Files\MessengerPlus! 3\MsgPlusH.dll (Messenger Plus! Hook DLL/Patchou)
    .text C:\WINDOWS\Explorer.EXE[1956] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
    .text C:\WINDOWS\Explorer.EXE[1956] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
    .text C:\WINDOWS\Explorer.EXE[1956] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F82C3042] spsa.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F82C313E] spsa.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F82C30C0] spsa.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F82C3800] spsa.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F82C36D6] spsa.sys
    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F82D2B90] spsa.sys
    IAT \SystemRoot\System32\Drivers\a1z32fwq.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
    IAT \SystemRoot\System32\Drivers\a1z32fwq.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88
    IAT \SystemRoot\System32\Drivers\a1z32fwq.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
    IAT \SystemRoot\System32\Drivers\a1z32fwq.SYS[HAL.dll!KfRaiseIrql] 00001CB1
    IAT \SystemRoot\System32\Drivers\a1z32fwq.SYS[HAL.dll!KfLowerIrql] 0E798366
    IAT \SystemRoot\System32\Drivers\a1z32fwq.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
    IAT \SystemRoot\System32\Drivers\a1z32fwq.SYS[HAL.dll!HalTranslateBusAddress] 8986C636
    IAT \SystemRoot\System32\Drivers\a1z32fwq.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
    IAT \SystemRoot\System32\Drivers\a1z32fwq.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6
    IAT \SystemRoot\System32\Drivers\a1z32fwq.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
    IAT \SystemRoot\System32\Drivers\a1z32fwq.SYS[HAL.dll!READ_PORT_USHORT] 001C9686
    IAT \SystemRoot\System32\Drivers\a1z32fwq.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
    IAT \SystemRoot\System32\Drivers\a1z32fwq.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2
    IAT \SystemRoot\System32\Drivers\a1z32fwq.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
    IAT \SystemRoot\System32\Drivers\a1z32fwq.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E

    ---- Devices - GMER 1.0.15 ----

    Device 82B8A1F8
    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device 824E8500
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
    Device \Driver\NetBT \Device\NetBT_Tcpip_{FFFF51CC-DF92-474A-B0C0-A47A379FA49F} 82551500

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys

    Device \Driver\usbuhci \Device\USBPDO-0 829E71F8
    Device \Driver\usbuhci \Device\USBPDO-1 829E71F8
    Device \Driver\usbehci \Device\USBPDO-2 829A51F8
    Device \Driver\usbuhci \Device\USBPDO-3 829E71F8
    Device \Driver\usbuhci \Device\USBPDO-4 829E71F8

    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys

    Device \Driver\Ftdisk \Device\HarddiskVolume1 82B8D1F8
    Device \Driver\Ftdisk \Device\HarddiskVolume2 82B8D1F8
    Device \Driver\Cdrom \Device\CdRom0 8294A1F8
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 827E8AEA
    Device \Driver\atapi \Device\Ide\IdePort0 [F821EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 827E8AEA
    Device \Driver\atapi \Device\Ide\IdePort1 [F821EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 827E8AEA
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F821EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\Cdrom \Device\CdRom1 8294A1F8
    Device \Driver\Cdrom \Device\CdRom2 8294A1F8
    Device \Driver\Cdrom \Device\CdRom3 8294A1F8
    Device \Driver\NetBT \Device\NetBt_Wins_Export 82551500
    Device \Driver\NetBT \Device\NetbiosSmb 82551500
    Device \Driver\sptd \Device\2000177586 spsa.sys
    Device \Driver\PCI_PNP3836 \Device\0000004e spsa.sys

    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys

    Device \Driver\usbuhci \Device\USBFDO-0 829E71F8
    Device \Driver\usbuhci \Device\USBFDO-1 829E71F8
    Device \Driver\usbuhci \Device\USBFDO-2 829E71F8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82915500
    Device 82915500
    Device \Driver\usbuhci \Device\USBFDO-3 829E71F8
    Device \Driver\usbehci \Device\USBFDO-4 829A51F8
    Device \Driver\Ftdisk \Device\FtControl 82B8D1F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{0C1A4E29-72B1-43FD-927F-536CD04675D8} 82551500
    Device \Driver\USBSTOR \Device\0000008b 82781500
    Device \Driver\USBSTOR \Device\0000008c 82781500
    Device \Driver\a1z32fwq \Device\Scsi\a1z32fwq1Port2Path0Target2Lun0 829471F8
    Device \Driver\a1z32fwq \Device\Scsi\a1z32fwq1Port2Path0Target0Lun0 829471F8
    Device \Driver\a1z32fwq \Device\Scsi\a1z32fwq1Port2Path0Target1Lun0 829471F8
    Device \Driver\a1z32fwq \Device\Scsi\a1z32fwq1 829471F8

    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \FileSystem\Cdfs \Cdfs 81D161F8
    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HTS541680J9SA00_________________SB2OC70P#5&1951e31a&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    ---- Processes - GMER 1.0.15 ----

    Library C:\WINDOWS\system32\avgrsstx.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [788] 0x6C1B0000

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x79 0x02 0xC6 0x5F ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA8 0xC5 0x27 0xA1 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x05 0x02 0x33 0x27 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x96 0x04 0x5C 0xA4 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x14 0x18 0xFD 0xD4 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x79 0x02 0xC6 0x5F ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA8 0xC5 0x27 0xA1 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x05 0x02 0x33 0x27 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x96 0x04 0x5C 0xA4 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x14 0x18 0xFD 0xD4 ...
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesProcessed 75

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\Temp\TMP00001A62758AB830FBCD0D99 0 bytes
    File C:\WINDOWS\system32\DRIVERS\kbdclass.sys suspicious modification; TDL3 <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.15 ----

    MBRCheck:
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x000001dc

    Kernel Drivers (total 129):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806D0000 \WINDOWS\system32\hal.dll
    0xF89B5000 \WINDOWS\system32\KDCOM.DLL
    0xF88C5000 \WINDOWS\system32\BOOTVID.dll
    0xF82C1000 spsa.sys
    0xF89B7000 \WINDOWS\System32\Drivers\WMILIB.SYS
    0xF82A9000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
    0xF827B000 ACPI.sys
    0xF826A000 pci.sys
    0xF84B5000 isapnp.sys
    0xF88C9000 compbatt.sys
    0xF88CD000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xF8A7D000 pciide.sys
    0xF8735000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF824C000 pcmcia.sys
    0xF84C5000 MountMgr.sys
    0xF822D000 ftdisk.sys
    0xF88D1000 ACPIEC.sys
    0xF8A7E000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    0xF873D000 PartMgr.sys
    0xF84D5000 VolSnap.sys
    0xF8215000 atapi.sys
    0xF84E5000 disk.sys
    0xF84F5000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF81F5000 fltmgr.sys
    0xF81E3000 sr.sys
    0xF8505000 PxHelp20.sys
    0xF81CC000 KSecDD.sys
    0xF813F000 Ntfs.sys
    0xF8112000 NDIS.sys
    0xF80F8000 Mup.sys
    0xF8685000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF77F5000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
    0xF77E1000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF77BC000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF7780000 \SystemRoot\system32\DRIVERS\yk51x86.sys
    0xF87E5000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF775C000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF87ED000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF76E4000 \SystemRoot\system32\DRIVERS\ar5211.sys
    0xF76BC000 \SystemRoot\system32\drivers\tifm21.sys
    0xF8695000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF87F5000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF8805000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF86B5000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF86C5000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF86D5000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF753C000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF880D000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0xF7503000 \SystemRoot\System32\Drivers\a1z32fwq.SYS
    0xF89A5000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xF89A9000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0xF7437000 \SystemRoot\system32\DRIVERS\btkrnl.sys
    0xF8BB4000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF86E5000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF89AD000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF7420000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF86F5000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF8705000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF8875000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF740F000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF8715000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF88BD000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF8745000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF62A7000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF8565000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF8A09000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF6249000 \SystemRoot\system32\DRIVERS\update.sys
    0xF809F000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF61D3000 \SystemRoot\system32\drivers\btaudio.sys
    0xF61AF000 \SystemRoot\system32\drivers\portcls.sys
    0xF8575000 \SystemRoot\system32\drivers\drmk.sys
    0xF8585000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xAA365000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xAA252000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0xF8A0D000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF8765000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF85D5000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xAA1DB000 \SystemRoot\system32\DRIVERS\MpFilter.sys
    0xF877D000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xF8A11000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF8A98000 \SystemRoot\System32\Drivers\Null.SYS
    0xF8A13000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF878D000 \SystemRoot\System32\drivers\vga.sys
    0xF8A15000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF8A17000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF8795000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF879D000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF6241000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xAA1A8000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xAA14F000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xAA115000 \SystemRoot\System32\Drivers\avgtdix.sys
    0xAA0EF000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF85F5000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xAA09F000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xAA07D000 \SystemRoot\System32\drivers\afd.sys
    0xF8605000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xAA052000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xA9FE2000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF87AD000 \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6809CAF0-AF93-4992-9734-DFEB540CC0CB}\MpKslce6d3e2f.sys
    0xF8645000 \SystemRoot\System32\Drivers\Fips.SYS
    0xA9EEA000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xAA226000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF87A5000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF8B3E000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF021000 \SystemRoot\System32\ialmdnt5.dll
    0xBF012000 \SystemRoot\System32\ialmrnt5.dll
    0xBF043000 \SystemRoot\System32\ialmdev5.DLL
    0xBF07E000 \SystemRoot\System32\ialmdd5.DLL
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xA9975000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xF8655000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0xA9510000 \SystemRoot\system32\drivers\wdmaud.sys
    0xA989D000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA91C3000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xA9AB8000 \??\C:\WINDOWS\system32\ANIO.SYS
    0xF8855000 \??\C:\WINDOWS\system32\drivers\btserial.sys
    0xA9073000 \SystemRoot\system32\DRIVERS\secdrv.sys
    0xA8C91000 \SystemRoot\system32\DRIVERS\srv.sys
    0xA8C79000 \??\C:\WINDOWS\system32\drivers\tmcomm.sys
    0xA8D58000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xA85DC000 \SystemRoot\System32\Drivers\HTTP.sys
    0xA8591000 \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{6809CAF0-AF93-4992-9734-DFEB540CC0CB}\MpKsl64b02c8b.sys
    0xA83B2000 \??\C:\DOCUME~1\BENSAG~1\LOCALS~1\Temp\pwdoikow.sys
    0xA8387000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll
    0x10000000 \Program Files\DAEMON Tools Lite\Engine.dll

    Processes (total 43):
    0 System Idle Process
    4 System
    696 C:\WINDOWS\system32\smss.exe
    760 csrss.exe
    788 C:\WINDOWS\system32\winlogon.exe
    836 C:\WINDOWS\system32\services.exe
    848 C:\WINDOWS\system32\lsass.exe
    1012 C:\WINDOWS\system32\svchost.exe
    1072 svchost.exe
    1216 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    1256 C:\WINDOWS\system32\svchost.exe
    1348 svchost.exe
    1652 svchost.exe
    276 C:\WINDOWS\system32\spoolsv.exe
    1956 C:\WINDOWS\explorer.exe
    640 C:\WINDOWS\system32\hkcmd.exe
    656 C:\WINDOWS\system32\igfxpers.exe
    668 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    712 C:\Program Files\Java\jre6\bin\jusched.exe
    812 C:\WINDOWS\RTHDCPL.exe
    980 C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    1060 C:\Program Files\iTunes\iTunesHelper.exe
    1116 C:\Program Files\D-Link\DWA-130\AirNCFG.exe
    1208 C:\WINDOWS\AGRSMMSG.exe
    1336 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    1380 svchost.exe
    1160 C:\Program Files\Microsoft Security Client\msseces.exe
    1448 C:\WINDOWS\system32\ctfmon.exe
    1644 C:\Program Files\Messenger\msmsgs.exe
    1768 C:\Program Files\DAEMON Tools Lite\DTLite.exe
    1868 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    2252 C:\Program Files\WinZip\WZQKPICK.EXE
    2284 C:\WINDOWS\system32\ANIWConnService.exe
    2460 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    2772 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    2884 C:\Program Files\HP\HP LaserJet M1319 MFP Series\ReceiveFaxUtility.exe
    3048 C:\Program Files\Java\jre6\bin\jqs.exe
    3460 C:\WINDOWS\system32\svchost.exe
    4072 C:\DOCUME~1\BENSAG~1\LOCALS~1\Temp\RtkBtMnt.exe
    2964 C:\Program Files\iPod\bin\iPodService.exe
    3992 alg.exe
    2032 C:\WINDOWS\system32\wscntfy.exe
    3836 D:\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`f3947600 (NTFS)

    PhysicalDrive0 Model Number: HitachiHTS541680J9SA00, Rev: SB2OC70P

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
     
  17. 2011/03/24
    Woodstock

    Woodstock Inactive Thread Starter

    DDS Both Logs (DDS then Attach)
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Booda at 6:52:46.32 on Fri 03/25/2011
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.202 [GMT -4:00]
    .
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\D-Link\DWA-130\AirNCFG.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    svchost.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\DAEMON Tools Lite\DTLite.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\ANIWConnService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\HP\HP LaserJet M1319 MFP Series\ReceiveFaxUtility.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\DOCUME~1\BENSAG~1\LOCALS~1\Temp\RtkBtMnt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    D:\dds.scr
    .
    ============== Pseudo HJT Report ===============
    .
    uSearch Page = hxxp://www.google.com
    uStart Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com
    uDefault_Search_URL = hxxp://www.google.com/ie
    mSearch Bar = hxxp://www.google.com
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
    EB: GP Bar: {c3538050-face-11de-8a39-0800200c9a66} - %SystemRoot%\system32\shdocvw.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MessengerPlus3] "c:\program files\messengerplus! 3\MsgPlus.exe" /WinStart
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [MessengerPlus3] "c:\program files\messengerplus! 3\MsgPlus.exe "
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [D-Link D-Link Wireless N DWA-130] c:\program files\d-link\dwa-130\AirNCFG.exe
    mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
    mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=OQBBAFYARgBSAEUARQAtAFYATgBKADMAMgAtAEcAMwBMAEEAQQAtAEEANAA4ADkAUgAtADkAVQBKAEsARgAtAEUASwBLADMAWAA "& "inst=NwA3AC0ANQA3ADEANQAyADMANAA0ADYALQBYAE8AMwA2ACsAMQAtAEYATAArADkA "& "prod=90 "& "ver=9.0.894
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: Open with WordPerfect - c:\program files\corel\wordperfect office x4\programs\WPLauncher.hta
    IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\bensag~1\applic~1\mozilla\firefox\profiles\t6mft10w.default\
    FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.aleph.se/Trans/Individual/Mental/rules.html|http://www.menshealth.com/jumpstartyourday/10-minute-fat-blaster.php
    FF - prefs.js: keyword.URL - hxxp://ca.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_ca&p=
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\windows\system32\c2mp\npdivx32.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: XULRunner: {A922CF20-CFF6-43F0-B526-940D70ED19AA} - c:\documents and settings\ben sage\local settings\application data\{A922CF20-CFF6-43F0-B526-940D70ED19AA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: StumbleUpon: {AE93811A-5C9A-4d34-8462-F7B864FC4696} - %profile%\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
    R1 MpKsl64b02c8b;MpKsl64b02c8b;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6809caf0-af93-4992-9734-dfeb540cc0cb}\MpKsl64b02c8b.sys [2011-3-25 28752]
    R1 MpKslce6d3e2f;MpKslce6d3e2f;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{6809caf0-af93-4992-9734-dfeb540cc0cb}\MpKslce6d3e2f.sys [2011-3-25 28752]
    R2 ANIWConnService;ANIWConn Service;c:\windows\system32\ANIWConnService.exe [2009-12-27 143360]
    R2 HPM1319RcvFaxSrvc;HP M1319 Receive Fax Service;c:\program files\hp\hp laserjet m1319 mfp series\ReceiveFaxUtility.exe [2008-3-27 348160]
    R4 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys --> c:\windows\system32\drivers\avgtdix.sys [?]
    S3 HP1319EWS;HP1319EWS;c:\windows\system32\drivers\HP1319EWS.sys [2009-7-30 12800]
    S3 HP1319FAX;HP1319MFP FAX;c:\windows\system32\drivers\HP1319FAX.sys [2009-7-30 13824]
    S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys --> c:\windows\system32\drivers\rt2870.sys [?]
    S3 RTL8192u;Realtek RTL8192U Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192u.sys [2009-10-14 443776]
    .
    =============== Created Last 30 ================
    .
    2011-03-25 10:48:52 -------- d-----w- c:\docume~1\bensag~1\locals~1\applic~1\PCHealth
    2011-03-25 10:48:15 -------- d-----w- C:\d5ebb8874e8867b203b9c123e502
    2011-03-25 09:34:13 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{6809caf0-af93-4992-9734-dfeb540cc0cb}\MpKsl64b02c8b.sys
    2011-03-25 09:11:50 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{6809caf0-af93-4992-9734-dfeb540cc0cb}\MpKslce6d3e2f.sys
    2011-03-25 08:23:45 6792528 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{6809caf0-af93-4992-9734-dfeb540cc0cb}\mpengine.dll
    2011-03-25 08:23:39 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-03-25 08:16:06 -------- d-----w- c:\program files\Microsoft Security Client
    2011-03-25 07:25:00 507904 ----a-w- c:\windows\system32\winlogon.exe
    2011-03-25 07:23:41 1033728 ----a-w- c:\windows\explorer.exe
    2011-03-24 05:16:04 2234368 ----a-r- C:\OTLPE.exe
    2011-03-24 05:15:55 -------- d-----w- C:\_OTL
    2011-03-23 03:16:35 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
    2011-03-23 03:16:29 12536 ------w- c:\windows\system32\avgrsstx.dll.install_backup
    2011-03-23 03:11:03 -------- d-----w- c:\docume~1\alluse~1\applic~1\avg9
    2011-03-22 23:07:59 54016 ----a-w- c:\windows\system32\drivers\dxfigiv.sys
    2011-03-22 22:19:19 -------- d-----w- c:\docume~1\bensag~1\applic~1\Malwarebytes
    2011-03-22 22:19:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-22 22:19:14 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-03-22 22:19:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-22 22:19:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    .
    ==================== Find3M ====================
    .
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Hitachi_HTS541680J9SA00 rev.SB2OC70P -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x827E8EC5]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x82074872; SUB DWORD [EBP-0x4], 0x8207412e; PUSH EDI; CALL 0xffffffffffffdf33; }
    1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x82B4F030]
    3 CLASSPNP[0xF84F5FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000007c[0x82B23330]
    5 ACPI[0xF8281620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x82B23448]
    [0x825452E0] -> IRP_MJ_CREATE -> 0x827E8EC5
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HTS541680J9SA00_________________SB2OC70P#5&1951e31a&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x827E8AEA
    user & kernel MBR OK
    sectors 156301486 (+255): user != kernel
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 6:56:19.03 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 7/24/2009 5:22:50 PM
    System Uptime: 3/25/2011 5:24:35 AM (1 hours ago)
    .
    Motherboard: Acer, Inc. | | Prespa1
    Processor: Intel(R) Celeron(R) M CPU 520 @ 1.60GHz | U2E1 | 1600/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 67 GiB total, 40.823 GiB free.
    D: is Removable
    E: is CDROM ()
    G: is CDROM ()
    H: is CDROM ()
    I: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1: 8/19/2010 7:53:39 PM - System Checkpoint
    RP2: 8/19/2010 9:35:53 PM - Removed AVG Free 9.0
    RP3: 8/19/2010 9:40:39 PM - Installed AVG 9.0
    RP4: 8/19/2010 9:58:30 PM - avast! Free Antivirus Setup
    RP5: 9/11/2010 1:23:06 PM - System Checkpoint
    RP6: 3/22/2011 2:16:41 PM - avast! Free Antivirus Setup
    RP7: 3/22/2011 2:19:32 PM - Removed Bonjour
    RP8: 3/22/2011 5:30:30 PM - Installed Windows XP WgaNotify.
    RP9: 3/22/2011 10:57:14 PM - Installed ANIWZCS2 Service
    RP10: 3/22/2011 10:59:15 PM - Removed Skype™ 4.2
    RP11: 3/22/2011 11:00:40 PM - Removed Skype Toolbars
    RP12: 3/22/2011 11:11:02 PM - Installed AVG Free 9.0
    RP13: 3/22/2011 11:35:33 PM - Avg Update
    RP14: 3/25/2011 6:14:26 AM - Removed AVG Free 9.0
    RP15: 3/25/2011 6:18:55 AM - Installed AVG Free 9.0
    .
    ==== Installed Programs ======================
    .
    µTorrent
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3
    Adobe Shockwave Player 11.5
    Agere Systems HDA Modem
    ANIO Service
    ANIWZCS2 Service
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Atheros Wireless LAN
    Cole2k Media - Codec Pack (Advanced) 7.9.0
    Compatibility Pack for the 2007 Office system
    D-Link Wireless N DWA-130
    FaxSendInstaller
    FaxSetupInstaller
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP LaserJet M1319 MFP Series
    HP LaserJet M1319 MFP Series Toolbox
    HP LaserJet Toolbox
    hppusgM1310
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Java(TM) 6 Update 16
    LimeWire 5.4.6
    Lux Delux 6.0.2
    Malwarebytes' Anti-Malware
    MarketResearch
    Messenger Plus! 3
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Office Professional Edition 2003
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.8)
    MrvlUsgTracking
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    NVIDIA Drivers
    Picasa 3
    QuickTime
    Realtek High Definition Audio Driver
    ReceiveInstaller
    Scan To
    Security Update for Windows Internet Explorer 7 (KB2183461)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Segoe UI
    Software Update for Web Folders
    Spelling Dictionaries Support For Adobe Reader 9
    Synaptics Pointing Device Driver
    Tango
    Texas Instruments PCIxx21/x515/xx12 drivers.
    TIPCI
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VLC media player 1.0.1
    WIDCOMM Bluetooth Software
    Winamp
    Windows Genuine Advantage Notifications (KB905474)
    Windows Imaging Component
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows XP Service Pack 3
    WinZip 12.1
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/25/2011 6:23:09 AM, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.
    3/25/2011 6:19:25 AM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    3/25/2011 5:03:16 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    3/25/2011 5:02:49 AM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    3/25/2011 5:02:49 AM, error: Service Control Manager [7034] - The HP M1319 Receive Fax Service service terminated unexpectedly. It has done this 1 time(s).
    3/25/2011 5:02:48 AM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
    3/25/2011 5:02:47 AM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/25/2011 5:02:44 AM, error: Service Control Manager [7031] - The Bluetooth Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    3/25/2011 5:02:43 AM, error: Service Control Manager [7034] - The ANIWConn Service service terminated unexpectedly. It has done this 1 time(s).
    3/25/2011 5:02:24 AM, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
    3/25/2011 4:51:38 AM, error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Alureon.H&threatid=2147632576 Name: Virus:Win32/Alureon.H ID: 2147632576 Severity: Severe Category: Virus Path: rootkit:_Alureon->Kbdclass Detection Origin: Unknown Detection Type: Concrete Detection Source: User User: SAGELAPTOP\Booda Process Name: Unknown Action: Quarantine Action Status: To finish removing malware and other potentially unwanted software, restart the computer. To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x80070032 Error description: The request is not supported. Signature Version: AV: 1.101.77.0, AS: 1.101.77.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.6702.0, NIS: 0.0.0.0
    3/25/2011 4:51:38 AM, error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Alureon.H&threatid=2147632576 Name: Virus:Win32/Alureon.H ID: 2147632576 Severity: Severe Category: Virus Path: rootkit:_Alureon->Kbdclass Detection Origin: Unknown Detection Type: Concrete Detection Source: User User: SAGELAPTOP\Booda Process Name: Unknown Action: Clean Action Status: To finish removing malware and other potentially unwanted software, restart the computer. To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x800704ec Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator. Signature Version: AV: 1.101.77.0, AS: 1.101.77.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.6702.0, NIS: 0.0.0.0
    3/25/2011 4:24:01 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
    3/25/2011 4:20:10 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
    3/25/2011 4:18:49 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072f76 Error description: The requested header was not found
    3/25/2011 4:18:49 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072f76 Error description: The requested header was not found
    3/25/2011 4:18:49 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072f76 Error description: The requested header was not found
    3/25/2011 4:18:49 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072f76 Error description: The requested header was not found
    3/25/2011 4:18:49 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Malware Protection Center Update Stage: Search Source Path: http://go.microsoft.com/fwlink/?Lin...0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094 Signature Type: AntiSpyware Update Type: Full User: NT AUTHORITY\NETWORK SERVICE Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072f76 Error description: The requested header was not found
    3/25/2011 4:18:47 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 0.0.0.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 0.0.0.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
    3/22/2011 6:32:11 PM, error: Service Control Manager [7001] - The Universal Plug and Play Device Host service depends on the SSDP Discovery Service service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    3/22/2011 6:32:11 PM, error: DCOM [10005] - DCOM got error "%1068" attempting to start the service upnphost with arguments " " in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
    3/22/2011 10:49:30 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    3/22/2011 10:09:57 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    3/22/2011 10:09:57 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    3/22/2011 10:09:54 PM, error: Service Control Manager [7023] - The SSHNAS service terminated with the following error: The specified module could not be found.
    3/19/2011 6:52:33 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service iPod Service with arguments " " in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
    .
    ==== End Of File ===========================

    Thanks Again
     
  18. 2011/03/24
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Do NOT create new topic to post required logs.
    This time, I merged both topics.

    Hold on....
     
  19. 2011/03/24
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    We have a rootkit there...

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  20. 2011/03/25
    Woodstock

    Woodstock Inactive Thread Starter

    Joined:
    2011/03/23
    Messages:
    37
    Likes Received:
    0
    2011/03/25 17:06:41.0359 1652 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
    2011/03/25 17:06:43.0703 1652 ================================================================================
    2011/03/25 17:06:43.0703 1652 SystemInfo:
    2011/03/25 17:06:43.0703 1652
    2011/03/25 17:06:43.0703 1652 OS Version: 5.1.2600 ServicePack: 3.0
    2011/03/25 17:06:43.0703 1652 Product type: Workstation
    2011/03/25 17:06:43.0703 1652 ComputerName: SAGELAPTOP
    2011/03/25 17:06:43.0750 1652 UserName: Booda
    2011/03/25 17:06:44.0140 1652 Windows directory: C:\WINDOWS
    2011/03/25 17:06:44.0140 1652 System windows directory: C:\WINDOWS
    2011/03/25 17:06:44.0140 1652 Processor architecture: Intel x86
    2011/03/25 17:06:44.0140 1652 Number of processors: 1
    2011/03/25 17:06:44.0140 1652 Page size: 0x1000
    2011/03/25 17:06:44.0140 1652 Boot type: Normal boot
    2011/03/25 17:06:44.0140 1652 ================================================================================
    2011/03/25 17:06:57.0687 1652 Initialize success
    2011/03/25 17:07:20.0687 3908 ================================================================================
    2011/03/25 17:07:20.0687 3908 Scan started
    2011/03/25 17:07:20.0687 3908 Mode: Manual;
    2011/03/25 17:07:20.0687 3908 ================================================================================
    2011/03/25 17:07:36.0953 3908 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/03/25 17:07:39.0906 3908 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
    2011/03/25 17:07:43.0046 3908 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/03/25 17:07:45.0718 3908 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2011/03/25 17:07:48.0312 3908 AgereSoftModem (c41a5740468d0b9cb46e6390a0e15ce3) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
    2011/03/25 17:07:56.0484 3908 ANIO (920298c7aef97d8168d219d35975d295) C:\WINDOWS\system32\ANIO.SYS
    2011/03/25 17:07:58.0703 3908 AR5211 (baa6b3cc74a4377d063c5a92dd9c4098) C:\WINDOWS\system32\DRIVERS\ar5211.sys
    2011/03/25 17:08:04.0843 3908 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/03/25 17:08:06.0046 3908 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/03/25 17:08:08.0015 3908 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/03/25 17:08:09.0140 3908 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/03/25 17:08:10.0296 3908 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/03/25 17:08:12.0234 3908 btaudio (f73d41fd3653fe64cc79610f7b240472) C:\WINDOWS\system32\drivers\btaudio.sys
    2011/03/25 17:08:13.0890 3908 BTDriver (4854ed2ee57769b9527680978a9dd5b4) C:\WINDOWS\system32\DRIVERS\btport.sys
    2011/03/25 17:08:16.0796 3908 BTKRNL (4ebd4ebff01617fbda6ce7963f150918) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
    2011/03/25 17:08:18.0625 3908 BTSERIAL (6d9f1d03d4eba886e1626d856762b4f0) C:\WINDOWS\system32\drivers\btserial.sys
    2011/03/25 17:08:20.0171 3908 BTWDNDIS (96708d343264abaf8ad93c464b2fc9ca) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
    2011/03/25 17:08:21.0265 3908 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/03/25 17:08:23.0468 3908 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/03/25 17:08:24.0687 3908 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/03/25 17:08:25.0687 3908 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/03/25 17:08:27.0750 3908 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2011/03/25 17:08:29.0265 3908 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2011/03/25 17:08:32.0062 3908 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/03/25 17:08:33.0359 3908 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/03/25 17:08:35.0531 3908 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/03/25 17:08:36.0468 3908 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/03/25 17:08:37.0453 3908 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/03/25 17:08:39.0281 3908 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/03/25 17:08:40.0312 3908 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/03/25 17:08:41.0046 3908 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
    2011/03/25 17:08:41.0921 3908 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/03/25 17:08:42.0859 3908 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2011/03/25 17:08:43.0796 3908 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2011/03/25 17:08:44.0656 3908 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/03/25 17:08:45.0140 3908 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/03/25 17:08:45.0875 3908 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    2011/03/25 17:08:46.0453 3908 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/03/25 17:08:47.0359 3908 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/03/25 17:08:48.0328 3908 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/03/25 17:08:49.0031 3908 HP1319EWS (caf5f35a244dfccc151f4d372c259ed3) C:\WINDOWS\system32\Drivers\HP1319EWS.sys
    2011/03/25 17:08:49.0812 3908 HP1319FAX (1782b193438d451228143d2e4e11d4bb) C:\WINDOWS\system32\Drivers\HP1319FAX.sys
    2011/03/25 17:08:51.0187 3908 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/03/25 17:08:53.0375 3908 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/03/25 17:08:54.0968 3908 ialm (0f0194c4b635c10c3f785e4fee52d641) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
    2011/03/25 17:08:56.0484 3908 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/03/25 17:09:00.0843 3908 IntcAzAudAddService (a799e941c3d19bcf6f93cbe12b55bc17) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2011/03/25 17:09:05.0375 3908 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/03/25 17:09:06.0109 3908 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2011/03/25 17:09:06.0656 3908 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/03/25 17:09:07.0437 3908 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/03/25 17:09:08.0015 3908 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/03/25 17:09:09.0000 3908 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/03/25 17:09:09.0937 3908 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/03/25 17:09:10.0718 3908 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/03/25 17:09:11.0359 3908 Kbdclass (f16d3834fef230861d2292fdc5a292e6) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/03/25 17:09:11.0359 3908 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdclass.sys. Real md5: f16d3834fef230861d2292fdc5a292e6, Fake md5: 463c1ec80cd17420a542b7f36a36f128
    2011/03/25 17:09:11.0609 3908 Kbdclass - detected Rootkit.Win32.TDSS.tdl3 (0)
    2011/03/25 17:09:12.0296 3908 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/03/25 17:09:13.0234 3908 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/03/25 17:09:15.0390 3908 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/03/25 17:09:16.0562 3908 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/03/25 17:09:17.0296 3908 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/03/25 17:09:18.0187 3908 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/03/25 17:09:19.0140 3908 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/03/25 17:09:20.0140 3908 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
    2011/03/25 17:09:22.0500 3908 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/03/25 17:09:23.0781 3908 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/03/25 17:09:24.0875 3908 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/03/25 17:09:25.0656 3908 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/03/25 17:09:26.0578 3908 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/03/25 17:09:27.0218 3908 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/03/25 17:09:28.0250 3908 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/03/25 17:09:29.0406 3908 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/03/25 17:09:30.0531 3908 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/03/25 17:09:31.0593 3908 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/03/25 17:09:32.0406 3908 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/03/25 17:09:33.0656 3908 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/03/25 17:09:34.0703 3908 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/03/25 17:09:35.0515 3908 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/03/25 17:09:37.0078 3908 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/03/25 17:09:38.0250 3908 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/03/25 17:09:39.0421 3908 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/03/25 17:09:40.0468 3908 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/03/25 17:09:41.0468 3908 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/03/25 17:09:42.0281 3908 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/03/25 17:09:43.0062 3908 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
    2011/03/25 17:09:43.0953 3908 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/03/25 17:09:44.0750 3908 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/03/25 17:09:45.0375 3908 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/03/25 17:09:46.0656 3908 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/03/25 17:09:47.0625 3908 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
    2011/03/25 17:09:52.0375 3908 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/03/25 17:09:53.0093 3908 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/03/25 17:09:53.0906 3908 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/03/25 17:09:54.0796 3908 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/03/25 17:09:58.0390 3908 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/03/25 17:09:58.0968 3908 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/03/25 17:09:59.0828 3908 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/03/25 17:10:00.0437 3908 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/03/25 17:10:01.0312 3908 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/03/25 17:10:02.0218 3908 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/03/25 17:10:02.0968 3908 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/03/25 17:10:03.0968 3908 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/03/25 17:10:04.0953 3908 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/03/25 17:10:06.0765 3908 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
    2011/03/25 17:10:07.0390 3908 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
    2011/03/25 17:10:08.0375 3908 rspndr (0e11b35e972796042044bc27ce13b065) C:\WINDOWS\system32\DRIVERS\rspndr.sys
    2011/03/25 17:10:09.0343 3908 RT25USBAP (9c377dbf9d2d19098db935dc1e8361a3) C:\WINDOWS\system32\DRIVERS\rt25usbap.sys
    2011/03/25 17:10:11.0203 3908 RTL8192u (7068471ff5d85917fd693dfe0c7934be) C:\WINDOWS\system32\DRIVERS\RTL8192u.sys
    2011/03/25 17:10:12.0468 3908 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/03/25 17:10:13.0406 3908 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
    2011/03/25 17:10:14.0078 3908 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/03/25 17:10:16.0140 3908 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/03/25 17:10:17.0578 3908 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
    2011/03/25 17:10:17.0578 3908 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
    2011/03/25 17:10:17.0625 3908 sptd - detected Locked file (1)
    2011/03/25 17:10:18.0406 3908 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/03/25 17:10:20.0171 3908 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/03/25 17:10:21.0328 3908 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/03/25 17:10:22.0437 3908 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/03/25 17:10:25.0625 3908 SynTP (65adc25fe9659f93e0a3d7cbbbb6f4ad) C:\WINDOWS\system32\DRIVERS\SynTP.sys
    2011/03/25 17:10:25.0703 3908 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\SynTP.sys. Real md5: 65adc25fe9659f93e0a3d7cbbbb6f4ad, Fake md5: 76603675e5a452dca3c64289538d1682
    2011/03/25 17:10:25.0718 3908 SynTP - detected Forged file (1)
    2011/03/25 17:10:26.0359 3908 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/03/25 17:10:27.0187 3908 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/03/25 17:10:28.0000 3908 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/03/25 17:10:28.0609 3908 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/03/25 17:10:29.0296 3908 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/03/25 17:10:30.0125 3908 tifm21 (9179e07503630d6fb2e4162ff0196191) C:\WINDOWS\system32\drivers\tifm21.sys
    2011/03/25 17:10:30.0890 3908 tmcomm (df8444a8fa8fd38d8848bdd40a8403b3) C:\WINDOWS\system32\drivers\tmcomm.sys
    2011/03/25 17:10:32.0093 3908 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/03/25 17:10:33.0312 3908 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/03/25 17:10:34.0234 3908 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
    2011/03/25 17:10:34.0953 3908 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/03/25 17:10:35.0734 3908 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/03/25 17:10:36.0406 3908 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/03/25 17:10:37.0156 3908 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/03/25 17:10:37.0890 3908 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/03/25 17:10:38.0531 3908 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/03/25 17:10:39.0187 3908 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/03/25 17:10:39.0796 3908 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/03/25 17:10:41.0000 3908 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/03/25 17:10:41.0703 3908 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/03/25 17:10:42.0625 3908 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
    2011/03/25 17:10:43.0906 3908 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/03/25 17:10:44.0703 3908 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    2011/03/25 17:10:45.0421 3908 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/03/25 17:10:46.0187 3908 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/03/25 17:10:47.0140 3908 yukonwxp (c6d818bc783a3eaa974aa5046eb698c0) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
    2011/03/25 17:10:54.0500 3908 ================================================================================
    2011/03/25 17:10:54.0500 3908 Scan finished
    2011/03/25 17:10:54.0500 3908 ================================================================================
    2011/03/25 17:11:01.0062 1228 Detected object count: 3
    2011/03/25 17:11:45.0718 1228 Kbdclass (f16d3834fef230861d2292fdc5a292e6) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/03/25 17:11:45.0921 1228 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdclass.sys. Real md5: f16d3834fef230861d2292fdc5a292e6, Fake md5: 463c1ec80cd17420a542b7f36a36f128
    2011/03/25 17:13:30.0171 1228 Backup copy not found, trying to cure infected file..
    2011/03/25 17:13:30.0171 1228 Cure success, using it..
    2011/03/25 17:13:32.0312 1228 C:\WINDOWS\system32\DRIVERS\kbdclass.sys - will be cured after reboot
    2011/03/25 17:13:32.0312 1228 Rootkit.Win32.TDSS.tdl3(Kbdclass) - User select action: Cure
    2011/03/25 17:13:32.0328 1228 Locked file(sptd) - User select action: Skip
    2011/03/25 17:13:32.0328 1228 Forged file(SynTP) - User select action: Skip
    2011/03/25 17:13:51.0343 3860 Deinitialize success
     
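The interesting part of the log above is the pair of "Suspicious file (Forged)" lines: the tool hashed the same driver file twice and got two different MD5s, which means the file's content depends on how it is read, the tell-tale sign of a disk-level hook such as TDL3's. Below is an added example (not part of the thread and not Kaspersky's code) that parses the detection, count and user-action lines out of a TDSSKiller log and triages them; the sample input is constructed from the detection-related lines of the log posted above, and the `triage` priorities are my own assumption, not something the tool emits.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the detection-related lines copied from the TDSSKiller log
# posted in this thread (the uneventful per-driver lines are omitted).
SAMPLE_LOG = r"""
2011/03/25 17:09:11.0359 3908 Kbdclass (f16d3834fef230861d2292fdc5a292e6) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/03/25 17:09:11.0359 3908 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\kbdclass.sys. Real md5: f16d3834fef230861d2292fdc5a292e6, Fake md5: 463c1ec80cd17420a542b7f36a36f128
2011/03/25 17:09:11.0609 3908 Kbdclass - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/03/25 17:10:17.0578 3908 sptd (cdddec541bc3c96f91ecb48759673505) C:\WINDOWS\system32\Drivers\sptd.sys
2011/03/25 17:10:17.0578 3908 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/03/25 17:10:17.0625 3908 sptd - detected Locked file (1)
2011/03/25 17:10:25.0703 3908 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\SynTP.sys. Real md5: 65adc25fe9659f93e0a3d7cbbbb6f4ad, Fake md5: 76603675e5a452dca3c64289538d1682
2011/03/25 17:10:25.0718 3908 SynTP - detected Forged file (1)
2011/03/25 17:11:01.0062 1228 Detected object count: 3
2011/03/25 17:13:32.0312 1228 Rootkit.Win32.TDSS.tdl3(Kbdclass) - User select action: Cure
2011/03/25 17:13:32.0328 1228 Locked file(sptd) - User select action: Skip
2011/03/25 17:13:32.0328 1228 Forged file(SynTP) - User select action: Skip
"""

# Every TDSSKiller line is "<date> <time> <pid> <message>"; we only care about <message>.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<pid>\d+)\s+(?P<msg>.*)$")
FORGED_RE = re.compile(r"^Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
NOACCESS_RE = re.compile(r"^Suspicious file \(NoAccess\): (?P<path>.+?)\. md5: (?P<md5>[0-9a-f]{32})$")
DETECTED_RE = re.compile(r"^(?P<name>\S+) - detected (?P<verdict>.+) \(\d+\)$")
ACTION_RE = re.compile(r"^(?P<verdict>.+)\((?P<name>[^()]+)\) - User select action: (?P<action>\w+)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")


@dataclass
class Finding:
    name: str                         # service/driver name as TDSSKiller reports it
    verdict: str                      # e.g. Rootkit.Win32.TDSS.tdl3, Forged file, Locked file
    path: Optional[str] = None
    real_md5: Optional[str] = None    # hashes exactly as the tool labels them
    fake_md5: Optional[str] = None
    action: Optional[str] = None      # what the user chose: Cure / Skip / ...

    @property
    def hash_mismatch(self) -> bool:
        # "Forged" means the same file hashed differently depending on the read path;
        # that mismatch, not the hash values themselves, is the indicator.
        return bool(self.real_md5 and self.fake_md5 and self.real_md5 != self.fake_md5)


def parse_tdsskiller(text: str) -> Dict[str, object]:
    """Return {"findings": [Finding...], "declared_count": int or None}."""
    findings: Dict[str, Finding] = {}
    pending: Dict[str, str] = {}      # last "Suspicious file" line, attached to the next "detected"
    declared: Optional[int] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if (f := FORGED_RE.match(msg)):
            pending = {"path": f["path"], "real_md5": f["real"], "fake_md5": f["fake"]}
        elif (n := NOACCESS_RE.match(msg)):
            pending = {"path": n["path"], "real_md5": n["md5"]}
        elif (d := DETECTED_RE.match(msg)):
            findings[d["name"]] = Finding(name=d["name"], verdict=d["verdict"], **pending)
            pending = {}
        elif (a := ACTION_RE.match(msg)):
            if a["name"] in findings:
                findings[a["name"]].action = a["action"]
        elif (c := COUNT_RE.match(msg)):
            declared = int(c["n"])
    return {"findings": list(findings.values()), "declared_count": declared}


def triage(f: Finding) -> str:
    """Assumed responder priority for a finding (my convention, not the tool's)."""
    if f.verdict.startswith("Rootkit."):
        return "critical"      # named rootkit family: cure, reboot, then re-scan
    if f.verdict == "Forged file":
        return "investigate"   # hash mismatch with no family name: verify the file
    if f.verdict == "Locked file":
        return "review"        # the tool could not read it; find out what locks it
    return "unknown"


def count_consistent(result: Dict[str, object]) -> bool:
    """True when the tool's own 'Detected object count' matches what was parsed."""
    return result["declared_count"] == len(result["findings"])  # type: ignore[arg-type]


def summarize(text: str) -> List[str]:
    result = parse_tdsskiller(text)
    lines = [f"{f.name}: {f.verdict} [{triage(f)}] action={f.action} mismatch={f.hash_mismatch}"
             for f in result["findings"]]  # type: ignore[union-attr]
    lines.append(f"declared count consistent: {count_consistent(result)}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

The parser relies on the log being sequential: each "Suspicious file" line is immediately followed by the "- detected" line for the same object, so it is attached to the next detection rather than matched by file name (service names and file names differ for many drivers, e.g. `ialm` and `ialmnt5.sys` in the log above). A "Locked file" verdict only says the tool could not read the file; it is not by itself evidence of infection, which is why it gets the lowest priority here.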
  21. 2011/03/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
