
[Solved] Cannot access Windows Update or Microsoft support web sites

Discussion in 'Malware and Virus Removal Archive' started by MOUNTAINBIKER, 2011/03/21.

  1. 2011/03/21
    MOUNTAINBIKER


    I cannot access any Microsoft website; however, all other Internet sites work just fine. When the problem occurred I ran a full scan with Panda Internet Security 2011 and it found nothing. Then I ran HiJackThis with the same result. It should be noted that when I ran MBAM per forum instructions my system would not reboot until I selected "boot with last known good config."
    Here are the requested log files:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6110

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    3/20/2011 10:23:58 PM
    mbam-log-2011-03-20 (22-23-58).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 408305
    Time elapsed: 2 hour(s), 39 minute(s), 50 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\program files\usb-flash driver\stopjupc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\program files\GIMP-2.2\lib\gimp\2.0\plug-ins\autostretch_hsv.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8dd72f0-7822-48b5-b684-b21b7aa73b80}\RP1164\A0209612.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{f8dd72f0-7822-48b5-b684-b21b7aa73b80}\RP1164\A0209613.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit scan 2011-03-20 22:58:04
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD800BB-00FRA0 rev.77.07W77
    Running: jtu3y4p1.exe; Driver: C:\DOCUME~1\RICHAR~1.WIN\LOCALS~1\Temp\uxtdqpog.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\WINDOWS\system32\DRIVERS\PavProc.sys (Panda Protection driver/Panda Security, S.L.) ZwTerminateProcess [0xB88404FE]

    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF59D1B8D]
    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF1441360, 0x1DE5ED, 0xE8000020]
    ? C:\WINDOWS\system32\PavTPK.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Java\jre6\bin\jqs.exe[252] WS2_32.dll!sendto 71AB2F51 6 Bytes JMP 5F100F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[252] WS2_32.dll!recvfrom 71AB2FF7 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[252] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F220F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[252] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[252] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F0D0F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[252] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F160F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[252] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F070F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[252] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F1C0F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[252] WS2_32.dll!WSARecvFrom 71ABF66A 6 Bytes JMP 5F190F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[252] WS2_32.dll!WSASendTo 71AC0AAD 6 Bytes JMP 5F1F0F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[252] WS2_32.dll!WSAConnect 71AC0C81 6 Bytes JMP 5F130F5A
    .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[704] WS2_32.dll!sendto 71AB2F51 6 Bytes JMP 5F100F5A
    .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[704] WS2_32.dll!recvfrom 71AB2FF7 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[704] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F220F5A
    .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[704] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F040F5A
    .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[704] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F0D0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[704] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F160F5A
    .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[704] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F070F5A
    .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[704] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F1C0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[704] WS2_32.dll!WSARecvFrom 71ABF66A 6 Bytes JMP 5F190F5A
    .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[704] WS2_32.dll!WSASendTo 71AC0AAD 6 Bytes JMP 5F1F0F5A
    .text C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe[704] WS2_32.dll!WSAConnect 71AC0C81 6 Bytes JMP 5F130F5A
    .text C:\Program Files\DNA\btdna.exe[2752] WS2_32.dll!sendto 71AB2F51 6 Bytes JMP 5F100F5A
    .text C:\Program Files\DNA\btdna.exe[2752] WS2_32.dll!recvfrom 71AB2FF7 6 Bytes JMP 5F0A0F5A
    .text C:\Program Files\DNA\btdna.exe[2752] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F220F5A
    .text C:\Program Files\DNA\btdna.exe[2752] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F040F5A
    .text C:\Program Files\DNA\btdna.exe[2752] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F0D0F5A
    .text C:\Program Files\DNA\btdna.exe[2752] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F160F5A
    .text C:\Program Files\DNA\btdna.exe[2752] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F070F5A
    .text C:\Program Files\DNA\btdna.exe[2752] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F1C0F5A
    .text C:\Program Files\DNA\btdna.exe[2752] WS2_32.dll!WSARecvFrom 71ABF66A 6 Bytes JMP 5F190F5A
    .text C:\Program Files\DNA\btdna.exe[2752] WS2_32.dll!WSASendTo 71AC0AAD 6 Bytes JMP 5F1F0F5A
    .text C:\Program Files\DNA\btdna.exe[2752] WS2_32.dll!WSAConnect 71AC0C81 6 Bytes JMP 5F130F5A
    .text C:\WINDOWS\Explorer.EXE[2852] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01640001
    .text C:\WINDOWS\Explorer.EXE[2852] WS2_32.dll!sendto 71AB2F51 6 Bytes JMP 5F100F5A
    .text C:\WINDOWS\Explorer.EXE[2852] WS2_32.dll!recvfrom 71AB2FF7 6 Bytes JMP 5F0A0F5A
    .text C:\WINDOWS\Explorer.EXE[2852] WS2_32.dll!closesocket 71AB3E2B 6 Bytes JMP 5F220F5A
    .text C:\WINDOWS\Explorer.EXE[2852] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 5F040F5A
    .text C:\WINDOWS\Explorer.EXE[2852] WS2_32.dll!send 71AB4C27 6 Bytes JMP 5F0D0F5A
    .text C:\WINDOWS\Explorer.EXE[2852] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes JMP 5F160F5A
    .text C:\WINDOWS\Explorer.EXE[2852] WS2_32.dll!recv 71AB676F 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\Explorer.EXE[2852] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 5F1C0F5A
    .text C:\WINDOWS\Explorer.EXE[2852] WS2_32.dll!WSARecvFrom 71ABF66A 6 Bytes JMP 5F190F5A
    .text C:\WINDOWS\Explorer.EXE[2852] WS2_32.dll!WSASendTo 71AC0AAD 6 Bytes JMP 5F1F0F5A
    .text C:\WINDOWS\Explorer.EXE[2852] WS2_32.dll!WSAConnect 71AC0C81 6 Bytes JMP 5F130F5A

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs ShlDrv51.sys (PandaShield driver/Panda Security, S.L.)
    Device \FileSystem\Fastfat \FatCdrom ShlDrv51.sys (PandaShield driver/Panda Security, S.L.)

    AttachedDevice \Driver\Tcpip \Device\Ip NETFLTDI.SYS (Panda TDI Filter/Panda Security, S.L.)
    AttachedDevice \Driver\Tcpip \Device\Tcp NETFLTDI.SYS (Panda TDI Filter/Panda Security, S.L.)

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8337F27F
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8337F27F
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 8337F27F
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-18 8337F27F
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-20 8337F27F

    AttachedDevice \Driver\Tcpip \Device\Udp NETFLTDI.SYS (Panda TDI Filter/Panda Security, S.L.)
    AttachedDevice \Driver\Tcpip \Device\RawIp NETFLTDI.SYS (Panda TDI Filter/Panda Security, S.L.)

    Device \FileSystem\Fastfat \Fat ShlDrv51.sys (PandaShield driver/Panda Security, S.L.)

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskWDC_WD800BB-00FRA0______________________77.07W77#4457572d414d444a373133363837_035_0_0_0_0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- EOF - GMER 1.0.15 ----

    MBRCheck, version 1.2.3
    (c) 2010, AD


    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000047d

    Kernel Drivers (total 136):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EF000 \WINDOWS\system32\hal.dll
    0x8336C000 \WINDOWS\system32\KDCOM.DLL
    0xF8A0A000 \WINDOWS\system32\BOOTVID.dll
    0xF85A7000 ACPI.sys
    0xF8AF6000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF8596000 pci.sys
    0xF85F6000 isapnp.sys
    0xF8BBE000 pciide.sys
    0xF8876000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xF8AF8000 viaide.sys
    0xF8606000 MountMgr.sys
    0xF8577000 ftdisk.sys
    0xF8AFA000 dmload.sys
    0xF8551000 dmio.sys
    0xF887E000 PartMgr.sys
    0xF8616000 pavboot.sys
    0xF8626000 VolSnap.sys
    0xF8539000 atapi.sys
    0xF8636000 disk.sys
    0xF8646000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xF8519000 fltmgr.sys
    0xF8507000 sr.sys
    0xF8656000 PxHelp20.sys
    0xF84E3000 Fastfat.sys
    0xF84CC000 KSecDD.sys
    0xF849F000 NDIS.sys
    0xF8A0E000 nv_agp.sys
    0xF8485000 Mup.sys
    0xF8886000 amdagpxp.sys
    0xF59D9000 \SystemRoot\System32\DRIVERS\amdk7.sys
    0xF2562000 \SystemRoot\System32\DRIVERS\usbohci.sys
    0xF17AD000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xF255A000 \SystemRoot\System32\DRIVERS\usbehci.sys
    0xF1799000 \SystemRoot\system32\DRIVERS\NVENET.sys
    0xF59C9000 \SystemRoot\system32\drivers\nvax.sys
    0xF2552000 \SystemRoot\System32\DRIVERS\DM9PCI5.SYS
    0xF59B9000 \SystemRoot\System32\DRIVERS\imapi.sys
    0xF59A9000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xF5999000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xF1776000 \SystemRoot\System32\DRIVERS\ks.sys
    0xF1441000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xF142D000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF254A000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xF5989000 \SystemRoot\system32\DRIVERS\serial.sys
    0xF8420000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xF1419000 \SystemRoot\System32\DRIVERS\parport.sys
    0xF5979000 \SystemRoot\System32\DRIVERS\i8042prt.sys
    0xF2542000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xF39DB000 \SystemRoot\system32\drivers\msmpu401.sys
    0xF13F5000 \SystemRoot\system32\drivers\portcls.sys
    0xF1CB0000 \SystemRoot\system32\drivers\drmk.sys
    0xF841C000 \SystemRoot\System32\DRIVERS\gameenum.sys
    0xF1CA0000 \SystemRoot\system32\DRIVERS\jswscimd.sys
    0xF39DA000 \SystemRoot\System32\DRIVERS\audstub.sys
    0xF1C90000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xF8A86000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xF133E000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xF1C80000 \SystemRoot\System32\DRIVERS\raspppoe.sys
    0xF1C70000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xF1D5D000 \SystemRoot\System32\DRIVERS\TDI.SYS
    0xF1D55000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xF1D4D000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xF12BE000 \SystemRoot\system32\DRIVERS\neti1642.sys
    0xF128E000 \SystemRoot\System32\DRIVERS\rdpdr.sys
    0xF1C60000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xF1D45000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xF8B54000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xF1230000 \SystemRoot\System32\DRIVERS\update.sys
    0xF6E12000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xF1C50000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xF8B56000 \SystemRoot\System32\DRIVERS\USBD.SYS
    0xF1C40000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF1144000 \SystemRoot\System32\drivers\dmboot.sys
    0xEDC4F000 \SystemRoot\system32\drivers\nvapu.sys
    0xEDB64000 \SystemRoot\system32\drivers\nvmcp.sys
    0xEDB53000 \SystemRoot\system32\drivers\nvarm.sys
    0xF8956000 \SystemRoot\System32\DRIVERS\flpydisk.sys
    0xF8B3E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xEE16F000 \SystemRoot\System32\Drivers\Null.SYS
    0xF8B40000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF8966000 \SystemRoot\System32\drivers\vga.sys
    0xF8B42000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF8B44000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF896E000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF8976000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xEEBC1000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xECA08000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xEE441000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xEC9AF000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xEC989000 \??\C:\WINDOWS\system32\Drivers\NETFLTDI.SYS
    0xEC961000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xEC93B000 \SystemRoot\System32\DRIVERS\ipnat.sys
    0xEC919000 \SystemRoot\System32\drivers\afd.sys
    0xEE431000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xEE421000 \??\C:\WINDOWS\system32\Drivers\WNMFLT.SYS
    0xF897E000 \SystemRoot\System32\DRIVERS\ShlDrv51.sys
    0xEC8EE000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xEC87E000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xEC850000 \??\C:\WINDOWS\system32\Drivers\IDSFLT.SYS
    0xEDFAD000 \??\C:\WINDOWS\system32\Drivers\fnetmon.SYS
    0xEE411000 \SystemRoot\System32\Drivers\Fips.SYS
    0xEE401000 \SystemRoot\System32\DRIVERS\wanarp.sys
    0xEE3E1000 \??\C:\WINDOWS\system32\Drivers\DSAFLT.SYS
    0xEC83F000 \??\C:\WINDOWS\system32\Drivers\APPFLT.SYS
    0xEC7B2000 \SystemRoot\System32\Drivers\Ntfs.SYS
    0xEE5E3000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xEE5DB000 \SystemRoot\System32\DRIVERS\USBSTOR.SYS
    0xF69C8000 \SystemRoot\System32\DRIVERS\hidusb.sys
    0xEE0A3000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
    0xEE5D3000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
    0xF69C4000 \SystemRoot\System32\DRIVERS\mouhid.sys
    0xF1C20000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xEC73B000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF8AFE000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF1220000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF5E37000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF5DEA000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xBF3CD000 \SystemRoot\System32\ATMFD.DLL
    0xF8816000 \SystemRoot\system32\DRIVERS\amm8651.sys
    0xF8AD6000 \SystemRoot\System32\DRIVERS\ndisuio.sys
    0xF87C6000 \??\C:\WINDOWS\system32\PavTPK.sys
    0xB8986000 \SystemRoot\System32\DRIVERS\mrxdav.sys
    0xF8B98000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xB88DE000 \SystemRoot\System32\DRIVERS\srv.sys
    0xB883F000 \??\C:\WINDOWS\system32\DRIVERS\PavProc.sys
    0xB7CBA000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB7D3F000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB7C6C000 \SystemRoot\system32\drivers\kmixer.sys
    0xB74FE000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB4FED000 \??\C:\DOCUME~1\RICHAR~1.WIN\LOCALS~1\Temp\uxtdqpog.sys
    0xB4F8E000 \SystemRoot\system32\DRIVERS\A5AGU.sys
    0x7C900000 \WINDOWS\System32\ntdll.dll

    Processes (total 43):
    0 System Idle Process
    4 System
    556 C:\WINDOWS\system32\SMSS.EXE
    1432 C:\WINDOWS\system32\csrss.exe
    1456 C:\WINDOWS\system32\winlogon.exe
    1500 C:\WINDOWS\system32\services.exe
    1520 C:\WINDOWS\system32\lsass.exe
    1668 C:\WINDOWS\system32\svchost.exe
    1768 C:\WINDOWS\system32\svchost.exe
    1808 C:\WINDOWS\system32\svchost.exe
    1832 C:\Program Files\Panda Security\Panda Internet Security 2011\TPSrv.exe
    1912 C:\WINDOWS\system32\svchost.exe
    112 C:\WINDOWS\system32\svchost.exe
    360 C:\Program Files\Panda Security\Panda Internet Security 2011\WebProxy.exe
    1056 C:\WINDOWS\system32\spoolsv.exe
    148 C:\WINDOWS\system32\svchost.exe
    704 C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
    252 C:\Program Files\Java\jre6\bin\jqs.exe
    900 C:\WINDOWS\system32\nvsvc32.exe
    1244 C:\Program Files\Panda Security\Panda Internet Security 2011\PsCtrlS.exe
    948 C:\Program Files\Panda Security\Panda Internet Security 2011\PavFnSvr.exe
    848 C:\Program Files\Common Files\Panda Security\PavShld\PavPrSrv.exe
    1360 C:\Program Files\Panda Security\Panda Internet Security 2011\firewall\PSHost.exe
    1280 C:\Program Files\Panda Security\Panda Internet Security 2011\PsImSvc.exe
    1896 C:\Program Files\Panda Security\Panda Internet Security 2011\PskSvc.exe
    1240 C:\Program Files\Panda Security\Panda Internet Security 2011\pavsrvx86.exe
    236 C:\Program Files\Panda Security\Panda Internet Security 2011\AVENGINE.EXE
    2852 C:\WINDOWS\EXPLORER.EXE
    2832 C:\WINDOWS\system32\ALG.EXE
    3900 C:\WINDOWS\system32\JupitCo.exe
    540 C:\WINDOWS\system32\svchost.exe
    3584 C:\WINDOWS\system32\qttask.exe
    3640 C:\WINDOWS\Logi_MwX.Exe
    1272 C:\WINDOWS\Mixer.exe
    2340 C:\Program Files\Eraser\eraser.exe
    2528 C:\WINDOWS\system32\ctfmon.exe
    2752 C:\Program Files\DNA\btdna.exe
    2264 C:\Program Files\Panda Security\Panda Internet Security 2011\PavBckPT.exe
    3156 C:\Program Files\Panda Security\Panda Internet Security 2011\ApVxdWin.exe
    680 C:\Program Files\Panda Security\Panda Internet Security 2011\SrvLoad.exe
    3208 C:\Program Files\Mozilla Firefox\FIREFOX.EXE
    616 C:\Program Files\Mozilla Firefox\plugin-container.exe
    3488 C:\Documents and Settings\Richard M. Winkler\My Documents\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)
    \\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
    \\.\G: --> \\.\PhysicalDrive3 at offset 0x00000000`00007e00 (FAT32)
    \\.\K: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD800BB-00FRA0, Rev: 77.07W77
    PhysicalDrive1 Model Number: WDCWD1200JB-00GVA0, Rev: 08.02D08
    PhysicalDrive3 Model Number: WDMy Book, Rev: 1028
    PhysicalDrive2 Model Number: Maxtor 6Y120P0, Rev: 1BW0

    Size Device Name MBR Status
    --------------------------------------------
    74 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: D50BAA72C6EF1A9112B57C99EE15975514C2D79E
    111 GB \\.\PhysicalDrive1 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    931 GB \\.\PhysicalDrive3 RE: Western Digital MBR code detected
    SHA1: CCCF1B32EE08ECFB66B30883CFF6110F69219FEA
    114 GB \\.\PhysicalDrive2 RE: Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!

    DDS LOG
    DDS (Ver_11-03-05.01) - FAT32x86
    Run by Richard M. Winkler at 23:28:46.64 on Sun 03/20/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.138 [GMT -7:00]
    .
    AV: Panda Internet Security 2011 *Enabled/Updated* {4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0}
    FW: Panda Personal Firewall 2011 *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\Program Files\Panda Security\Panda Internet Security 2011\TPSrv.exe
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    C:\WINDOWS\System32\svchost.exe -k LocalService
    C:\PROGRAM FILES\PANDA SECURITY\PANDA INTERNET SECURITY 2011\WebProxy.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Panda Security\Panda Internet Security 2011\PsCtrls.exe
    C:\Program Files\Panda Security\Panda Internet Security 2011\PavFnSvr.exe
    C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
    c:\program files\panda security\panda internet security 2011\firewall\PSHOST.EXE
    C:\Program Files\Panda Security\Panda Internet Security 2011\PsImSvc.exe
    C:\Program Files\Panda Security\Panda Internet Security 2011\PskSvc.exe
    C:\Program Files\Panda Security\Panda Internet Security 2011\pavsrvx86.exe
    C:\Program Files\Panda Security\Panda Internet Security 2011\AVENGINE.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\JupitCo.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\WINDOWS\SYSTEM32\qttask.exe
    C:\WINDOWS\Logi_MwX.Exe
    C:\WINDOWS\Mixer.exe
    C:\Program Files\Eraser\eraser.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\Panda Security\Panda Internet Security 2011\PavBckPT.exe
    C:\Program Files\Panda Security\Panda Internet Security 2011\apvxdwin.exe
    C:\Program Files\Panda Security\Panda Internet Security 2011\SRVLOAD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\Richard M. Winkler\My Documents\Downloads\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [Eraser] c:\program files\eraser\eraser.exe -hide
    uRun: [OM2_Monitor] "c:\program files\olympus\olympus master 2\MMonitor.exe" -NoStart
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe "
    mRun: [USB SECURITY DEVICE CoInstaller] JupitCo.exe
    mRun: [Cyber] c:\program files\belkin\cyberChk.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\nvcpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
    mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
    mRun: [APVXDWIN] "c:\program files\panda security\panda internet security 2011\APVXDWIN.EXE" /s
    mRun: [SCANINICIO] "c:\program files\panda security\panda internet security 2011\Inicio.exe "
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    mRun: [QuickTime Task] "c:\windows\system32\qttask.exe" -atboottime
    mRun: [Logitech Utility] Logi_MwX.Exe
    mRun: [C-Media Mixer] Mixer.exe /startup
    mRun: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    mPolicies-explorer: UseDesktopIniCache = 1 (0x1)
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
    Trusted Zone: keplers.com\menlopark
    DPF: DirectAnimation Java Classes - file://c:\windows\system\dajava.cab
    DPF: Internet Explorer Classes for Java - file://c:\windows\system\iejava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: Win32 Classes
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1239565591640
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} - hxxp://www.pandasoftware.com/ActiveScanpro/as5/ASPROinst.cab
    Notify: avldr - avldr.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\progra~1\outloo~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
    mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "c:\progra~1\outloo~1\setup50.exe" /app:oe /caller:win9x /user /install - "c:\progra~1\outloo~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install
    mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\progra~1\outloo~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
    mASetup: {7790769C-0471-11d2-AF11-00C04FA35D02} - "c:\progra~1\outloo~1\setup50.exe" /app:wab /caller:win9x /user /install - "c:\progra~1\outloo~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
    mASetup: {9EF0045A-CDD9-438e-95E6-02B9AFEC8E11} - c:\windows\system32\updcrl.exe -e -u c:\windows\system\verisignpub1.crl
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\richar~1.win\applic~1\mozilla\firefox\profiles\yona0dqz.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\documents and settings\richard m. winkler\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Shop to Win: {5835466c-49af-4cbe-b102-a8c8b6313749} - %profile%\extensions\{5835466c-49af-4cbe-b102-a8c8b6313749}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 amdagpxp;AMD NB AGP Bus Filter;c:\windows\system32\drivers\amdagpxp.sys [2005-5-10 27776]
    R0 pavboot;Panda boot driver;c:\windows\system32\drivers\pavboot.sys [2010-9-22 26696]
    R1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [2010-9-22 76296]
    R1 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [2010-9-22 53256]
    R1 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [2010-9-22 22024]
    R1 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [2010-9-22 193800]
    R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [2010-9-22 159112]
    R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [2010-9-22 37896]
    R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\drivers\wnmflt.sys [2010-9-22 46856]
    R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
    R2 AmFSM;AmFSM;c:\windows\system32\drivers\amm8651.sys [2010-9-22 59080]
    R2 Panda Software Controller;Panda Software Controller;c:\program files\panda security\panda internet security 2011\PsCtrlS.exe [2010-9-22 173312]
    R2 PAVFNSVR;Panda Function Service;c:\program files\panda security\panda internet security 2011\PavFnSvr.exe [2010-9-22 202048]
    R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [2010-9-22 163336]
    R2 PavPrSrv;Panda Process Protection Service;c:\program files\common files\panda security\pavshld\PavPrSrv.exe [2010-9-22 62768]
    R2 PAVSRV;Panda On-Access Anti-Malware Service;c:\program files\panda security\panda internet security 2011\pavsrvx86.exe [2010-9-22 314176]
    R2 PskSvcRetail;Panda PSK service;c:\program files\panda security\panda internet security 2011\psksvc.exe [2010-9-22 28992]
    R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2006-5-8 386784]
    R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2009-4-12 57440]
    R3 NETIMFLT01060042;PANDA NDIS IM Filter Miniport v1.6.0.42;c:\windows\system32\drivers\neti1642.sys [2010-9-22 199688]
    R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\pavtpk.sys --> c:\windows\system32\PavTPK.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-7-26 312152]
    S2 JUPITER;USB SECURITY DEVICE;c:\windows\system32\drivers\Jupiter.sys [2004-4-24 9312]
    S3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys [2007-5-17 5632]
    S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\d-link\rangebooster g wua-2340\jswutil\jswpsapi.exe [2009-4-12 356434]
    S3 naecd;naecd;\??\c:\docume~1\richar~1.win\locals~1\temp\naecd.sys --> c:\docume~1\richar~1.win\locals~1\temp\naecd.sys [?]
    S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\rkpavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
    S3 RkPavproc2;RkPavproc2;\??\c:\windows\system32\drivers\rkpavproc2.sys --> c:\windows\system32\drivers\RkPavproc2.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S3 ZD1201U(ZyDAS);ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB)(ZyDAS);c:\windows\system32\drivers\zd1201u.sys --> c:\windows\system32\drivers\zd1201u.sys [?]
    S3 ZD1201U;TwinMOS Netkey Wireless LAN Driver (USB);c:\windows\system32\drivers\zd1201u.sys --> c:\windows\system32\drivers\zd1201u.sys [?]
    S3 ZDNDIS5;ZDNDIS5 NDIS Protocol Driver;c:\windows\system32\ZDNDIS5.sys [2005-1-28 16157]
    .
    =============== File Associations ===============
    .
    JSEFile=c:\progra~1\pandas~1\pandai~1\PAVSCRIP.EXE "%1" %*
    VBEFile=c:\progra~1\pandas~1\pandai~1\PAVSCRIP.EXE "%1" %*
    VBSFile=c:\progra~1\pandas~1\pandai~1\PAVSCRIP.EXE "%1" %*
    .
    =============== Created Last 30 ================
    .
    2011-03-21 05:24:51 54016 ----a-w- c:\windows\system32\drivers\ymflrn.sys
    2011-03-20 06:27:31 54016 ----a-w- c:\windows\system32\drivers\wnmokgl.sys
    2011-03-20 06:21:34 -------- d-----w- c:\docume~1\richar~1.win\applic~1\Malwarebytes
    2011-03-20 06:21:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-20 06:21:25 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-03-20 06:21:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-20 06:21:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-19 19:55:07 -------- d--h--w- c:\windows\ie8
    2011-03-19 18:16:28 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-03-19 18:16:28 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-03-19 18:15:52 -------- d-sh--w- C:\FOUND.000
    2011-02-27 19:00:53 -------- d-----w- c:\docume~1\richar~1.win\locals~1\applic~1\Opera
    .
    ==================== Find3M ====================
    .
    2011-02-09 12:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 12:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 06:58:36 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 10:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 13:44:38 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 13:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 12:10:34 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 11:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD800BB-00FRA0 rev.77.07W77 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8337F439]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x833857d0]; MOV EAX, [0x8338584c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8335EAB8]
    3 CLASSPNP[0xF8646FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\0000006e[0x83311460]
    5 ACPI[0xF85AD620] -> nt!IofCallDriver[0x804E37D5] -> [0x83395940]
    \Driver\atapi[0x83396C50] -> IRP_MJ_CREATE -> 0x8337F439
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskWDC_WD800BB-00FRA0______________________77.07W77#4457572d414d444a373133363837_035_0_0_0_0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8337F27F
    user != kernel MBR !!!
    sectors 156301486 (+255): user != kernel
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
    .
    ============= FINISH: 23:48:19.68 ===============

    The Attach.txt file will not fit into this post and I can find nothing on this screen that allows me to attach a zip file. I will enter it in a second post.
     
  2. 2011/03/21
    MOUNTAINBIKER

    MOUNTAINBIKER Inactive Thread Starter

    Joined:
    2011/03/20
    Messages:
    21
    Likes Received:
    0
    the attach.txt file

    Here is the attach.txt file that would not fit in my first post:

    DDS (Ver_11-03-05.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 8/18/2005 2:53:13 PM
    System Uptime: 3/20/2011 10:27:30 PM (1 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | A7N8X-X
    Processor: AMD Athlon(tm) XP 2400+ | Socket A | 1996/133mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (FAT32) - 75 GiB total, 17.615 GiB free.
    D: is CDROM (CDFS)
    E: is CDROM (CDFS)
    F: is FIXED (NTFS) - 112 GiB total, 103.967 GiB free.
    G: is FIXED (FAT32) - 931 GiB total, 540.008 GiB free.
    K: is FIXED (NTFS) - 114 GiB total, 109.513 GiB free.
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1082: 12/21/2010 12:10:05 AM - System Checkpoint
    RP1083: 12/23/2010 3:00:44 AM - System Checkpoint
    RP1084: 12/24/2010 3:29:27 AM - System Checkpoint
    RP1085: 12/25/2010 4:15:49 AM - System Checkpoint
    RP1086: 12/26/2010 5:10:08 AM - System Checkpoint
    RP1087: 12/27/2010 11:14:21 AM - System Checkpoint
    RP1088: 12/28/2010 3:11:02 PM - System Checkpoint
    RP1089: 12/29/2010 4:39:12 PM - System Checkpoint
    RP1090: 12/30/2010 4:43:41 PM - System Checkpoint
    RP1091: 12/31/2010 4:45:13 PM - System Checkpoint
    RP1092: 1/1/2011 5:13:47 PM - System Checkpoint
    RP1093: 1/2/2011 5:44:33 PM - System Checkpoint
    RP1094: 1/3/2011 6:19:10 PM - System Checkpoint
    RP1095: 1/4/2011 7:04:00 PM - System Checkpoint
    RP1096: 1/5/2011 7:23:39 PM - System Checkpoint
    RP1097: 1/6/2011 9:01:22 PM - System Checkpoint
    RP1098: 1/7/2011 9:11:56 PM - System Checkpoint
    RP1099: 1/8/2011 11:09:45 PM - System Checkpoint
    RP1100: 1/9/2011 11:10:58 PM - System Checkpoint
    RP1101: 1/10/2011 11:44:41 PM - System Checkpoint
    RP1102: 1/11/2011 11:00:59 PM - Software Distribution Service 3.0
    RP1103: 1/12/2011 7:51:09 PM - Removed Bonjour
    RP1104: 1/13/2011 7:56:52 PM - System Checkpoint
    RP1105: 1/15/2011 12:22:45 AM - System Checkpoint
    RP1106: 1/16/2011 3:28:59 AM - System Checkpoint
    RP1107: 1/17/2011 10:49:53 AM - System Checkpoint
    RP1108: 1/18/2011 4:47:08 PM - System Checkpoint
    RP1109: 1/19/2011 5:39:33 PM - System Checkpoint
    RP1110: 1/20/2011 6:09:09 PM - System Checkpoint
    RP1111: 1/21/2011 6:18:16 PM - System Checkpoint
    RP1112: 1/22/2011 7:52:04 PM - System Checkpoint
    RP1113: 1/23/2011 9:50:45 PM - System Checkpoint
    RP1114: 1/24/2011 10:08:18 PM - System Checkpoint
    RP1115: 1/26/2011 4:43:40 PM - System Checkpoint
    RP1116: 1/27/2011 5:19:14 PM - System Checkpoint
    RP1117: 1/28/2011 5:52:37 PM - System Checkpoint
    RP1118: 1/29/2011 5:57:04 PM - System Checkpoint
    RP1119: 1/30/2011 6:28:26 PM - System Checkpoint
    RP1120: 1/31/2011 7:10:41 PM - System Checkpoint
    RP1121: 2/1/2011 7:31:51 PM - System Checkpoint
    RP1122: 2/2/2011 8:38:43 PM - System Checkpoint
    RP1123: 2/3/2011 8:45:37 PM - System Checkpoint
    RP1124: 2/4/2011 9:32:02 PM - System Checkpoint
    RP1125: 2/5/2011 9:39:10 PM - System Checkpoint
    RP1126: 2/6/2011 10:34:45 PM - System Checkpoint
    RP1127: 2/8/2011 6:31:33 PM - System Checkpoint
    RP1128: 2/9/2011 9:12:36 AM - Software Distribution Service 3.0
    RP1129: 2/10/2011 9:25:17 AM - System Checkpoint
    RP1130: 2/11/2011 10:17:03 AM - System Checkpoint
    RP1131: 2/12/2011 10:58:57 AM - System Checkpoint
    RP1132: 2/13/2011 1:57:28 PM - System Checkpoint
    RP1133: 2/14/2011 1:57:56 PM - System Checkpoint
    RP1134: 2/15/2011 8:06:44 PM - System Checkpoint
    RP1135: 2/16/2011 8:27:39 PM - System Checkpoint
    RP1136: 2/17/2011 8:42:30 PM - System Checkpoint
    RP1137: 2/18/2011 11:35:59 PM - System Checkpoint
    RP1138: 2/20/2011 10:11:44 AM - System Checkpoint
    RP1139: 2/21/2011 11:18:50 AM - System Checkpoint
    RP1140: 2/22/2011 11:32:28 AM - System Checkpoint
    RP1141: 2/23/2011 4:42:16 PM - System Checkpoint
    RP1142: 2/24/2011 5:11:23 PM - System Checkpoint
    RP1143: 2/25/2011 5:12:14 PM - System Checkpoint
    RP1144: 2/26/2011 5:41:43 PM - System Checkpoint
    RP1145: 2/27/2011 7:59:56 PM - System Checkpoint
    RP1146: 2/28/2011 9:48:20 PM - System Checkpoint
    RP1147: 3/1/2011 11:28:43 PM - System Checkpoint
    RP1148: 3/3/2011 10:40:08 AM - System Checkpoint
    RP1149: 3/4/2011 11:35:57 AM - System Checkpoint
    RP1150: 3/5/2011 12:36:01 PM - System Checkpoint
    RP1151: 3/6/2011 1:31:03 PM - System Checkpoint
    RP1152: 3/7/2011 2:32:53 PM - System Checkpoint
    RP1153: 3/8/2011 3:06:57 PM - System Checkpoint
    RP1154: 3/9/2011 12:02:41 AM - Software Distribution Service 3.0
    RP1155: 3/10/2011 11:02:52 AM - System Checkpoint
    RP1156: 3/11/2011 1:04:27 PM - System Checkpoint
    RP1157: 3/12/2011 1:49:45 PM - System Checkpoint
    RP1158: 3/13/2011 3:00:52 PM - System Checkpoint
    RP1159: 3/14/2011 4:31:49 PM - System Checkpoint
    RP1160: 3/15/2011 4:32:59 PM - System Checkpoint
    RP1161: 3/16/2011 8:08:10 PM - System Checkpoint
    RP1162: 3/17/2011 10:40:18 AM - Software Distribution Service 3.0
    RP1163: 3/18/2011 10:45:16 AM - System Checkpoint
    RP1164: 3/19/2011 10:55:30 AM - Restore Operation
    RP1165: 3/19/2011 11:11:57 AM - Restore Operation
    RP1166: 3/19/2011 12:49:11 PM - Software Distribution Service 3.0
    RP1167: 3/19/2011 1:24:01 PM - Software Distribution Service 3.0
    RP1168: 3/19/2011 3:55:58 PM - Installed Microsoft Fix it 50195
    RP1169: 3/19/2011 11:50:48 PM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    .
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Photoshop 7.0
    Adobe Photoshop Elements 7.0
    Adobe Photoshop.com Inspiration Browser
    Adobe Reader 9.4.2
    AMD AGP Driver
    Apple Application Support
    Apple Software Update
    Autodesk DWF Viewer
    Avanquest update
    Bink and Smacker
    BitTorrent
    Compatibility Pack for the 2007 Office system
    Corel Uninstaller
    CyberClean CD Laser Lens Cleaner
    DDS Converter 2.1
    DDS Thumbnail Viewer
    DivX Converter
    DivX Plus DirectShow Filters
    DivX Setup
    DivX Version Checker
    DivX Web Player
    DNA
    DSAbstraction Siegelet 0.997
    Dungeon Siege 2
    Dungeon Siege 2 Broken World
    Dungeon Siege II Tool Kit 1.0
    Dungeon Siege Legends of Aranna
    Dungeon Siege Legends of Aranna Bonus Pack
    Dungeon Siege Tool Kit
    Elys DS2 Succubus Manager
    Eraser
    FastStone Photo Resizer 2.9
    Free File Opener version 2011.6.0
    Free Solitaire 3D 5.01
    Generic USB Mass Storage Patch Driver
    Google Chrome
    GTK+ 2.6.4 runtime environment
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP DeskJet 640C Series (Remove only)
    HP PhotoSmart Photo Printing Software
    InterVideo WinDVD
    IObit Security 360
    IrfanView (remove only)
    J2SE Runtime Environment 5.0 Update 9
    Java Auto Updater
    Java(TM) 6 Update 22
    Jigs@w Puzzle 2
    JPGVideo 1.05.0.0
    KDiff3 (remove only)
    Logitech Desktop Messenger
    Logitech MouseWare 9.76
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Data Access Components KB870669
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Basic Edition 2003
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Windows Journal Viewer
    Microsoft Works 4.5
    Microsoft Works Calendar 1.0
    Microsoft Works Setup Launcher
    Mozilla Firefox (3.6.15)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MyDeluxeInvoices & Estimates
    MyProfessionalBusinessCards
    MySoftware Fonts
    NVIDIA DDS Utilities
    NVIDIA Drivers
    NVIDIA Photoshop Plug-ins
    NVIDIA Windows 2000/XP nForce Drivers
    OLYMPUS Master 2
    Opera 11.01
    Panda Internet Security 2011
    Panda Secure Vault 5
    PCI Audio Driver
    PhotoshopdotcomInspirationBrowser
    PlayFKiSS
    QuickTime
    RangeBooster G WUA-2340
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Septerra Core
    The GIMP 2.2.4
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Windows (KB971513)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    USB-Flash Driver
    v1.20
    VC80CRTRedist - 8.0.50727.4053
    VIA PCI IRQ Routing Miniport Driver - V1.3A
    VideoLAN VLC media player 0.8.5
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage v1.3.0254.0
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    Windows XP Uninstall
    WinRAR archiver
    WinZip 12.1
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/19/2011 4:09:03 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments " " in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    3/19/2011 12:06:57 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    3/19/2011 10:54:15 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK7 APPFLT DSAFLT Fips FNETMON IDSFLT IPSec MRxSmb NetBIOS NetBT NETFLTDI pavboot RasAcd Rdbss ShldDrv Tcpip WNMFLT
    3/19/2011 10:54:15 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
    3/19/2011 10:54:15 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/19/2011 10:54:15 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/19/2011 10:54:15 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    3/19/2011 10:54:06 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    3/18/2011 9:06:03 PM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\D.
    3/18/2011 9:06:03 PM, error: atapi [5] - A parity error was detected on \Device\Ide\IdePort0.
    3/18/2011 7:48:59 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK7 APPFLT DSAFLT Fips FNETMON IDSFLT pavboot ShldDrv WNMFLT
    3/18/2011 4:01:10 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
    3/18/2011 12:53:39 PM, error: Service Control Manager [7000] - The USB SECURITY DEVICE service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    3/18/2011 11:27:47 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the HTTP SSL service to connect.
    3/18/2011 11:27:47 PM, error: Service Control Manager [7000] - The HTTP SSL service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    3/18/2011 11:03:59 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    3/18/2011 11:03:44 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service Panda Software Controller with arguments " " in order to run the server: {1D13E84F-91EE-45C7-9656-A05E3417B4D5}
    3/17/2011 3:39:01 PM, error: Dhcp [1002] - The IP address lease 192.168.2.15 for the Network Card with network address 001CF013AF61 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    3/16/2011 8:35:54 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.104 with the system having network hardware address 90:4C:E5:1D:30:DB. Network operations on this system may be disrupted as a result.
    3/15/2011 11:24:57 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
    3/14/2011 9:33:23 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 001CF013AF61 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================

    Even though I was a computer hardware engineer for 25 years, this problem is software and I'm lost.
     
    Last edited: 2011/03/21

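    Reading the DDS "services" and "Created Last 30" sections above by hand is the next thing the analysts do. As an added example (not from the thread, from DDS or from its authors), the following Python parses those two DDS line formats and applies the triage hints an analyst applies by eye: a driver registration whose file could not be found at scan time (the `[?]` marker) or that lives under a temp directory, and recently created .sys files that share a byte size. The sample lines are copied from the logs in the posts above; the flag names and heuristics are this example's own and are hints, not verdicts.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# DDS service lines: "<start> <name>;<display>;<image> [<yyyy-m-d> <size>]" or,
# when DDS could not stat the file, "... <image> --> <resolved> [?]".
_SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
_SIZED_RE = re.compile(r"^(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$")
# DDS "Created Last 30" lines: "<date> <time> <size|-------> <attrs> <path>".
_CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>[\d:]{8})\s+(?P<size>\d+|-+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)


def parse_service_line(line: str) -> Optional[dict]:
    """Split one DDS service line into start type, names, image path and size."""
    m = _SERVICE_RE.match(line.strip())
    if not m:
        return None
    rec = {"start": m["start"], "name": m["name"], "display": m["display"],
           "path": None, "size": None, "file_missing": False}
    rest = m["rest"].strip()
    if " --> " in rest:
        # DDS resolved the \??\ device path but the file itself was not found.
        _, resolved = rest.split(" --> ", 1)
        if resolved.endswith("[?]"):
            rec["file_missing"] = True
            resolved = resolved[:-3]
        rec["path"] = resolved.strip()
    else:
        s = _SIZED_RE.match(rest)
        if s:
            rec["path"], rec["size"] = s["path"], int(s["size"])
        else:
            rec["path"] = rest
    return rec


def triage_services(lines: List[str]) -> List[dict]:
    """Return only the entries that trip a hint; flag names are this example's own."""
    findings = []
    for line in lines:
        rec = parse_service_line(line)
        if not rec:
            continue
        flags = []
        if rec["file_missing"]:
            flags.append("file_missing")   # registered driver, file not found at scan time
        if rec["path"] and "\\temp\\" in rec["path"].lower():
            flags.append("temp_path")      # kernel driver loaded from a user temp directory
        if flags:
            findings.append({"name": rec["name"], "path": rec["path"], "flags": flags})
    return findings


def same_size_drivers(lines: List[str]) -> Dict[int, List[str]]:
    """Group recently created .sys files by size; keep groups with more than one member."""
    by_size: Dict[int, List[str]] = defaultdict(list)
    for line in lines:
        m = _CREATED_RE.match(line.strip())
        if not m or not m["size"].isdigit():   # directories print dashes for size
            continue
        if m["path"].lower().endswith(".sys"):
            by_size[int(m["size"])].append(m["path"])
    return {size: paths for size, paths in by_size.items() if len(paths) > 1}


# Sample input: lines copied from the DDS logs posted above in this thread.
SAMPLE_SERVICES = r"""
R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\pavtpk.sys --> c:\windows\system32\PavTPK.sys [?]
S2 JUPITER;USB SECURITY DEVICE;c:\windows\system32\drivers\Jupiter.sys [2004-4-24 9312]
S3 naecd;naecd;\??\c:\docume~1\richar~1.win\locals~1\temp\naecd.sys --> c:\docume~1\richar~1.win\locals~1\temp\naecd.sys [?]
S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\rkpavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
""".strip().splitlines()

SAMPLE_CREATED = r"""
2011-03-21 05:24:51 54016 ----a-w- c:\windows\system32\drivers\ymflrn.sys
2011-03-20 06:27:31 54016 ----a-w- c:\windows\system32\drivers\wnmokgl.sys
2011-03-20 06:21:34 -------- d-----w- c:\docume~1\richar~1.win\applic~1\Malwarebytes
2011-03-20 06:21:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-20 06:21:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage_services(SAMPLE_SERVICES):
        print(f["name"], f["flags"], f["path"])
    for size, paths in same_size_drivers(SAMPLE_CREATED).items():
        print(size, paths)
```

    Note that `file_missing` alone is weak evidence: the Pav* entries, which by their names belong to the installed Panda suite, trip it too. The combination that stands out in this log is `naecd`, a driver registered from a user's temp directory whose file is gone, and the two same-size, randomly named .sys files created on consecutive days.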

  4. 2011/03/21
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    I see you have P2P software (Azureus, Limewire, BitTorrent, uTorrent etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, and here.

    I would strongly recommend that you uninstall them, and read the links above for educational value!

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at WindowsBBS Malware and Virus removal.

    A Malware expert will have a look at your log in due course.
     
  5. 2011/03/21
    MOUNTAINBIKER

    MOUNTAINBIKER Inactive Thread Starter

    Joined:
    2011/03/20
    Messages:
    21
    Likes Received:
    0
    Thanks, I will take note of that and remove it. The file-sharing software that my room-mate installed is no longer on the computer. I will ask my room-mate when they get home from work not to reinstall the program or any P2P programs on my computer. Now I understand why she was using my desktop and not her notebook. I guess it really was not because she had limited hard disk space.

    Rich
     
    Last edited: 2011/03/21
  6. 2011/03/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Welcome aboard :)

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =============================================================

    You're infected with a rootkit....

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
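    The "user != kernel MBR" verdict in the mbr.exe output in the first post, and the rootkit diagnosis broni gives above, both rest on reading sector 0 two ways and diffing the result. As an added example (not from the thread, from GMER or from Kaspersky's TDSSKiller), the following Python re-creates that comparison on two constructed 512-byte images: it parses the partition table, verifies the 0x55AA signature and reports which region of the sector differs. The partition geometry, the "tampered" stub bytes and the choice of which image is called the user view are all constructed for illustration; the only bytes taken from the page are the prologue encoded from the disassembly in the log (xor ax,ax / mov ss,ax / mov sp,7c00h / sti / ...).

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: bootstrap code, the part an MBR rootkit replaces
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the code
BOOT_SIG_OFF = 510       # 0x55 0xAA closes the sector
BOOT_SIG = b"\x55\xaa"


@dataclass(frozen=True)
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def has_boot_signature(mbr: bytes) -> bool:
    return len(mbr) == MBR_SIZE and mbr[BOOT_SIG_OFF:] == BOOT_SIG


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four classic partition entries, skipping empty slots (type 0)."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0:
            continue
        parts.append(Partition(i, status == 0x80, ptype, lba_start, count))
    return parts


def diff_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Half-open [start, end) byte ranges where two equal-length images differ."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def compare_mbr(user_view: bytes, kernel_view: bytes) -> Dict[str, object]:
    """The user-vs-kernel check: if the two reads of sector 0 disagree, something
    between the application and the disk is rewriting what it returns."""
    ranges = diff_ranges(user_view, kernel_view)
    return {
        "signature_ok": has_boot_signature(user_view) and has_boot_signature(kernel_view),
        "boot_code_differs": any(s < BOOT_CODE_LEN for s, _ in ranges),
        "partition_table_differs": any(s < BOOT_SIG_OFF and e > PART_TABLE_OFF for s, e in ranges),
        "diff_ranges": ranges,
    }


def build_mbr(boot_code: bytes, partitions: List[Partition]) -> bytes:
    """Assemble a sector from code + table + signature (CHS fields left zero)."""
    assert len(boot_code) <= BOOT_CODE_LEN
    table = bytearray(64)
    for p in partitions:
        off = 16 * p.index
        table[off] = 0x80 if p.bootable else 0x00
        table[off + 4] = p.type_id
        struct.pack_into("<II", table, off + 8, p.lba_start, p.sector_count)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + bytes(table) + BOOT_SIG


# Constructed sample images; not captured from the machine in this thread.
_PARTS = [Partition(0, True, 0x0C, 63, 156301359)]        # one bootable FAT32 (LBA) partition
_PROLOGUE = bytes.fromhex("33c08ed0bc007cfb5007501ffcbe1b7cbf1b06")  # encoded from the log's disassembly
_FOREIGN = bytes.fromhex("eb3e90")                          # placeholder stand-in for foreign boot code
CLEAN_MBR = build_mbr(_PROLOGUE, _PARTS)
TAMPERED_MBR = build_mbr(_FOREIGN, _PARTS)                  # same table, different bootstrap code

if __name__ == "__main__":
    print(parse_partitions(CLEAN_MBR))
    print(compare_mbr(CLEAN_MBR, TAMPERED_MBR))
```

    On a live Windows system the user-mode view is simply `open(r"\\.\PhysicalDrive0", "rb").read(512)` run as Administrator; the kernel-side view is what the rootkit scanners obtain by issuing the read below the disk filter stack, which no user-mode script can do, and which is exactly why a difference between the two is diagnostic rather than cosmetic.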
  7. 2011/03/22
    MOUNTAINBIKER

    MOUNTAINBIKER Inactive Thread Starter

    Joined:
    2011/03/20
    Messages:
    21
    Likes Received:
    0
    What occurred when I ran TDSSKiller

    Hi broni,
    I first copied and printed your instructions. Then I downloaded and unzipped TDSSKiller. Following your instructions I started the program and it found an infected file, so per your directions I clicked Continue on the cure page.
    I received a blue screen of death reporting a Kernel_Stack_Inpage_Error
    Once the computer finished doing the memory dump and running a check on the file system of C drive I found the TDSSKiller log file and here it is:

    2011/03/21 22:51:32.0140 2612 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
    2011/03/21 22:51:34.0187 2612 ================================================================================
    2011/03/21 22:51:34.0187 2612 SystemInfo:
    2011/03/21 22:51:34.0187 2612
    2011/03/21 22:51:34.0187 2612 OS Version: 5.1.2600 ServicePack: 3.0
    2011/03/21 22:51:34.0187 2612 Product type: Workstation
    2011/03/21 22:51:34.0187 2612 ComputerName: WINXP
    2011/03/21 22:51:34.0421 2612 UserName: Richard M. Winkler
    2011/03/21 22:51:34.0421 2612 Windows directory: C:\WINDOWS
    2011/03/21 22:51:34.0421 2612 System windows directory: C:\WINDOWS
    2011/03/21 22:51:34.0421 2612 Processor architecture: Intel x86
    2011/03/21 22:51:34.0421 2612 Number of processors: 1
    2011/03/21 22:51:34.0421 2612 Page size: 0x1000
    2011/03/21 22:51:34.0421 2612 Boot type: Normal boot
    2011/03/21 22:51:34.0421 2612 ================================================================================
    2011/03/21 22:51:37.0515 2612 Initialize success
    2011/03/21 22:52:05.0656 2848 ================================================================================
    2011/03/21 22:52:05.0656 2848 Scan started
    2011/03/21 22:52:05.0656 2848 Mode: Manual;
    2011/03/21 22:52:05.0656 2848 ================================================================================
    2011/03/21 22:53:19.0062 2848 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2011/03/21 22:53:19.0703 2848 ================================================================================
    2011/03/21 22:53:19.0703 2848 Scan finished
    2011/03/21 22:53:19.0703 2848 ================================================================================
    2011/03/21 22:53:19.0718 3044 Detected object count: 1
    2011/03/21 22:53:43.0390 3044 \HardDisk1 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
    2011/03/21 22:53:43.0390 3044 \HardDisk1 - ok
    2011/03/21 22:53:43.0390 3044 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Cure
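As an added example (not part of this thread and not TDSSKiller's own code), here is a small Python triage helper that parses the log format posted above and reports what state each detection was left in, so a responder knows whether a rescan after reboot is still owed. The sample log is constructed from a few lines in the same format, and the line patterns are assumptions drawn from the lines visible in this post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A TDSSKiller 2.4.x log line reads "YYYY/MM/DD HH:MM:SS.mmmm <pid> <message>";
# a few header lines carry no message, so the message group is optional.
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)(?:\s+(.*))?$")
# Enumerated driver:  "<service> (<md5>) <path>"
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (\S.*)$")
# Detection:          "<object> - detected <threat> (<n>)"
DETECT_RE = re.compile(r"^(\S+) - detected (\S+) \(\d+\)$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")
# Post-scan lines:    "<object> (<threat>) - will be cured after reboot"
#                     "<threat>(<object>) - User select action: <action>"
PENDING_RE = re.compile(r"^(\S+) \((\S+)\) - will be cured after reboot$")
ACTION_RE = re.compile(r"^([^(\s]+)\(([^)\s]+)\) - User select action: (\w+)$")


@dataclass
class TdssTriage:
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # service -> (md5, path)
    detections: List[Tuple[str, str]] = field(default_factory=list)    # (object, threat)
    pending_reboot: List[str] = field(default_factory=list)            # objects cured only after reboot
    actions: Dict[str, str] = field(default_factory=dict)              # object -> Cure / Skip
    detected_count: Optional[int] = None
    scan_finished: bool = False


def parse_tdsskiller_log(text: str) -> TdssTriage:
    """Walk the log once and collect drivers, detections and the actions chosen for them."""
    t = TdssTriage()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(3) is None:
            continue
        msg = m.group(3).strip()
        if msg == "Scan finished":
            t.scan_finished = True
        elif (d := DRIVER_RE.match(msg)):
            t.drivers[d.group(1)] = (d.group(2), d.group(3))
        elif (d := DETECT_RE.match(msg)):
            t.detections.append((d.group(1), d.group(2)))
        elif (d := COUNT_RE.match(msg)):
            t.detected_count = int(d.group(1))
        elif (d := PENDING_RE.match(msg)):
            t.pending_reboot.append(d.group(1))
        elif (d := ACTION_RE.match(msg)):
            t.actions[d.group(2)] = d.group(3)  # the object is the parenthesised part here
    return t


def assess(t: TdssTriage) -> List[str]:
    """Turn the parsed log into the checks a responder wants before calling the machine clean."""
    findings: List[str] = []
    if not t.scan_finished:
        findings.append("scan did not finish: treat the log as partial")
    if t.detected_count is not None and t.detected_count != len(t.detections):
        findings.append(f"count mismatch: header says {t.detected_count}, parsed {len(t.detections)}")
    for obj, threat in t.detections:
        # A \HardDiskN object instead of a file path means the detection sits in the
        # disk's boot code (MBR), which is where the TDL4 family keeps its loader.
        where = f"boot sector of {obj}" if obj.startswith("\\HardDisk") else obj
        action = t.actions.get(obj)
        if action == "Cure" and obj in t.pending_reboot:
            findings.append(f"{threat} on {where}: cure scheduled, rescan after reboot to confirm")
        elif action == "Cure":
            findings.append(f"{threat} on {where}: cured in place")
        elif action == "Skip":
            findings.append(f"{threat} on {where}: skipped, still present")
        else:
            findings.append(f"{threat} on {where}: no action recorded")
    if not t.detections:
        findings.append("no detections recorded")
    return findings


# Constructed sample in the format of the log posted above (a few lines, not the full run).
SAMPLE_LOG = r"""
2011/03/21 22:51:32.0140 2612 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/21 22:51:34.0187 2612 SystemInfo:
2011/03/21 22:51:34.0187 2612
2011/03/21 22:51:37.0515 2612 Initialize success
2011/03/21 22:52:05.0656 2848 Scan started
2011/03/21 22:52:17.0781 2848 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/21 22:53:10.0625 2848 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/03/21 22:53:19.0062 2848 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/03/21 22:53:19.0703 2848 Scan finished
2011/03/21 22:53:19.0718 3044 Detected object count: 1
2011/03/21 22:53:43.0390 3044 \HardDisk1 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/03/21 22:53:43.0390 3044 \HardDisk1 - ok
2011/03/21 22:53:43.0390 3044 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Cure
"""

if __name__ == "__main__":
    for line in assess(parse_tdsskiller_log(SAMPLE_LOG)):
        print(line)
```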
     
  8. 2011/03/22
    MOUNTAINBIKER

    MOUNTAINBIKER Inactive Thread Starter

    Joined:
    2011/03/20
    Messages:
    21
    Likes Received:
    0
    Problem seems to be resolved

    After rebooting several times and testing access to Microsoft sites, the problems appear to be gone. However, when I open Thread Tools to mark the thread as resolved, I do not get that option.
     
  9. 2011/03/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Good news :)

    In this forum, only I can mark a topic as resolved.

    We still have some work to do to make sure your computer is totally clean.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.**
    1. Please, never rename ComboFix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If ComboFix asks you to install Recovery Console, please allow it.
      NOTE 2. If ComboFix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
      • If there is no Internet connection after running ComboFix, then restart your computer to restore your connection.
    4. Double-click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt".
    **Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart your computer to fix the issue.

    Make sure you re-enable your security programs when you're done with ComboFix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete the ComboFix file and download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run, then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, Rkill and ComboFix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  10. 2011/03/22
    MOUNTAINBIKER

    MOUNTAINBIKER Inactive Thread Starter

    Joined:
    2011/03/20
    Messages:
    21
    Likes Received:
    0
    ComboFix Log

    ComboFix 11-03-22.04 - Richard M. Winkler 03/22/2011 20:27:35.1.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.224 [GMT -7:00]
    Running from: c:\documents and settings\Richard M. Winkler\My Documents\Downloads\ComboFix.exe
    AV: Panda Internet Security 2011 *Disabled/Updated* {4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0}
    FW: Panda Personal Firewall 2011 *Disabled* {7B090DC0-8905-4BAF-8040-FD98A41C8FB8}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Richard M. Winkler\Favorites\Thumbs.db
    c:\windows\start.exe
    c:\windows\system32\encapi32.dll
    c:\windows\system32\Thumbs.db
    c:\windows\Web\default.htt
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-22 05:51 . 2011-03-22 05:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-03-21 05:24 . 2011-03-21 05:24 54016 ----a-w- c:\windows\system32\drivers\ymflrn.sys
    2011-03-20 06:27 . 2011-03-20 06:27 54016 ----a-w- c:\windows\system32\drivers\wnmokgl.sys
    2011-03-20 06:21 . 2011-03-20 06:21 -------- d-----w- c:\documents and settings\Richard M. Winkler\Application Data\Malwarebytes
    2011-03-20 06:21 . 2011-03-20 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-03-20 06:21 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-20 06:21 . 2011-03-20 06:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-20 06:21 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-19 19:55 . 2011-03-19 19:55 -------- d--h--w- c:\windows\ie8
    2011-03-19 18:16 . 2011-03-19 18:16 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-03-19 18:15 . 2011-03-19 18:15 -------- d-----w- C:\FOUND.000
    2011-02-27 19:00 . 2011-02-27 19:00 -------- d-----w- c:\documents and settings\Richard M. Winkler\Local Settings\Application Data\Opera
    2011-02-27 19:00 . 2011-02-27 19:00 -------- d-----w- c:\program files\Opera
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-09 12:53 . 2003-03-31 19:00 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 12:53 . 2003-03-31 19:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 06:58 . 2005-08-18 21:47 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 10:57 . 2005-08-18 21:47 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 13:44 . 2003-03-31 19:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 13:09 . 2003-03-31 19:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 12:10 . 2003-03-31 20:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Eraser"="c:\program files\Eraser\eraser.exe" [2003-07-25 536576]
    "OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-02-09 95800]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "USB SECURITY DEVICE CoInstaller"="JupitCo.exe" [2002-03-15 28672]
    "Cyber"="c:\program files\BELKIN\cyberChk.exe" [1999-05-21 192000]
    "NvCplDaemon"="c:\windows\SYSTEM32\nvcpl.dll" [2005-07-21 7110656]
    "nwiz"="nwiz.exe" [2005-07-21 1519616]
    "NvMediaCenter"="c:\windows\SYSTEM32\NVMCTRAY.DLL" [2005-07-21 86016]
    "IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-12 1280344]
    "APVXDWIN"="c:\program files\Panda Security\Panda Internet Security 2011\APVXDWIN.EXE" [2010-08-26 988480]
    "SCANINICIO"="c:\program files\Panda Security\Panda Internet Security 2011\Inicio.exe" [2010-06-11 68928]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" [2004-04-09 98304]
    "Logitech Utility"="Logi_MwX.Exe" [2003-03-07 19968]
    "C-Media Mixer"="Mixer.exe" [2002-06-12 1495040]
    "LoadPowerProfile"="powrprof.dll" [2008-04-13 17408]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2004-4-8 169472]
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-9-11 113664]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "UseDesktopIniCache"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
    2010-03-24 19:55 55552 ----a-w- c:\windows\SYSTEM32\avldr.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
    backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MySoftware NewsFlash.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MySoftware NewsFlash.lnk
    backup=c:\windows\pss\MySoftware NewsFlash.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
    2002-06-12 07:23 1495040 ----a-r- c:\windows\mixer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-07-08 03:10 136176 ----a-w- c:\documents and settings\Richard M. Winkler\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-13 23:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-30 00:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 18:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tracker]
    2000-06-14 21:36 94208 ----a-w- c:\program files\MySoftware\MyInvoices\Tracker.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\System32\\DPNSvr.exe"=
    "c:\\Program Files\\2K Games\\Dungeon Siege 2 Broken World\\DungeonSiege2.exe"=
    "c:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe"=
    "c:\\Program Files\\Microsoft Games\\Dungeon Siege\\DSLOA.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\System32\\java.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Opera\\opera.exe"=
    .
    R0 amdagpxp;AMD NB AGP Bus Filter;c:\windows\SYSTEM32\DRIVERS\amdagpxp.sys [5/10/2005 7:12 PM 27776]
    R0 pavboot;Panda boot driver;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [9/22/2010 9:45 PM 26696]
    R1 APPFLT;App Filter Plugin;c:\windows\SYSTEM32\DRIVERS\APPFLT.SYS [9/22/2010 9:45 PM 76296]
    R1 DSAFLT;DSA Filter Plugin;c:\windows\SYSTEM32\DRIVERS\dsaflt.sys [9/22/2010 9:45 PM 53256]
    R1 FNETMON;NetMon Filter Plugin;c:\windows\SYSTEM32\DRIVERS\fnetmon.sys [9/22/2010 9:45 PM 22024]
    R1 IDSFLT;Ids Filter Plugin;c:\windows\SYSTEM32\DRIVERS\idsflt.sys [9/22/2010 9:45 PM 193800]
    R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\SYSTEM32\DRIVERS\NETFLTDI.SYS [9/22/2010 9:45 PM 159112]
    R1 ShldDrv;Panda File Shield Driver;c:\windows\SYSTEM32\DRIVERS\ShlDrv51.sys [9/22/2010 9:44 PM 37896]
    R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\SYSTEM32\DRIVERS\wnmflt.sys [9/22/2010 9:45 PM 46856]
    R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
    R2 AmFSM;AmFSM;c:\windows\SYSTEM32\DRIVERS\amm8651.sys [9/22/2010 9:45 PM 59080]
    R2 PavProc;Panda Process Protection Driver;c:\windows\SYSTEM32\DRIVERS\PavProc.sys [9/22/2010 9:44 PM 163336]
    R2 PskSvcRetail;Panda PSK service;c:\program files\Panda Security\Panda Internet Security 2011\psksvc.exe [9/22/2010 9:45 PM 28992]
    R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\SYSTEM32\DRIVERS\A5AGU.sys [5/8/2006 7:10 PM 386784]
    R3 JSWSCIMD;jswscimd Service;c:\windows\SYSTEM32\DRIVERS\jswscimd.sys [4/12/2009 9:38 PM 57440]
    R3 NETIMFLT01060042;PANDA NDIS IM Filter Miniport v1.6.0.42;c:\windows\SYSTEM32\DRIVERS\neti1642.sys [9/22/2010 9:45 PM 199688]
    R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\PavTPK.sys --> c:\windows\system32\PavTPK.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [7/26/2010 7:34 PM 312152]
    S2 JUPITER;USB SECURITY DEVICE;c:\windows\SYSTEM32\DRIVERS\Jupiter.sys [4/24/2004 11:10 PM 9312]
    S3 fixustor;fixustor;c:\windows\SYSTEM32\DRIVERS\fixustor.sys [5/17/2007 8:40 PM 5632]
    S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\RangeBooster G WUA-2340\JSWUtil\jswpsapi.exe [4/12/2009 9:38 PM 356434]
    S3 naecd;naecd;\??\c:\docume~1\RICHAR~1.WIN\LOCALS~1\Temp\naecd.sys --> c:\docume~1\RICHAR~1.WIN\LOCALS~1\Temp\naecd.sys [?]
    S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
    S3 RkPavproc2;RkPavproc2;\??\c:\windows\system32\drivers\RkPavproc2.sys --> c:\windows\system32\drivers\RkPavproc2.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    S3 ZD1201U(ZyDAS);ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB)(ZyDAS);c:\windows\system32\DRIVERS\zd1201u.sys --> c:\windows\system32\DRIVERS\zd1201u.sys [?]
    S3 ZD1201U;TwinMOS Netkey Wireless LAN Driver (USB);c:\windows\system32\DRIVERS\zd1201u.sys --> c:\windows\system32\DRIVERS\zd1201u.sys [?]
    S3 ZDNDIS5;ZDNDIS5 NDIS Protocol Driver;c:\windows\SYSTEM32\ZDNDIS5.sys [1/28/2005 8:02 PM 16157]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    2008-04-13 23:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    2008-04-13 23:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    2008-04-13 23:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    2008-04-13 23:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
    2004-04-08 19:31 7168 ------w- c:\windows\SYSTEM32\updcrl.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1383384898-854245398-1003Core1cb6cf3b945d8aa.job
    - c:\documents and settings\Richard M. Winkler\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-08 03:10]
    .
    2011-03-12 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    .
    ------- Supplementary Scan -------
    .
    Trusted Zone: keplers.com\menlopark
    DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
    DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: Win32 Classes
    FF - ProfilePath - c:\documents and settings\Richard M. Winkler\Application Data\Mozilla\Firefox\Profiles\yona0dqz.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Shop to Win: {5835466c-49af-4cbe-b102-a8c8b6313749} - %profile%\extensions\{5835466c-49af-4cbe-b102-a8c8b6313749}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    ShellIconOverlayIdentifiers-{7D688A77-C613-11D0-999B-00C04FD655E1} - (no file)
    AddRemove-FixUstor - c:\windows\temp\fixustor\remove.exe
    AddRemove-JPGVideo_is1 - c:\program files\NDW\JPGVideo\unins000.exe
    AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-22 20:36
    Windows 5.1.2600 Service Pack 3 FAT NTAPI
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ef,48,c3,29,10,a8,26,42,ad,df,53,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ef,48,c3,29,10,a8,26,42,ad,df,53,\
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @= "FlashBroker "
    "LocalizedString "= "@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101 "
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled "=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @= "c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe "
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @= "IFlashBroker4 "
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @= "{00020424-0000-0000-C000-000000000046} "
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @= "{FAB3E735-69C7-453B-A446-B6823C6DF1C9} "
    "Version "= "1.0 "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1100)
    c:\windows\system32\avldr.dll
    .
    Completion time: 2011-03-22 20:38:51
    ComboFix-quarantined-files.txt 2011-03-23 03:38
    .
    Pre-Run: 18,669,502,464 bytes free
    Post-Run: 18,756,894,720 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug= "do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
    .
    - - End Of File - - BF4604AA8E15948B162C8FF34B54917A
     
  11. 2011/03/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    There is still some infection there.

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\drivers\ymflrn.sys
    c:\windows\system32\drivers\wnmokgl.sys
    c:\docume~1\RICHAR~1.WIN\LOCALS~1\Temp\naecd.sys
    
    
    Driver::
    ymflrn
    wnmokgl
    naecd
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: dragging CFScript.txt onto the ComboFix.exe icon]


    6. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
    • Combofix.txt
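The two ComboFix steps above (reading the `R0`/`S3` driver lines in the posted log, then writing a `File::`/`Driver::` CFScript and checking the follow-up log) are what a helper does by hand. The script below is an added example for this thread, not ComboFix code and not the moderator's own tooling. The sample lines are constructed from the log format shown in the posts, and the "kernel driver under a user Temp directory" rule that flags `naecd` is an assumption of this example, not a ComboFix rule; legitimate drivers (Panda's `PavTPK.sys`) trip the weaker hints, which is why only the Temp-path rule marks an entry suspicious.

```python
"""Triage ComboFix 'Drivers/Services' lines and draft a CFScript.

Added example for this thread; it is not ComboFix code and not the
moderator's tooling. The sample lines are constructed from the log
format shown in the thread, and the Temp-path heuristic is an
assumption of this example, not a ComboFix rule.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the thread's log format (R = running, S = stopped).
SAMPLE_DRIVER_LINES = r"""
R0 pavboot;Panda boot driver;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [9/22/2010 9:45 PM 26696]
R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\PavTPK.sys --> c:\windows\system32\PavTPK.sys [?]
S3 naecd;naecd;\??\c:\docume~1\RICHAR~1.WIN\LOCALS~1\Temp\naecd.sys --> c:\docume~1\RICHAR~1.WIN\LOCALS~1\Temp\naecd.sys [?]
S3 ZDNDIS5;ZDNDIS5 NDIS Protocol Driver;c:\windows\SYSTEM32\ZDNDIS5.sys [1/28/2005 8:02 PM 16157]
"""

# Constructed fragment of a post-script ComboFix log (same format as the thread).
SAMPLE_FOLLOWUP_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\drivers\wnmokgl.sys
c:\windows\system32\Drivers\ymflrn.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NAECD
-------\Service_naecd
"""

LINE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.+)$")
META_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)   # assumed heuristic: driver in a Temp dir


@dataclass
class DriverEntry:
    start: str      # R0..R3 (running) or S0..S3 (stopped) start type
    name: str       # service name, what CFScript's Driver:: section takes
    desc: str       # display name; droppers often just repeat the service name
    path: str       # resolved image path, what CFScript's File:: section takes
    missing: bool   # ComboFix printed "[?]" because it could not stat the file
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Only the Temp-path rule is strong on its own; the other hints are
        # context for a human reviewer, since legitimate drivers trip them too.
        return "temp_path" in self.reasons


def _image_path(rest: str):
    """Return (path, meta) from the text after the description field."""
    if " --> " in rest:                  # "\??\x --> x [?]" form: keep the resolved side
        rest = rest.split(" --> ", 1)[1]
    m = META_RE.match(rest)
    path, meta = (m.group("path"), m.group("meta")) if m else (rest.strip(), "")
    if path.startswith("\\??\\"):        # NT object-manager prefix, drop it for readability
        path = path[4:]
    return path, meta


def parse_driver_lines(text: str):
    """Parse every R*/S* line into a DriverEntry and attach triage hints."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path, meta = _image_path(m.group("rest"))
        e = DriverEntry(m.group("start"), m.group("name").strip(),
                        m.group("desc").strip(), path, meta.strip() == "?")
        if TEMP_RE.search(e.path):
            e.reasons.append("temp_path")        # kernel driver living in a user Temp dir
        if e.missing:
            e.reasons.append("missing_file")     # hidden, already gone, or stale registration
        if e.desc.lower() == e.name.lower():
            e.reasons.append("no_description")   # no vendor display name
        entries.append(e)
    return entries


def build_cfscript(entries) -> str:
    """Draft the File::/Driver:: script that gets dropped onto ComboFix.exe."""
    files = "\n".join(e.path for e in entries)
    drivers = "\n".join(e.name for e in entries)
    return f"File::\n{files}\n\nDriver::\n{drivers}\n"


def confirm_removed(followup_log: str, names) -> dict:
    """Per name: service gone (Service_<name>) or its .sys listed under deletions."""
    low = followup_log.lower()
    return {n: (f"\\service_{n.lower()}" in low or f"\\{n.lower()}.sys" in low)
            for n in names}


if __name__ == "__main__":
    found = parse_driver_lines(SAMPLE_DRIVER_LINES)
    for e in found:
        print(f"{e.start} {e.name:<12} {e.path}  {e.reasons}")
    print(build_cfscript([e for e in found if e.suspicious]))
    print(confirm_removed(SAMPLE_FOLLOWUP_LOG, ["naecd", "ymflrn", "wnmokgl"]))
```

Run it as-is to see `naecd` flagged (Temp path, missing file, no description), the drafted CFScript, and the follow-up check reporting all three names as removed. Note that the two other drivers the moderator scripted (`ymflrn.sys`, `wnmokgl.sys`) do not appear in the driver list and would not be caught by this heuristic; they came from a different part of the log, which is why the parser's output is a starting point for a reviewer rather than a verdict.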
     
  12. 2011/03/22
    MOUNTAINBIKER

    MOUNTAINBIKER Inactive Thread Starter

    Joined:
    2011/03/20
    Messages:
    21
    Likes Received:
    0
    not sure what is happening

    Broni

    Writing to you via my room-mate's notebook. I copied the data in the gray box, pasted it into Notepad and named it as directed. Then I dragged the text file onto the program icon for ComboFix. The program started a small box with a green line. After the line moved from left to right it sat for 5 minutes and then disappeared. The activity light on the hard disk is blinking randomly, but the program screen never opened and it has been over 20 minutes. What am I doing wrong? **** I hate the keyboard on this notebook. Much too small.

    Rich
     
  13. 2011/03/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Restart manually and try again.
     
  14. 2011/03/23
    MOUNTAINBIKER

    MOUNTAINBIKER Inactive Thread Starter

    Joined:
    2011/03/20
    Messages:
    21
    Likes Received:
    0
    By starting manually I assume you mean...

    Double-clicking on the ComboFix icon. I did this and the same thing happened.
    I will re-download the program and try again. Please give me the link again for ComboFix.
     
  15. 2011/03/23
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    My post #8.

    Try the options from that post, which tell you what to do if ComboFix doesn't want to run (rename it, run rKill first).
     
  16. 2011/03/23
    MOUNTAINBIKER

    MOUNTAINBIKER Inactive Thread Starter

    Joined:
    2011/03/20
    Messages:
    21
    Likes Received:
    0
    Okay, I am doing as directed in post 8.

    The system is running rkill now. rkill finished and I am starting ComboFix with the antivirus and spyware programs disabled.
     
    Last edited: 2011/03/23
  17. 2011/03/23
    MOUNTAINBIKER

    MOUNTAINBIKER Inactive Thread Starter

    Joined:
    2011/03/20
    Messages:
    21
    Likes Received:
    0
    Things running in safe mode

    As I write this my computer is running ComboFix, started by dragging CFScript.txt onto the icon.
     
  18. 2011/03/23
    MOUNTAINBIKER

    MOUNTAINBIKER Inactive Thread Starter

    Joined:
    2011/03/20
    Messages:
    21
    Likes Received:
    0
    Here are the ComboFix and rkill logs

    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 03/22/2011 at 23:03:10.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:

    C:\32788R22FWJFW\cmd.cfxxe


    ComboFix 11-03-22.05 - Richard M. Winkler 03/22/2011 23:24:08.3.1 - FAT32x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.325 [GMT -7:00]
    Running from: c:\documents and settings\Richard M. Winkler\My Documents\Downloads\ComboFix.exe
    Command switches used :: c:\documents and settings\Richard M. Winkler\My Documents\Downloads\CFScript.txt
    AV: Panda Internet Security 2011 *Disabled/Updated* {4570FB70-5C9E-47E9-B16C-A3A6A06C4BF0}
    FW: Panda Personal Firewall 2011 *Disabled* {7B090DC0-8905-4BAF-8040-FD98A41C8FB8}
    .
    FILE ::
    "c:\docume~1\RICHAR~1.WIN\LOCALS~1\Temp\naecd.sys "
    "c:\windows\system32\drivers\wnmokgl.sys "
    "c:\windows\system32\drivers\ymflrn.sys "
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\system32\drivers\wnmokgl.sys
    c:\windows\system32\Drivers\ymflrn.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_NAECD
    -------\Service_naecd
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-23 to 2011-03-23 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-22 05:51 . 2011-03-22 05:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-03-20 06:21 . 2011-03-20 06:21 -------- d-----w- c:\documents and settings\Richard M. Winkler\Application Data\Malwarebytes
    2011-03-20 06:21 . 2011-03-20 06:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-03-20 06:21 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-03-20 06:21 . 2011-03-20 06:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-20 06:21 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-03-19 19:55 . 2011-03-19 19:55 -------- d--h--w- c:\windows\ie8
    2011-03-19 18:16 . 2011-03-19 18:16 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-03-19 18:15 . 2011-03-19 18:15 -------- d-----w- C:\FOUND.000
    2011-02-27 19:00 . 2011-02-27 19:00 -------- d-----w- c:\documents and settings\Richard M. Winkler\Local Settings\Application Data\Opera
    2011-02-27 19:00 . 2011-02-27 19:00 -------- d-----w- c:\program files\Opera
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-09 12:53 . 2003-03-31 19:00 270848 ----a-w- c:\windows\system32\sbe.dll
    2011-02-09 12:53 . 2003-03-31 19:00 186880 ----a-w- c:\windows\system32\encdec.dll
    2011-02-02 06:58 . 2005-08-18 21:47 2067456 ----a-w- c:\windows\system32\mstscax.dll
    2011-01-27 10:57 . 2005-08-18 21:47 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-01-21 13:44 . 2003-03-31 19:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 13:09 . 2003-03-31 19:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 12:10 . 2003-03-31 20:00 1854976 ----a-w- c:\windows\system32\win32k.sys
    2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-03-23_03.36.12 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-03-23 06:33 . 2011-03-23 06:33 16384 c:\windows\temp\Perflib_Perfdata_a4.dat
    + 2011-03-23 06:35 . 2011-03-23 06:35 58177 c:\windows\temp\cteng_tld.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Eraser "= "c:\program files\Eraser\eraser.exe" [2003-07-25 536576]
    "OM2_Monitor "= "c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2007-02-09 95800]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "USB SECURITY DEVICE CoInstaller "= "JupitCo.exe" [2002-03-15 28672]
    "Cyber "= "c:\program files\BELKIN\cyberChk.exe" [1999-05-21 192000]
    "NvCplDaemon "= "c:\windows\SYSTEM32\nvcpl.dll" [2005-07-21 7110656]
    "nwiz "= "nwiz.exe" [2005-07-21 1519616]
    "NvMediaCenter "= "c:\windows\SYSTEM32\NVMCTRAY.DLL" [2005-07-21 86016]
    "IObit Security 360 "= "c:\program files\IObit\IObit Security 360\IS360tray.exe" [2010-06-12 1280344]
    "APVXDWIN "= "c:\program files\Panda Security\Panda Internet Security 2011\APVXDWIN.EXE" [2010-08-26 988480]
    "SCANINICIO "= "c:\program files\Panda Security\Panda Internet Security 2011\Inicio.exe" [2010-06-11 68928]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "QuickTime Task "= "c:\windows\SYSTEM32\qttask.exe" [2004-04-09 98304]
    "Logitech Utility "= "Logi_MwX.Exe" [2003-03-07 19968]
    "C-Media Mixer "= "Mixer.exe" [2002-06-12 1495040]
    "LoadPowerProfile "= "powrprof.dll" [2008-04-13 17408]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2004-4-8 169472]
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-9-11 113664]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "UseDesktopIniCache "= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
    2010-03-24 19:55 55552 ----a-w- c:\windows\SYSTEM32\avldr.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]
    @= "Service "
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
    backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MySoftware NewsFlash.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MySoftware NewsFlash.lnk
    backup=c:\windows\pss\MySoftware NewsFlash.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
    2002-06-12 07:23 1495040 ----a-r- c:\windows\mixer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-07-08 03:10 136176 ----a-w- c:\documents and settings\Richard M. Winkler\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-13 23:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-30 00:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 18:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tracker]
    2000-06-14 21:36 94208 ----a-w- c:\program files\MySoftware\MyInvoices\Tracker.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\WINDOWS\\System32\\DPNSvr.exe "=
    "c:\\Program Files\\2K Games\\Dungeon Siege 2 Broken World\\DungeonSiege2.exe "=
    "c:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe "=
    "c:\\Program Files\\Microsoft Games\\Dungeon Siege\\DSLOA.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\WINDOWS\\System32\\java.exe "=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe "=
    "c:\\Program Files\\Opera\\opera.exe "=
    .
    R0 amdagpxp;AMD NB AGP Bus Filter;c:\windows\SYSTEM32\DRIVERS\amdagpxp.sys [5/10/2005 7:12 PM 27776]
    R0 pavboot;Panda boot driver;c:\windows\SYSTEM32\DRIVERS\pavboot.sys [9/22/2010 9:45 PM 26696]
    R1 APPFLT;App Filter Plugin;c:\windows\SYSTEM32\DRIVERS\APPFLT.SYS [9/22/2010 9:45 PM 76296]
    R1 DSAFLT;DSA Filter Plugin;c:\windows\SYSTEM32\DRIVERS\dsaflt.sys [9/22/2010 9:45 PM 53256]
    R1 FNETMON;NetMon Filter Plugin;c:\windows\SYSTEM32\DRIVERS\fnetmon.sys [9/22/2010 9:45 PM 22024]
    R1 IDSFLT;Ids Filter Plugin;c:\windows\SYSTEM32\DRIVERS\idsflt.sys [9/22/2010 9:45 PM 193800]
    R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\SYSTEM32\DRIVERS\NETFLTDI.SYS [9/22/2010 9:45 PM 159112]
    R1 ShldDrv;Panda File Shield Driver;c:\windows\SYSTEM32\DRIVERS\ShlDrv51.sys [9/22/2010 9:44 PM 37896]
    R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\SYSTEM32\DRIVERS\wnmflt.sys [9/22/2010 9:45 PM 46856]
    R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 12:03 PM 169312]
    R2 AmFSM;AmFSM;c:\windows\SYSTEM32\DRIVERS\amm8651.sys [9/22/2010 9:45 PM 59080]
    R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [7/26/2010 7:34 PM 312152]
    R2 PavProc;Panda Process Protection Driver;c:\windows\SYSTEM32\DRIVERS\PavProc.sys [9/22/2010 9:44 PM 163336]
    R2 PskSvcRetail;Panda PSK service;c:\program files\Panda Security\Panda Internet Security 2011\psksvc.exe [9/22/2010 9:45 PM 28992]
    R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\SYSTEM32\DRIVERS\A5AGU.sys [5/8/2006 7:10 PM 386784]
    R3 JSWSCIMD;jswscimd Service;c:\windows\SYSTEM32\DRIVERS\jswscimd.sys [4/12/2009 9:38 PM 57440]
    R3 NETIMFLT01060042;PANDA NDIS IM Filter Miniport v1.6.0.42;c:\windows\SYSTEM32\DRIVERS\neti1642.sys [9/22/2010 9:45 PM 199688]
    R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\PavTPK.sys --> c:\windows\system32\PavTPK.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 JUPITER;USB SECURITY DEVICE;c:\windows\SYSTEM32\DRIVERS\Jupiter.sys [4/24/2004 11:10 PM 9312]
    S3 fixustor;fixustor;c:\windows\SYSTEM32\DRIVERS\fixustor.sys [5/17/2007 8:40 PM 5632]
    S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\D-Link\RangeBooster G WUA-2340\JSWUtil\jswpsapi.exe [4/12/2009 9:38 PM 356434]
    S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\RkPavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
    S3 RkPavproc2;RkPavproc2;\??\c:\windows\system32\drivers\RkPavproc2.sys --> c:\windows\system32\drivers\RkPavproc2.sys [?]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    S3 ZD1201U(ZyDAS);ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB)(ZyDAS);c:\windows\system32\DRIVERS\zd1201u.sys --> c:\windows\system32\DRIVERS\zd1201u.sys [?]
    S3 ZD1201U;TwinMOS Netkey Wireless LAN Driver (USB);c:\windows\system32\DRIVERS\zd1201u.sys --> c:\windows\system32\DRIVERS\zd1201u.sys [?]
    S3 ZDNDIS5;ZDNDIS5 NDIS Protocol Driver;c:\windows\SYSTEM32\ZDNDIS5.sys [1/28/2005 8:02 PM 16157]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    2008-04-13 23:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    2008-04-13 23:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    2008-04-13 23:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    2008-04-13 23:12 73216 ----a-w- c:\progra~1\OUTLOO~1\setup50.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
    2004-04-08 19:31 7168 ------w- c:\windows\SYSTEM32\updcrl.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-1383384898-854245398-1003Core1cb6cf3b945d8aa.job
    - c:\documents and settings\Richard M. Winkler\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-08 03:10]
    .
    2011-03-12 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    .
    ------- Supplementary Scan -------
    .
    Trusted Zone: keplers.com\menlopark
    DPF: DirectAnimation Java Classes - file://c:\windows\SYSTEM\dajava.cab
    DPF: Internet Explorer Classes for Java - file://c:\windows\SYSTEM\iejava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: Win32 Classes
    FF - ProfilePath - c:\documents and settings\Richard M. Winkler\Application Data\Mozilla\Firefox\Profiles\yona0dqz.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - prefs.js: browser.search.selectedEngine - Yahoo
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Shop to Win: {5835466c-49af-4cbe-b102-a8c8b6313749} - %profile%\extensions\{5835466c-49af-4cbe-b102-a8c8b6313749}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-22 23:34
    Windows 5.1.2600 Service Pack 3 FAT NTAPI
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ef,48,c3,29,10,a8,26,42,ad,df,53,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ef,48,c3,29,10,a8,26,42,ad,df,53,\
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1020)
    c:\windows\system32\avldr.dll
    .
    - - - - - - - > 'explorer.exe'(4008)
    c:\windows\system32\WININET.dll
    c:\program files\Panda Security\Panda Internet Security 2011\pavoepl.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Panda Security\Panda Internet Security 2011\TPSrv.exe
    c:\program files\PANDA SECURITY\PANDA INTERNET SECURITY 2011\WebProxy.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Panda Security\Panda Internet Security 2011\PsCtrls.exe
    c:\program files\Panda Security\Panda Internet Security 2011\PavFnSvr.exe
    c:\program files\Common Files\Panda Security\PavShld\pavprsrv.exe
    c:\program files\panda security\panda internet security 2011\firewall\PSHOST.EXE
    c:\program files\Panda Security\Panda Internet Security 2011\PsImSvc.exe
    c:\program files\Panda Security\Panda Internet Security 2011\pavsrvx86.exe
    c:\program files\Panda Security\Panda Internet Security 2011\AVENGINE.EXE
    c:\windows\system32\JupitCo.exe
    c:\windows\Logi_MwX.Exe
    c:\program files\Panda Security\Panda Internet Security 2011\SRVLOAD.EXE
    c:\program files\Panda Security\Panda Internet Security 2011\PavBckPT.exe
    c:\program files\IObit\IObit Security 360\is360.exe
    c:\program files\IObit\IObit Security 360\is360.exe
    .
    **************************************************************************
    .
    Completion time: 2011-03-22 23:59:44 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-23 06:58
    .
    Pre-Run: 18,730,516,480 bytes free
    Post-Run: 18,614,845,440 bytes free
    .
    - - End Of File - - 69F7EC41361264F0A8CA390C1EC17E40
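The sections near the end of a ComboFix report ("DLLs Loaded Under Running Processes", "Other Running Processes") are the part an analyst reads first, because a module or process loaded from a profile or temp directory stands out immediately. The script below is an added example, not ComboFix's own code and not something posted in this thread: it parses those dashed section headers into structured data and lists every path that sits outside the expected system and program directories. The `EXPECTED_PREFIXES` list is an assumption (a default Windows XP layout on `C:`), and the report text embedded in the script is constructed to mimic the format of the log above; every path in it is made up.

```python
"""Triage helper for the section-delimited tail of a ComboFix report.

Added example: not ComboFix's own code. SAMPLE_REPORT is a constructed
stand-in for a real report; the paths in it are invented for the demo.
"""
import re

# A section title sits between runs of three or more dashes.
SECTION_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")
# Per-process header inside the DLL section: "- - - - - - - > 'name'(pid)".
PROCESS_RE = re.compile(r"^(?:- )+>\s*'([^']+)'\((\d+)\)$")

DLL_SECTION = "DLLs Loaded Under Running Processes"
PROC_SECTION = "Other Running Processes"

# Directory prefixes treated as expected. Assumption: default XP layout on C:.
EXPECTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
)

# Constructed sample in ComboFix's report layout; nothing here is a real finding.
SAMPLE_REPORT = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1020)
c:\windows\system32\example_logon_hook.dll
.
- - - - - - - > 'explorer.exe'(4008)
c:\windows\system32\WININET.dll
c:\docume~1\user\locals~1\temp\unknown.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Example AV\avsvc.exe
c:\windows\system32\svchelper.exe
c:\documents and settings\user\application data\updater.exe
.
**************************************************************************
.
Completion time: 2011-01-01 00:00:00 - machine was rebooted
"""


def parse_combofix_sections(text):
    """Return {section_title: content} for every dashed-title section.

    The DLL section maps to {(process_name, pid): [dll paths]}; any other
    section maps to a plain list of its entries. ComboFix prints "." for an
    empty line, and a row of asterisks closes the block of sections.
    """
    sections = {}
    current = None
    current_proc = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line.startswith("****"):
            current = None  # end of the section block
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            current_proc = None
            sections[current] = {} if current == DLL_SECTION else []
            continue
        if current is None:
            continue  # text outside any section (completion time, etc.)
        if current == DLL_SECTION:
            proc = PROCESS_RE.match(line)
            if proc:
                current_proc = (proc.group(1), int(proc.group(2)))
                sections[current][current_proc] = []
            elif current_proc is not None:
                sections[current][current_proc].append(line)
        else:
            sections[current].append(line)
    return sections


def flag_unexpected_paths(paths, expected=EXPECTED_PREFIXES):
    """Return the paths not under any expected directory prefix.

    This is a triage heuristic only: a path under a user profile or temp
    directory deserves a closer look, but a path under system32 is not
    automatically clean, so the full listing should still be reviewed.
    """
    return [p for p in paths if not p.lower().startswith(expected)]


def triage(text):
    """Parse a report and return (unexpected_dlls, unexpected_processes)."""
    sections = parse_combofix_sections(text)
    dll_map = sections.get(DLL_SECTION, {})
    all_dlls = [d for dlls in dll_map.values() for d in dlls]
    procs = sections.get(PROC_SECTION, [])
    return flag_unexpected_paths(all_dlls), flag_unexpected_paths(procs)


if __name__ == "__main__":
    dlls, procs = triage(SAMPLE_REPORT)
    print("DLLs outside expected directories:", dlls)
    print("Processes outside expected directories:", procs)
```

To use it on a real report, read the saved ComboFix.txt into a string and pass it to `triage()`; adjust `EXPECTED_PREFIXES` for a non-default system drive or program directory before trusting the output.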
     
  19. 2011/03/23
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Looks good :)

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  20. 2011/03/23
    MOUNTAINBIKER

    MOUNTAINBIKER Inactive Thread Starter

    Joined:
    2011/03/20
    Messages:
    21
    Likes Received:
    0
    The OTL file is too large to post

    BBS says I must reduce it by 55000 characters. Is there a way I can post a zip of it?
     
  21. 2011/03/23
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Split it between a couple of posts.
     
