
Solved CPU extremely slow and redirects ebay login to phishing site

Discussion in 'Malware and Virus Removal Archive' started by timbob18, 2010/04/13.

  1. 2010/04/18
    timbob18

    timbob18 Inactive Thread Starter

    Joined:
    2010/04/13
    Messages:
    28
    Likes Received:
    0
    I was able to run GMER in safe mode (you were right, it took a long time)...here's the log file:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-04-18 13:52:09
    Windows 5.1.2600 Service Pack 3
    Running: 0okze4oz.exe; Driver: C:\DOCUME~1\Tim\LOCALS~1\Temp\kxtdypob.sys


    ---- System - GMER 1.0.15 ----

    SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwCreateKey [0xF86F7A1C]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF8721CDE]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF8721ED0]
    SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteKey [0xF86F7C10]
    SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwDeleteValueKey [0xF86F7CB6]
    SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwOpenKey [0xF86F790C]
    SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF8741D60]
    SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwSetValueKey [0xF86F7E52]
    SSDT TfSysMon.sys (ThreatFire System Monitor/PC Tools) ZwTerminateProcess [0xF86F9B30]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Spyware Doctor\pctsSvc.exe[660] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044BC05 C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
    .text C:\Program Files\Spyware Doctor\pctsTray.exe[1284] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044B8D9 C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\$NtServicePackUninstall$\spuninst\Service Pack 2.asms 4132 bytes
    File C:\WINDOWS\$NtServicePackUninstall$\spuninst\Service Pack 3.asms 4828 bytes
    File C:\WINDOWS\$NtServicePackUninstall$\spuninst\spcompat.dll 438272 bytes executable
    File C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe 231288 bytes executable
    File C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.inf 1103379 bytes
    File C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.txt 451501 bytes
    File C:\WINDOWS\$NtServicePackUninstall$\spuninst\updspapi.dll 382840 bytes executable
    File C:\WINDOWS\WinSxS\Policies\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_x-ww_88e8eab8\4.20.9839.0.cat 8383 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_x-ww_88e8eab8\4.20.9839.0.policy 652 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_x-ww_88e8eab8\4.20.9841.0.cat 8359 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_x-ww_88e8eab8\4.20.9841.0.policy 652 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_x-ww_88e8eab8\4.20.9848.0.cat 10997 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_x-ww_88e8eab8\4.20.9848.0.policy 652 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_x-ww_88e8eab8\4.20.9870.0.cat 10715 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_x-ww_88e8eab8\4.20.9870.0.policy 652 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_x-ww_88e8eab8\4.20.9876.0.cat 7452 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.4.20.Microsoft.MSXML2_6bd6b9abf345378f_x-ww_88e8eab8\4.20.9876.0.policy 652 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.5.1.Microsoft.Windows.SystemCompatible_6595b64144ccf1df_x-ww_a0111510\5.1.2600.2000.cat 10680 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.5.1.Microsoft.Windows.SystemCompatible_6595b64144ccf1df_x-ww_a0111510\5.1.2600.2000.Policy 625 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_x-ww_362e60dd\5.2.2.3.cat 10678 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Dxmrtp_6595b64144ccf1df_x-ww_362e60dd\5.2.2.3.Policy 641 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Rtcdll_6595b64144ccf1df_x-ww_c7b7206f\5.2.2.3.cat 10678 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.5.2.Microsoft.Windows.Networking.Rtcdll_6595b64144ccf1df_x-ww_c7b7206f\5.2.2.3.Policy 641 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_x-ww_527a1c68\6.0.9792.0.cat 10676 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Tools.VisualCPlusPlus.Runtime-Libraries_6595b64144ccf1df_x-ww_527a1c68\6.0.9792.0.Policy 644 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.10.0.cat 7243 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.10.0.Policy 606 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.1740.cat 7377 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.1740.Policy 621 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.1816.cat 8335 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.1816.Policy 621 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.1873.cat 8335 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.1873.Policy 621 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.cat 7429 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2180.Policy 621 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2982.cat 8335 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2982.Policy 621 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.cat 10678 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy 621 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_x-ww_7d81c9f9\8.0.50727.42.cat 7447 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.8.0.Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_x-ww_7d81c9f9\8.0.50727.42.policy 718 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_x-ww_9e7eb501\9.0.30729.1.cat 9798 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_x-ww_9e7eb501\9.0.30729.1.policy 752 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_x-ww_9e7eb501\9.0.30729.4148.cat 0 bytes
    File C:\WINDOWS\WinSxS\Policies\x86_policy.9.0.Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_x-ww_9e7eb501\9.0.30729.4148.policy 0 bytes

    ---- EOF - GMER 1.0.15 ----
     
  2. 2010/04/18
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    It looks good too :)
    How is the computer doing at the moment?

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (or you can hold down your Windows key and press R), copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file should be created on your C: drive called TDSSKiller.txt. Please copy and paste the contents of that file here.

    =================================================================

    Download RootRepeal.zip (Mirror1, Mirror2) and unzip it to your Desktop.
    • Double click RootRepeal.exe to start the program
    • Click on the Report tab at the bottom of the program window
    • Click the Scan button
    • In the Select Scan dialog, check:

      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services
    • Click the OK button
    • In the next dialog, select all drives showing
    • Click OK to start the scan
      Note: The scan can take some time. DO NOT run any other programs while the scan is running
    • When the scan is complete, the Save Report button will become available
    • Click this and save the report to your Desktop as RootRepeal.txt
    • Go to File, then Exit to close the program
    Open RootRepeal.txt file with Notepad, copy, and paste all content into your next reply.

    If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.
     


  4. 2010/04/18
    timbob18

    timbob18 Inactive Thread Starter

    Joined:
    2010/04/13
    Messages:
    28
    Likes Received:
    0
    The infected computer is still not connected to the net (previously I ran gmer in safe mode without "drivers" checked). The computer still seems to hesitate unnecessarily.

    How long should TDSSKiller take to run? It's been about 5 minutes, and I don't have a log yet. A DOS script did flash briefly.
     
  5. 2010/04/18
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Give it a few more minutes.
     
  6. 2010/04/18
    timbob18

    timbob18 Inactive Thread Starter

    Joined:
    2010/04/13
    Messages:
    28
    Likes Received:
    0
    Waited a few hours and nothing. Tried to rerun it and still nothing, so I switched to safe mode and still just get the quick command window flash.

    This is exactly what I'm typing in the run window -

    "%userprofile%\Desktop\TDSSKiller.exe" -| C:\TDSSKiller.txt -v

    Should I run rootrepeal or what do you suggest? (safe mode or not?)

    Thanks
     
  7. 2010/04/18
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Run Rootrepeal from normal mode.

    Also, delete your Combofix file, download a new one and give me a fresh log.

    I also want you to reconnect the computer to the net and see how the redirection/eBay issue is.
     
  8. 2010/04/18
    timbob18

    timbob18 Inactive Thread Starter

    Joined:
    2010/04/13
    Messages:
    28
    Likes Received:
    0
    Got both to run and was not redirected to a phishing site from the eBay log in. The computer still seems to be sluggish (if I drag a window I get a trail from where I moved it that takes a second or two to disappear). I'm not sure if this is a related issue, but Internet Explorer won't open/start when clicked (switched to Mozilla). Here are the two logs:


    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2010/04/18 18:02
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xF5BE5000 Size: 98304 File Visible: No Signed: -
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF8D84000 Size: 8192 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xF32D3000 Size: 49152 File Visible: No Signed: -
    Status: -

    Hidden/Locked Files
    -------------------
    Path: Volume C:\
    Status: MBR Rootkit Detected!

    SSDT
    -------------------
    #: 041 Function Name: NtCreateKey
    Status: Hooked by "TfSysMon.sys" at address 0xf86f7a1c

    #: 047 Function Name: NtCreateProcess
    Status: Hooked by "PCTCore.sys" at address 0xf8721cde

    #: 048 Function Name: NtCreateProcessEx
    Status: Hooked by "PCTCore.sys" at address 0xf8721ed0

    #: 063 Function Name: NtDeleteKey
    Status: Hooked by "TfSysMon.sys" at address 0xf86f7c10

    #: 065 Function Name: NtDeleteValueKey
    Status: Hooked by "TfSysMon.sys" at address 0xf86f7cb6

    #: 119 Function Name: NtOpenKey
    Status: Hooked by "TfSysMon.sys" at address 0xf86f790c

    #: 192 Function Name: NtRenameKey
    Status: Hooked by "PCTCore.sys" at address 0xf8741d60

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "TfSysMon.sys" at address 0xf86f7e52

    #: 257 Function Name: NtTerminateProcess
    Status: Hooked by "TfSysMon.sys" at address 0xf86f9b30

    Stealth Objects
    -------------------
    Object: Hidden Code [Driver: PCTCore, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x82a79130 Size: 31

    ==EOF==


    ComboFix 10-04-17.07 - Tim 04/18/2010 18:56:18.5.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.292 [GMT -5:00]
    Running from: c:\documents and settings\Tim\Desktop\ComboFix.exe
    AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
    .

    ((((((((((((((((((((((((( Files Created from 2010-03-19 to 2010-04-19 )))))))))))))))))))))))))))))))
    .

    2010-04-17 01:59 . 2010-04-17 01:59 -------- d-----w- C:\HelpAsst_backup
    2010-04-15 03:46 . 2010-04-15 03:46 -------- d-----w- C:\spoolerlogs
    2010-04-15 01:40 . 2010-04-15 01:40 -------- d-----w- c:\documents and settings\Tim\Application Data\Malwarebytes
    2010-04-15 01:40 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-15 01:40 . 2010-04-15 01:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-15 01:40 . 2010-04-15 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-04-15 01:40 . 2010-03-30 05:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-13 02:59 . 2010-04-13 03:00 -------- d-----w- c:\documents and settings\All Users\Application Data\ReviverSoft
    2010-04-13 02:53 . 2010-04-13 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2010-04-13 02:53 . 2010-04-13 02:53 -------- d-----w- c:\documents and settings\Tim\Application Data\Yahoo!
    2010-04-13 02:53 . 2010-04-13 02:53 -------- d-----w- c:\program files\Yahoo!
    2010-03-29 01:38 . 2010-02-20 01:07 85504 ----a-w- c:\windows\system32\ff_vfw.dll
    2010-03-29 01:38 . 2010-03-29 01:38 -------- d-----w- c:\program files\ffdshow
    2010-03-29 01:29 . 2010-03-29 01:29 -------- d-----w- c:\program files\Haali
    2010-03-27 17:17 . 2010-03-27 17:17 -------- d-----w- c:\documents and settings\Tim\Local Settings\Application Data\OLYMPUS
    2010-03-27 17:09 . 2010-03-27 17:09 -------- d-----w- c:\program files\OLYMPUS

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-18 23:54 . 2007-12-14 14:03 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-04-18 23:29 . 2007-11-29 17:07 -------- d-----w- c:\program files\Spyware Doctor
    2010-04-13 02:57 . 2010-02-27 02:53 -------- d-----w- c:\program files\CCleaner
    2010-04-13 02:52 . 2010-02-17 03:41 -------- d-----w- c:\program files\Juice
    2010-03-10 06:15 . 2003-07-16 16:43 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-10 03:13 . 2007-03-09 17:57 -------- d-----w- c:\program files\SAS
    2010-02-27 02:58 . 2010-02-27 02:58 388096 ----a-r- c:\documents and settings\Tim\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-02-27 02:58 . 2010-02-27 02:58 -------- d-----w- c:\program files\TrendMicro
    2010-02-27 02:45 . 2010-02-27 02:44 -------- d-----w- c:\program files\CleanUp!
    2010-02-25 06:24 . 2006-06-23 15:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-24 13:11 . 2003-07-16 16:29 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-19 02:03 . 2010-02-19 02:03 -------- d-----w- c:\documents and settings\Tim\Application Data\iPodder
    2010-02-17 14:10 . 2003-07-16 16:33 2189952 ------w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 13:25 . 2002-08-29 01:04 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
    2010-02-12 04:33 . 2006-05-19 12:15 100864 ------w- c:\windows\system32\6to4svc.dll
    2010-02-11 12:02 . 2003-07-16 16:41 226880 ------w- c:\windows\system32\drivers\tcpip6.sys
    2010-01-21 23:21 . 2010-01-01 00:36 149456 ----a-w- c:\windows\SGDetectionTool.dll
    2010-01-21 23:21 . 2010-01-01 00:36 165840 ----a-w- c:\windows\PCTBDRes.dll
    2010-01-21 23:21 . 2010-01-01 00:36 1652688 ----a-w- c:\windows\PCTBDCore.dll
    2010-01-21 23:21 . 2010-01-01 00:36 767952 ----a-w- c:\windows\BDTSupport.dll
    2007-10-16 13:25 . 2007-10-16 13:25 31080448 ------w- c:\program files\SPW10_WebInstall.exe
    2006-10-13 17:10 . 2006-10-13 17:09 20323355 ------w- c:\program files\SonicCinePlayerDVDDecoderPackv2[1].31_SDD.exe
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-04-17_00.23.59 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-04-18 23:54 . 2010-04-18 23:54 16384 c:\windows\temp\Perflib_Perfdata_8fc.dat
    + 2006-09-27 17:25 . 2010-04-17 00:37 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    - 2006-09-27 17:25 . 2010-03-11 04:13 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    - 2006-09-27 17:25 . 2010-03-11 04:13 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
    + 2006-09-27 17:25 . 2010-04-17 00:37 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
    - 2006-09-27 17:25 . 2010-03-11 04:13 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    + 2006-09-27 17:25 . 2010-04-17 00:37 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    + 2006-09-27 17:25 . 2010-04-17 00:37 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    - 2006-09-27 17:25 . 2010-03-11 04:13 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    + 2006-09-27 17:25 . 2010-04-17 00:37 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    - 2006-09-27 17:25 . 2010-03-11 04:13 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    + 2010-04-17 00:40 . 2010-04-17 00:40 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
    - 2010-03-11 04:07 . 2010-03-11 04:07 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
    + 2006-09-27 17:25 . 2010-04-17 00:37 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    - 2006-09-27 17:25 . 2010-03-11 04:13 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2008-05-09 10:53 . 2010-03-10 06:15 420352 c:\windows\system32\dllcache\vbscript.dll
    - 2008-05-09 10:53 . 2009-03-08 10:33 420352 c:\windows\system32\dllcache\vbscript.dll
    + 2008-06-20 11:08 . 2010-02-11 12:02 226880 c:\windows\system32\dllcache\tcpip6.sys
    + 2008-11-12 12:12 . 2010-02-24 13:11 455680 c:\windows\system32\dllcache\mrxsmb.sys
    + 2010-02-12 04:33 . 2010-02-12 04:33 100864 c:\windows\system32\dllcache\6to4svc.dll
    + 2006-09-27 17:25 . 2010-04-17 00:37 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    - 2006-09-27 17:25 . 2010-03-11 04:13 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    - 2006-09-27 17:25 . 2010-03-11 04:13 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    + 2006-09-27 17:25 . 2010-04-17 00:37 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    + 2006-09-27 17:25 . 2010-04-17 00:37 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    - 2006-09-27 17:25 . 2010-03-11 04:13 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    - 2006-09-27 17:25 . 2010-03-11 04:13 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    + 2006-09-27 17:25 . 2010-04-17 00:37 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    + 2006-09-27 17:25 . 2010-04-17 00:37 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
    - 2006-09-27 17:25 . 2010-03-11 04:13 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
    + 2010-04-17 00:36 . 2009-03-08 10:33 420352 c:\windows\ie8updates\KB981332-IE8\vbscript.dll
    + 2010-04-17 00:36 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB981332-IE8\spuninst\updspapi.dll
    + 2010-04-17 00:36 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB981332-IE8\spuninst\spuninst.exe
    + 2008-11-12 12:12 . 2010-02-24 13:11 455680 c:\windows\Driver Cache\i386\mrxsmb.sys
    + 2008-10-16 12:11 . 2010-02-17 14:10 2189952 c:\windows\system32\dllcache\ntoskrnl.exe
    + 2008-10-16 12:11 . 2010-02-16 13:25 2024448 c:\windows\system32\dllcache\ntkrpamp.exe
    + 2008-10-16 12:11 . 2010-02-16 13:25 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe
    + 2008-10-16 12:11 . 2010-02-16 14:08 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe
    + 2010-03-11 17:03 . 2010-03-11 17:03 5524480 c:\windows\Installer\2be7a9.msp
    + 2010-03-12 02:16 . 2010-03-12 02:16 4148224 c:\windows\Installer\2be796.msp
    + 2008-10-16 12:11 . 2010-02-17 14:10 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe
    + 2008-10-16 12:11 . 2010-02-16 13:25 2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe
    + 2008-10-16 12:11 . 2010-02-16 13:25 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe
    + 2008-10-16 12:11 . 2010-02-16 14:08 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe
    + 2006-10-02 21:03 . 2010-04-06 17:52 31971272 c:\windows\system32\MRT.exe
    + 2010-03-22 21:03 . 2010-03-22 21:03 11732992 c:\windows\Installer\2be7b1.msp
    + 2009-04-04 00:46 . 2009-04-04 00:46 17314688 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6425\MSO.DLL
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OM2_Monitor "= "c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2009-11-26 95632]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
    "OM2_Monitor "= "c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-11-26 54672]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
    2004-01-13 19:17 110592 ------w- c:\windows\system32\LgNotify.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=" "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BounceBack Launcher.lnk]
    backup=c:\windows\pss\BounceBack Launcher.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sonic CinePlayer Quick Launch.lnk]
    backup=c:\windows\pss\Sonic CinePlayer Quick Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2008-10-15 01:38 623992 ------w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
    2005-04-04 23:58 856064 ------w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANT Agent]
    2008-09-02 18:42 8203352 ----a-w- c:\program files\Garmin\ANT Agent\ANT Agent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
    2003-08-29 09:59 122880 -c----w- c:\windows\BCMSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    2004-03-15 06:04 122933 -c----w- c:\windows\system32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gStart]
    2008-08-13 20:34 1891416 ----a-w- c:\program files\Garmin\gStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2006-02-19 06:41 49152 ------w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2004-10-26 16:01 4632576 ------w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2004-10-26 16:01 921600 ------w- c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
    2003-12-19 16:49 86016 ------w- c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2007-03-21 15:32 282624 ------w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
    2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2007-05-02 09:15 75520 ------w- c:\program files\Java\jre1.5.0_12\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    2003-08-19 06:01 110592 ------w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\SAS\\SAS 9.1\\sas.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\WINDOWS\\system32\\spoolsv.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe "=
    "c:\\Program Files\\Reference Manager 11\\RM11.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP "= 65533:TCP:Services
    "52344:TCP "= 52344:TCP:Services
    "8874:TCP "= 8874:TCP:Services
    "5187:TCP "= 5187:TCP:Services
    "4907:TCP "= 4907:TCP:Services
    "8314:TCP "= 8314:TCP:Services
    "9588:TCP "= 9588:TCP:Services
    "5544:TCP "= 5544:TCP:Services

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/8/2009 16:08 207792]
    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [12/31/2009 19:36 51984]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [12/31/2009 19:36 59664]
    R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [5/8/2009 16:08 233136]
    R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [12/31/2009 19:36 112592]
    R2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [8/22/2008 10:10 14976]
    R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/8/2009 16:06 359624]
    S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [5/8/2009 16:07 70408]
    S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [12/31/2009 19:36 33552]
    S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-18 c:\windows\Tasks\User_Feed_Synchronization-{46C9470C-F119-4D10-A03C-80DAD27D564F}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.nature.com/index.html
    uInternet Settings,ProxyServer = proxy.msu.edu:8080
    uInternet Settings,ProxyOverride = <local>
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\3x5is5de.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.msutriathlon.com/messageboard/
    FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJPI150_12.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-18 19:06
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\documents and settings\Tim\Application Data\Adobe\Photoshop\9.0\Adobe Photoshop CS2 Settings\WorkSpaces\Tim's :) 72445 bytes hidden from API

    scan completed successfully
    hidden files: 1

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82A44068]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf889af28
    \Driver\ACPI -> ACPI.sys @ 0xf87cdcb8
    \Driver\atapi -> atapi.sys @ 0xf8767852
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x82a08670
    PacketIndicateHandler -> NDIS.sys @ 0xf8614a0d
    SendHandler -> NDIS.sys @ 0xf8628b40
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(700)
    c:\windows\System32\LgNotify.dll

    - - - - - - - > 'lsass.exe'(756)
    c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    .
    Completion time: 2010-04-18 19:11:44
    ComboFix-quarantined-files.txt 2010-04-19 00:11
    ComboFix2.txt 2010-04-17 14:09
    ComboFix3.txt 2010-04-17 00:29
    ComboFix4.txt 2010-04-16 17:14

    Pre-Run: 30,291,025,920 bytes free
    Post-Run: 30,251,028,480 bytes free

    - - End Of File - - A58E15488ADDB26E566456B45F16901C
     
  9. 2010/04/18
    broni Moderator Malware Analyst
    I'm glad we cured the eBay redirection, so far.

    Please re-run "Profile" for me.

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file called TDSSKiller.txt should be created on your C: drive. Please copy and paste the contents of that file here.
     
  10. 2010/04/18
    timbob18 Inactive Thread Starter
    Sorry about the double post... Mozilla was freezing up and didn't display anything after sending it.
     
  11. 2010/04/18
    broni Moderator Malware Analyst
    Yeah, I had it three times...hehe

    I don't know if you saw my previous reply.
     
  12. 2010/04/18
    timbob18 Inactive Thread Starter
    I was able to run profiles and here is the log from that, but when I tried to re-download TDSSKiller on the infected computer it would freeze Mozilla (tried multiple times). I'm going to transfer a new copy from the uninfected computer and try it again.


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
    DefaultUserProfile REG_SZ Default User
    AllUsersProfile REG_SZ All Users

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
    ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1229272821-1078145449-1343024091-1005
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Tim

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1229272821-1078145449-1343024091-500
    ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator

    SystemRoot REG_SZ C:\WINDOWS
     
  13. 2010/04/18
    broni Moderator Malware Analyst
    That's good :)
     
  14. 2010/04/18
    timbob18 Inactive Thread Starter
    TDSSKiller worked doing it that way, and here's the log...

    20:14:42:343 2572 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
    20:14:42:343 2572 ================================================================================
    20:14:42:343 2572 SystemInfo:

    20:14:42:343 2572 OS Version: 5.1.2600 ServicePack: 3.0
    20:14:42:343 2572 Product type: Workstation
    20:14:42:343 2572 ComputerName: FREDRICKS
    20:14:42:343 2572 UserName: Tim
    20:14:42:343 2572 Windows directory: C:\WINDOWS
    20:14:42:343 2572 Processor architecture: Intel x86
    20:14:42:343 2572 Number of processors: 1
    20:14:42:343 2572 Page size: 0x1000
    20:14:42:383 2572 Boot type: Normal boot
    20:14:42:383 2572 ================================================================================
    20:14:42:483 2572 UnloadDriverW: NtUnloadDriver error 2
    20:14:42:483 2572 ForceUnloadDriverW: UnloadDriverW(klmd21) error 0
    20:14:49:874 2572 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    20:14:49:874 2572 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    20:14:49:874 2572 wfopen_ex: Trying to KLMD file open
    20:14:49:874 2572 wfopen_ex: File opened ok (Flags 2)
    20:14:49:874 2572 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    20:14:49:874 2572 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    20:14:49:874 2572 wfopen_ex: Trying to KLMD file open
    20:14:49:874 2572 wfopen_ex: File opened ok (Flags 2)
    20:14:49:874 2572 Initialize success
    20:14:49:874 2572
    20:14:49:874 2572 Scanning Services ...
    20:14:50:825 2572 Raw services enum returned 383 services
    20:14:50:875 2572
    20:14:50:875 2572 Scanning Kernel memory ...
    20:14:50:875 2572 Devices to scan: 4
    20:14:50:875 2572
    20:14:50:875 2572 Driver Name: Disk
    20:14:50:875 2572 IRP_MJ_CREATE : F889CBB0
    20:14:50:875 2572 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
    20:14:50:875 2572 IRP_MJ_CLOSE : F889CBB0
    20:14:50:875 2572 IRP_MJ_READ : F8896D1F
    20:14:50:875 2572 IRP_MJ_WRITE : F8896D1F
    20:14:50:875 2572 IRP_MJ_QUERY_INFORMATION : 804FA88E
    20:14:50:875 2572 IRP_MJ_SET_INFORMATION : 804FA88E
    20:14:50:875 2572 IRP_MJ_QUERY_EA : 804FA88E
    20:14:50:875 2572 IRP_MJ_SET_EA : 804FA88E
    20:14:50:875 2572 IRP_MJ_FLUSH_BUFFERS : F88972E2
    20:14:50:875 2572 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
    20:14:50:875 2572 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
    20:14:50:875 2572 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
    20:14:50:875 2572 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
    20:14:50:875 2572 IRP_MJ_DEVICE_CONTROL : F88973BB
    20:14:50:875 2572 IRP_MJ_INTERNAL_DEVICE_CONTROL : F889AF28
    20:14:50:875 2572 IRP_MJ_SHUTDOWN : F88972E2
    20:14:50:875 2572 IRP_MJ_LOCK_CONTROL : 804FA88E
    20:14:50:875 2572 IRP_MJ_CLEANUP : 804FA88E
    20:14:50:875 2572 IRP_MJ_CREATE_MAILSLOT : 804FA88E
    20:14:50:875 2572 IRP_MJ_QUERY_SECURITY : 804FA88E
    20:14:50:875 2572 IRP_MJ_SET_SECURITY : 804FA88E
    20:14:50:875 2572 IRP_MJ_POWER : F8898C82
    20:14:50:875 2572 IRP_MJ_SYSTEM_CONTROL : F889D99E
    20:14:50:875 2572 IRP_MJ_DEVICE_CHANGE : 804FA88E
    20:14:50:875 2572 IRP_MJ_QUERY_QUOTA : 804FA88E
    20:14:50:875 2572 IRP_MJ_SET_QUOTA : 804FA88E
    20:14:50:956 2572 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    20:14:50:956 2572
    20:14:50:956 2572 Driver Name: USBSTOR
    20:14:50:956 2572 IRP_MJ_CREATE : F8AFB218
    20:14:50:956 2572 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
    20:14:50:956 2572 IRP_MJ_CLOSE : F8AFB218
    20:14:50:956 2572 IRP_MJ_READ : F8AFB23C
    20:14:50:956 2572 IRP_MJ_WRITE : F8AFB23C
    20:14:50:956 2572 IRP_MJ_QUERY_INFORMATION : 804FA88E
    20:14:50:956 2572 IRP_MJ_SET_INFORMATION : 804FA88E
    20:14:50:956 2572 IRP_MJ_QUERY_EA : 804FA88E
    20:14:50:956 2572 IRP_MJ_SET_EA : 804FA88E
    20:14:50:956 2572 IRP_MJ_FLUSH_BUFFERS : 804FA88E
    20:14:50:956 2572 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
    20:14:50:956 2572 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
    20:14:50:956 2572 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
    20:14:50:956 2572 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
    20:14:50:956 2572 IRP_MJ_DEVICE_CONTROL : F8AFB180
    20:14:50:956 2572 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8AF69E6
    20:14:50:956 2572 IRP_MJ_SHUTDOWN : 804FA88E
    20:14:50:956 2572 IRP_MJ_LOCK_CONTROL : 804FA88E
    20:14:50:956 2572 IRP_MJ_CLEANUP : 804FA88E
    20:14:50:956 2572 IRP_MJ_CREATE_MAILSLOT : 804FA88E
    20:14:50:956 2572 IRP_MJ_QUERY_SECURITY : 804FA88E
    20:14:50:956 2572 IRP_MJ_SET_SECURITY : 804FA88E
    20:14:50:956 2572 IRP_MJ_POWER : F8AFA5F0
    20:14:50:956 2572 IRP_MJ_SYSTEM_CONTROL : F8AF8A6E
    20:14:50:956 2572 IRP_MJ_DEVICE_CHANGE : 804FA88E
    20:14:50:956 2572 IRP_MJ_QUERY_QUOTA : 804FA88E
    20:14:50:956 2572 IRP_MJ_SET_QUOTA : 804FA88E
    20:14:50:976 2572 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
    20:14:50:986 2572
    20:14:50:986 2572 Driver Name: Disk
    20:14:50:986 2572 IRP_MJ_CREATE : F889CBB0
    20:14:50:986 2572 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
    20:14:50:986 2572 IRP_MJ_CLOSE : F889CBB0
    20:14:50:986 2572 IRP_MJ_READ : F8896D1F
    20:14:50:986 2572 IRP_MJ_WRITE : F8896D1F
    20:14:50:986 2572 IRP_MJ_QUERY_INFORMATION : 804FA88E
    20:14:50:986 2572 IRP_MJ_SET_INFORMATION : 804FA88E
    20:14:50:986 2572 IRP_MJ_QUERY_EA : 804FA88E
    20:14:50:986 2572 IRP_MJ_SET_EA : 804FA88E
    20:14:50:986 2572 IRP_MJ_FLUSH_BUFFERS : F88972E2
    20:14:50:986 2572 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
    20:14:50:986 2572 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
    20:14:50:986 2572 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
    20:14:50:986 2572 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
    20:14:50:986 2572 IRP_MJ_DEVICE_CONTROL : F88973BB
    20:14:50:986 2572 IRP_MJ_INTERNAL_DEVICE_CONTROL : F889AF28
    20:14:50:986 2572 IRP_MJ_SHUTDOWN : F88972E2
    20:14:50:986 2572 IRP_MJ_LOCK_CONTROL : 804FA88E
    20:14:50:986 2572 IRP_MJ_CLEANUP : 804FA88E
    20:14:50:986 2572 IRP_MJ_CREATE_MAILSLOT : 804FA88E
    20:14:50:986 2572 IRP_MJ_QUERY_SECURITY : 804FA88E
    20:14:50:986 2572 IRP_MJ_SET_SECURITY : 804FA88E
    20:14:50:986 2572 IRP_MJ_POWER : F8898C82
    20:14:50:986 2572 IRP_MJ_SYSTEM_CONTROL : F889D99E
    20:14:50:986 2572 IRP_MJ_DEVICE_CHANGE : 804FA88E
    20:14:50:986 2572 IRP_MJ_QUERY_QUOTA : 804FA88E
    20:14:50:986 2572 IRP_MJ_SET_QUOTA : 804FA88E
    20:14:50:996 2572 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    20:14:50:996 2572
    20:14:50:996 2572 Driver Name: atapi
    20:14:50:996 2572 IRP_MJ_CREATE : F876B6F2
    20:14:50:996 2572 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
    20:14:50:996 2572 IRP_MJ_CLOSE : F876B6F2
    20:14:50:996 2572 IRP_MJ_READ : 804FA88E
    20:14:50:996 2572 IRP_MJ_WRITE : 804FA88E
    20:14:50:996 2572 IRP_MJ_QUERY_INFORMATION : 804FA88E
    20:14:50:996 2572 IRP_MJ_SET_INFORMATION : 804FA88E
    20:14:50:996 2572 IRP_MJ_QUERY_EA : 804FA88E
    20:14:50:996 2572 IRP_MJ_SET_EA : 804FA88E
    20:14:50:996 2572 IRP_MJ_FLUSH_BUFFERS : 804FA88E
    20:14:50:996 2572 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
    20:14:50:996 2572 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
    20:14:50:996 2572 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
    20:14:50:996 2572 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
    20:14:50:996 2572 IRP_MJ_DEVICE_CONTROL : F876B712
    20:14:50:996 2572 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8767852
    20:14:50:996 2572 IRP_MJ_SHUTDOWN : 804FA88E
    20:14:50:996 2572 IRP_MJ_LOCK_CONTROL : 804FA88E
    20:14:50:996 2572 IRP_MJ_CLEANUP : 804FA88E
    20:14:50:996 2572 IRP_MJ_CREATE_MAILSLOT : 804FA88E
    20:14:50:996 2572 IRP_MJ_QUERY_SECURITY : 804FA88E
    20:14:50:996 2572 IRP_MJ_SET_SECURITY : 804FA88E
    20:14:50:996 2572 IRP_MJ_POWER : F876B73C
    20:14:50:996 2572 IRP_MJ_SYSTEM_CONTROL : F8772336
    20:14:50:996 2572 IRP_MJ_DEVICE_CHANGE : 804FA88E
    20:14:50:996 2572 IRP_MJ_QUERY_QUOTA : 804FA88E
    20:14:50:996 2572 IRP_MJ_SET_QUOTA : 804FA88E
    20:14:51:066 2572 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
    20:14:51:066 2572
    20:14:51:066 2572 Completed
    20:14:51:066 2572
    20:14:51:066 2572 Results:
    20:14:51:066 2572 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
    20:14:51:066 2572 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    20:14:51:066 2572 File objects infected / cured / cured on reboot: 0 / 0 / 0
    20:14:51:066 2572
    20:14:51:076 2572 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    20:14:51:076 2572 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    20:14:51:086 2572 KLMD(ARK) unloaded successfully
     
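The TDSSKiller run requested earlier in the thread writes the per-driver IRP dispatch table seen in the log above, and an analyst reads it by eye: every slot of a driver should point either into that driver's own image or at the kernel's shared stub for unsupported requests (the one address that recurs across all drivers, 804FA88E in this log). The Python below is an added example, not part of the thread and not TDSSKiller's own code, that parses this log layout and automates that check by flagging any handler lying far from the driver's other entry points. The sample log is constructed: its Disk block copies values from the posted log, while the second driver (demo_hooked) and every address in it are invented to show a redirected read/write path.

```python
"""Parse a TDSSKiller log and flag IRP handlers that point away from their driver."""
import re
from collections import Counter
from statistics import median

# Constructed sample in the layout TDSSKiller 2.2.x writes (time, PID, message).
# The Disk block copies values from the posted log; 'demo_hooked' is invented
# and has its read/write handlers pointing into an unrelated memory region.
SAMPLE_LOG = r"""
20:14:42:343 2572 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
20:14:50:875 2572 Driver Name: Disk
20:14:50:875 2572 IRP_MJ_CREATE : F889CBB0
20:14:50:875 2572 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
20:14:50:875 2572 IRP_MJ_CLOSE : F889CBB0
20:14:50:875 2572 IRP_MJ_READ : F8896D1F
20:14:50:875 2572 IRP_MJ_WRITE : F8896D1F
20:14:50:875 2572 IRP_MJ_QUERY_INFORMATION : 804FA88E
20:14:50:875 2572 IRP_MJ_SET_INFORMATION : 804FA88E
20:14:50:875 2572 IRP_MJ_DEVICE_CONTROL : F88973BB
20:14:50:875 2572 IRP_MJ_INTERNAL_DEVICE_CONTROL : F889AF28
20:14:50:875 2572 IRP_MJ_POWER : F8898C82
20:14:50:956 2572 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:14:50:956 2572
20:14:50:956 2572 Driver Name: demo_hooked
20:14:50:956 2572 IRP_MJ_CREATE : F8B10000
20:14:50:956 2572 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
20:14:50:956 2572 IRP_MJ_CLOSE : F8B10000
20:14:50:956 2572 IRP_MJ_READ : 82AA0000
20:14:50:956 2572 IRP_MJ_WRITE : 82AA0000
20:14:50:956 2572 IRP_MJ_QUERY_INFORMATION : 804FA88E
20:14:50:956 2572 IRP_MJ_SET_INFORMATION : 804FA88E
20:14:50:956 2572 IRP_MJ_DEVICE_CONTROL : F8B10200
20:14:50:956 2572 IRP_MJ_POWER : F8B104C0
20:14:50:976 2572 C:\WINDOWS\system32\DRIVERS\demo_hooked.sys - Verdict: 1
20:14:51:066 2572 Results:
20:14:51:066 2572 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
20:14:51:066 2572 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
20:14:51:066 2572 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*(.*)$")
DRIVER_RE = re.compile(r"^Driver Name: (\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+) : ([0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(.+?) - Verdict: (\d+)$")
RESULT_RE = re.compile(
    r"^(Memory|Registry|File) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)$")


def parse_tdsskiller_log(text):
    """Return ([driver dicts], {object class: (infected, cured, cured_on_reboot)})."""
    drivers, results, current = [], {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # banner and separator lines
        msg = m.group(1).strip()
        if d := DRIVER_RE.match(msg):
            current = {"name": d.group(1), "handlers": {}, "image": None, "verdict": None}
            drivers.append(current)
        elif (i := IRP_RE.match(msg)) and current is not None:
            current["handlers"][i.group(1)] = int(i.group(2), 16)
        elif (v := VERDICT_RE.match(msg)) and current is not None:
            current["image"], current["verdict"] = v.group(1), int(v.group(2))
            current = None                # the verdict line closes a driver block
        elif r := RESULT_RE.match(msg):
            results[r.group(1).lower()] = tuple(int(x) for x in r.group(2, 3, 4))
    return drivers, results


def kernel_stub_address(drivers):
    """The address filling the most IRP slots across every driver is the kernel's
    shared stub for unsupported requests (804FA88E in the posted log). It lives in
    ntoskrnl rather than in any driver image, so it is excluded from the check."""
    counts = Counter(a for d in drivers for a in d["handlers"].values())
    return counts.most_common(1)[0][0] if counts else None


def flag_outlying_handlers(drivers, max_distance=0x100000):
    """Flag handlers more than max_distance (1 MiB) from the driver's own code.
    A driver's real entry points sit inside its image, which on XP is far smaller
    than 1 MiB; a slot pointing elsewhere deserves a closer look (a legitimate
    filter driver can also do this, so treat a hit as a lead, not a verdict)."""
    stub = kernel_stub_address(drivers)
    findings = []
    for d in drivers:
        own = [a for a in d["handlers"].values() if a != stub]
        if len(own) < 2:
            continue
        centre = int(median(own))        # robust to a minority of redirected slots
        for irp, addr in sorted(d["handlers"].items()):
            if addr != stub and abs(addr - centre) > max_distance:
                findings.append((d["name"], irp, addr))
    return findings


def summarize(text):
    drivers, results = parse_tdsskiller_log(text)
    return {"drivers": [(d["name"], d["verdict"]) for d in drivers],
            "results": results,
            "findings": flag_outlying_handlers(drivers)}


if __name__ == "__main__":
    for name, irp, addr in summarize(SAMPLE_LOG)["findings"]:
        print(f"{name}: {irp} -> {addr:08X} points outside the driver's own code")
```

Run against the log posted above, the script reports nothing: every non-stub slot of Disk, USBSTOR and atapi sits within a few kilobytes of the driver's other handlers, which is consistent with the clean mbr.exe result later in the thread. The 1 MiB threshold is a rule of thumb for XP-era storage drivers; raise it for large drivers, and remember that the median trick assumes fewer than half of a driver's slots were redirected.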
  15. 2010/04/18
    broni Moderator Malware Analyst
    Download the MBR Rootkit Detector: http://www2.gmer.net/mbr/mbr.exe to your desktop.

    * Doubleclick mbr.exe and follow prompts (Vista users: right click on mbr.exe and click "Run As Administrator").
    * A black DOS window will quickly appear then disappear.
    * When mbr.exe is finished it will create a log on your desktop.
    * Copy and paste contents of that log (mbr.log) file to your next reply.
     
  16. 2010/04/18
    timbob18 Inactive Thread Starter
    Here's the MBR log:

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
     
  17. 2010/04/18
    broni Moderator Malware Analyst
    This looks good too :)

    Delete the Combofix file, download a fresh one and post a new log.
     
  18. 2010/04/19
    timbob18 Inactive Thread Starter
    Here's the new combofix log:

    ComboFix 10-04-17.07 - Tim 04/19/2010 8:01.6.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.281 [GMT -5:00]
    Running from: c:\documents and settings\Tim\Desktop\ComboFix.exe
    AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
    .

    ((((((((((((((((((((((((( Files Created from 2010-03-19 to 2010-04-19 )))))))))))))))))))))))))))))))
    .

    2010-04-17 01:59 . 2010-04-17 01:59 -------- d-----w- C:\HelpAsst_backup
    2010-04-15 03:46 . 2010-04-15 03:46 -------- d-----w- C:\spoolerlogs
    2010-04-15 01:40 . 2010-04-15 01:40 -------- d-----w- c:\documents and settings\Tim\Application Data\Malwarebytes
    2010-04-15 01:40 . 2010-03-30 05:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-04-15 01:40 . 2010-04-15 01:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-04-15 01:40 . 2010-04-15 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-04-15 01:40 . 2010-03-30 05:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-13 02:59 . 2010-04-13 03:00 -------- d-----w- c:\documents and settings\All Users\Application Data\ReviverSoft
    2010-04-13 02:53 . 2010-04-13 02:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
    2010-04-13 02:53 . 2010-04-13 02:53 -------- d-----w- c:\documents and settings\Tim\Application Data\Yahoo!
    2010-04-13 02:53 . 2010-04-13 02:53 -------- d-----w- c:\program files\Yahoo!
    2010-03-29 01:38 . 2010-02-20 01:07 85504 ----a-w- c:\windows\system32\ff_vfw.dll
    2010-03-29 01:38 . 2010-03-29 01:38 -------- d-----w- c:\program files\ffdshow
    2010-03-29 01:29 . 2010-03-29 01:29 -------- d-----w- c:\program files\Haali
    2010-03-27 17:17 . 2010-03-27 17:17 -------- d-----w- c:\documents and settings\Tim\Local Settings\Application Data\OLYMPUS
    2010-03-27 17:09 . 2010-03-27 17:09 -------- d-----w- c:\program files\OLYMPUS

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-04-19 12:58 . 2007-12-14 14:03 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-04-19 12:47 . 2007-11-29 17:07 -------- d-----w- c:\program files\Spyware Doctor
    2010-04-13 02:57 . 2010-02-27 02:53 -------- d-----w- c:\program files\CCleaner
    2010-04-13 02:52 . 2010-02-17 03:41 -------- d-----w- c:\program files\Juice
    2010-03-10 06:15 . 2003-07-16 16:43 420352 ----a-w- c:\windows\system32\vbscript.dll
    2010-03-10 03:13 . 2007-03-09 17:57 -------- d-----w- c:\program files\SAS
    2010-02-27 02:58 . 2010-02-27 02:58 388096 ----a-r- c:\documents and settings\Tim\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-02-27 02:58 . 2010-02-27 02:58 -------- d-----w- c:\program files\TrendMicro
    2010-02-27 02:45 . 2010-02-27 02:44 -------- d-----w- c:\program files\CleanUp!
    2010-02-25 06:24 . 2006-06-23 15:33 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-02-24 13:11 . 2003-07-16 16:29 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-19 02:03 . 2010-02-19 02:03 -------- d-----w- c:\documents and settings\Tim\Application Data\iPodder
    2010-02-17 14:10 . 2003-07-16 16:33 2189952 ------w- c:\windows\system32\ntoskrnl.exe
    2010-02-16 13:25 . 2002-08-29 01:04 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
    2010-02-12 04:33 . 2006-05-19 12:15 100864 ------w- c:\windows\system32\6to4svc.dll
    2010-02-11 12:02 . 2003-07-16 16:41 226880 ------w- c:\windows\system32\drivers\tcpip6.sys
    2010-01-21 23:21 . 2010-01-01 00:36 149456 ----a-w- c:\windows\SGDetectionTool.dll
    2010-01-21 23:21 . 2010-01-01 00:36 165840 ----a-w- c:\windows\PCTBDRes.dll
    2010-01-21 23:21 . 2010-01-01 00:36 1652688 ----a-w- c:\windows\PCTBDCore.dll
    2010-01-21 23:21 . 2010-01-01 00:36 767952 ----a-w- c:\windows\BDTSupport.dll
    2007-10-16 13:25 . 2007-10-16 13:25 31080448 ------w- c:\program files\SPW10_WebInstall.exe
    2006-10-13 17:10 . 2006-10-13 17:09 20323355 ------w- c:\program files\SonicCinePlayerDVDDecoderPackv2[1].31_SDD.exe
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-04-17_00.23.59 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2006-09-27 17:25 . 2010-04-17 00:37 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    - 2006-09-27 17:25 . 2010-03-11 04:13 23040 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    + 2006-09-27 17:25 . 2010-04-17 00:37 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
    - 2006-09-27 17:25 . 2010-03-11 04:13 61440 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pubs.exe
    + 2006-09-27 17:25 . 2010-04-17 00:37 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    - 2006-09-27 17:25 . 2010-03-11 04:13 27136 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    + 2006-09-27 17:25 . 2010-04-17 00:37 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    - 2006-09-27 17:25 . 2010-03-11 04:13 11264 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    + 2006-09-27 17:25 . 2010-04-17 00:37 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    - 2006-09-27 17:25 . 2010-03-11 04:13 12288 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    + 2010-04-17 00:40 . 2010-04-17 00:40 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
    - 2010-03-11 04:07 . 2010-03-11 04:07 38240 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
    - 2006-09-27 17:25 . 2010-03-11 04:13 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2006-09-27 17:25 . 2010-04-17 00:37 4096 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2008-05-09 10:53 . 2010-03-10 06:15 420352 c:\windows\system32\dllcache\vbscript.dll
    - 2008-05-09 10:53 . 2009-03-08 10:33 420352 c:\windows\system32\dllcache\vbscript.dll
    + 2008-06-20 11:08 . 2010-02-11 12:02 226880 c:\windows\system32\dllcache\tcpip6.sys
    + 2008-11-12 12:12 . 2010-02-24 13:11 455680 c:\windows\system32\dllcache\mrxsmb.sys
    + 2010-02-12 04:33 . 2010-02-12 04:33 100864 c:\windows\system32\dllcache\6to4svc.dll
    - 2006-09-27 17:25 . 2010-03-11 04:13 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    + 2006-09-27 17:25 . 2010-04-17 00:37 409600 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    - 2006-09-27 17:25 . 2010-03-11 04:13 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    + 2006-09-27 17:25 . 2010-04-17 00:37 286720 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    - 2006-09-27 17:25 . 2010-03-11 04:13 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    + 2006-09-27 17:25 . 2010-04-17 00:37 249856 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    + 2006-09-27 17:25 . 2010-04-17 00:37 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    - 2006-09-27 17:25 . 2010-03-11 04:13 794624 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    + 2006-09-27 17:25 . 2010-04-17 00:37 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
    - 2006-09-27 17:25 . 2010-03-11 04:13 135168 c:\windows\Installer\{91CA0409-6000-11D3-8CFE-0150048383C9}\misc.exe
    + 2010-04-17 00:36 . 2009-03-08 10:33 420352 c:\windows\ie8updates\KB981332-IE8\vbscript.dll
    + 2010-04-17 00:36 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB981332-IE8\spuninst\updspapi.dll
    + 2010-04-17 00:36 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB981332-IE8\spuninst\spuninst.exe
    + 2008-11-12 12:12 . 2010-02-24 13:11 455680 c:\windows\Driver Cache\i386\mrxsmb.sys
    + 2008-10-16 12:11 . 2010-02-17 14:10 2189952 c:\windows\system32\dllcache\ntoskrnl.exe
    + 2008-10-16 12:11 . 2010-02-16 13:25 2024448 c:\windows\system32\dllcache\ntkrpamp.exe
    + 2008-10-16 12:11 . 2010-02-16 13:25 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe
    + 2008-10-16 12:11 . 2010-02-16 14:08 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe
    + 2010-03-11 17:03 . 2010-03-11 17:03 5524480 c:\windows\Installer\2be7a9.msp
    + 2010-03-12 02:16 . 2010-03-12 02:16 4148224 c:\windows\Installer\2be796.msp
    + 2008-10-16 12:11 . 2010-02-17 14:10 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe
    + 2008-10-16 12:11 . 2010-02-16 13:25 2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe
    + 2008-10-16 12:11 . 2010-02-16 13:25 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe
    + 2008-10-16 12:11 . 2010-02-16 14:08 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe
    + 2006-10-02 21:03 . 2010-04-06 17:52 31971272 c:\windows\system32\MRT.exe
    + 2010-03-22 21:03 . 2010-03-22 21:03 11732992 c:\windows\Installer\2be7b1.msp
    + 2009-04-04 00:46 . 2009-04-04 00:46 17314688 c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6425\MSO.DLL
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OM2_Monitor "= "c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2009-11-26 95632]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2004-10-26 4632576]
    "OM2_Monitor "= "c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2009-11-26 54672]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
    2004-01-13 19:17 110592 ------w- c:\windows\system32\LgNotify.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=" "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BounceBack Launcher.lnk]
    backup=c:\windows\pss\BounceBack Launcher.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sonic CinePlayer Quick Launch.lnk]
    backup=c:\windows\pss\Sonic CinePlayer Quick Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
    2008-10-15 01:38 623992 ------w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-10-15 05:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Version Cue CS2]
    2005-04-04 23:58 856064 ------w- c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ANT Agent]
    2008-09-02 18:42 8203352 ----a-w- c:\program files\Garmin\ANT Agent\ANT Agent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
    2003-08-29 09:59 122880 -c----w- c:\windows\BCMSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    2004-03-15 06:04 122933 -c----w- c:\windows\system32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gStart]
    2008-08-13 20:34 1891416 ----a-w- c:\program files\Garmin\gStart.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2006-02-19 06:41 49152 ------w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2004-10-26 16:01 4632576 ------w- c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2004-10-26 16:01 921600 ------w- c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgr.exe]
    2003-12-19 16:49 86016 ------w- c:\program files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2007-03-21 15:32 282624 ------w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sonic RecordNow!]
    2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2007-05-02 09:15 75520 ------w- c:\program files\Java\jre1.5.0_12\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    2003-08-19 06:01 110592 ------w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\SAS\\SAS 9.1\\sas.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\spoolsv.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
    "c:\\Program Files\\Reference Manager 11\\RM11.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"= 65533:TCP:Services
    "52344:TCP"= 52344:TCP:Services
    "8874:TCP"= 8874:TCP:Services
    "5187:TCP"= 5187:TCP:Services
    "4907:TCP"= 4907:TCP:Services
    "8314:TCP"= 8314:TCP:Services
    "9588:TCP"= 9588:TCP:Services
    "5544:TCP"= 5544:TCP:Services
    "5471:TCP"= 5471:TCP:Services
    "9442:TCP"= 9442:TCP:Services

    R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [5/8/2009 16:08 207792]
    R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [12/31/2009 19:36 51984]
    R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [12/31/2009 19:36 59664]
    R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [5/8/2009 16:08 233136]
    R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [12/31/2009 19:36 112592]
    R2 portD;CMS PortIO Service;c:\windows\system32\drivers\portd2k.sys [8/22/2008 10:10 14976]
    S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [5/8/2009 16:07 70408]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/8/2009 16:06 359624]
    S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [12/31/2009 19:36 33552]
    S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder

    2010-04-19 c:\windows\Tasks\User_Feed_Synchronization-{46C9470C-F119-4D10-A03C-80DAD27D564F}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 10:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.nature.com/index.html
    uInternet Settings,ProxyServer = proxy.msu.edu:8080
    uInternet Settings,ProxyOverride = <local>
    IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\3x5is5de.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.msutriathlon.com/messageboard/
    FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJPI150_12.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-04-19 08:13
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x83245FC8]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0xf889af28
    \Driver\ACPI -> ACPI.sys @ 0xf87cdcb8
    \Driver\atapi -> atapi.sys @ 0xf8767852
    IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615
    ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac
    NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> 0x82988670
    PacketIndicateHandler -> NDIS.sys @ 0xf8614a0d
    SendHandler -> NDIS.sys @ 0xf8628b40
    user & kernel MBR OK

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(696)
    c:\windows\System32\LgNotify.dll

    - - - - - - - > 'lsass.exe'(752)
    c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
    .
    Completion time: 2010-04-19 08:20:16
    ComboFix-quarantined-files.txt 2010-04-19 13:20
    ComboFix2.txt 2010-04-19 00:11
    ComboFix3.txt 2010-04-17 14:09
    ComboFix4.txt 2010-04-17 00:29
    ComboFix5.txt 2010-04-19 12:53

    Pre-Run: 29,994,004,480 bytes free
    Post-Run: 30,231,412,736 bytes free

    - - End Of File - - F653C18EDD3A92491EF1A17DF25ED349
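Added example (not part of the thread, and not ComboFix's or GMER's own code): a small Python triage script that parses ComboFix-style log lines like the ones in the post above and surfaces the entries an analyst would want to look at first: Windows Firewall port exceptions outside XP's own defaults (the log above lists ten high TCP ports described only as "Services"), `AntiVirusOverride` set under the Security Center key, firewall-authorised executables living in user-writable directories, and an `>>UNKNOWN<<` module in the disk driver call chain reported by the MBR check. The baseline port set, the "suspicious directory" heuristic and the sample excerpt are assumptions constructed for this example; the script only ranks entries for review and makes no claim that any of them is malicious.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted above (assumption: a
# representative subset, not the full log). The forum's '"name "=' quoting is kept
# on purpose so the patterns below can be tested against text copied from it.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"c:\\Program Files\\SAS\\SAS 9.1\\sas.exe "=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP "= 65533:TCP:Services
"52344:TCP "= 52344:TCP:Services
"8874:TCP "= 8874:TCP:Services
"5187:TCP "= 5187:TCP:Services

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x83245FC8]<<
kernel: MBR read successfully
user & kernel MBR OK
"""

# Assumption: the port exceptions Windows XP SP2/SP3 creates itself for File and
# Printer Sharing (139/445 TCP, 137/138 UDP) and UPnP (1900 UDP, 2869 TCP).
# Anything outside this set deserves a second look.
BASELINE_PORTS = {(139, "TCP"), (445, "TCP"), (137, "UDP"), (138, "UDP"),
                  (1900, "UDP"), (2869, "TCP")}

# Assumption: heuristic list of user-writable locations a firewall exception
# should not normally point into.
SUSPICIOUS_DIRS = ("\\temp\\", "\\application data\\", "\\local settings\\")

SECTION_RE = re.compile(r"^\[(.+)\]$")
# "<port>:<proto> "= <port>:<proto>:<description>  (space before the quote tolerated)
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)\s*"\s*=\s*\d+:(?:TCP|UDP):(.*)$')
APP_RE = re.compile(r'^"(.+?)\s*"\s*=')
AV_OVERRIDE_RE = re.compile(r'^"AntiVirusOverride\s*"\s*=\s*dword:([0-9a-fA-F]{8})$')
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


def triage(log_text):
    """Walk a ComboFix-style log and collect the entries worth reviewing.

    Returns a dict; nothing here decides that an entry is malicious."""
    findings = {
        "open_ports": [], "unusual_ports": [],
        "authorized_apps": [], "suspicious_apps": [],
        "av_override": False, "unknown_modules": [], "mbr_ok": False,
    }
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).lower()
            continue
        if "globallyopenports" in section:
            m = PORT_RE.match(line)
            if m:
                port, proto, desc = int(m.group(1)), m.group(2), m.group(3).strip()
                findings["open_ports"].append((port, proto, desc))
                if (port, proto) not in BASELINE_PORTS:
                    findings["unusual_ports"].append((port, proto, desc))
        elif "authorizedapplications" in section:
            m = APP_RE.match(line)
            if m:
                path = m.group(1).replace("\\\\", "\\")  # registry-escaped backslashes
                findings["authorized_apps"].append(path)
                if any(d in path.lower() for d in SUSPICIOUS_DIRS):
                    findings["suspicious_apps"].append(path)
        elif "security center" in section:
            m = AV_OVERRIDE_RE.match(line)
            if m and int(m.group(1), 16) != 0:
                findings["av_override"] = True
        # The mbr.exe block has no [section] header, so it is checked on every line.
        if line.startswith("called modules:"):
            findings["unknown_modules"].extend(UNKNOWN_RE.findall(line))
        if line == "user & kernel MBR OK":
            findings["mbr_ok"] = True
    return findings


def report(findings):
    """Render the findings as the short checklist an analyst would read first."""
    lines = []
    for port, proto, desc in findings["unusual_ports"]:
        lines.append(f"firewall exception outside XP defaults: {port}/{proto} ({desc})")
    for path in findings["suspicious_apps"]:
        lines.append(f"authorised application in user-writable path: {path}")
    if findings["av_override"]:
        lines.append("Security Center AntiVirusOverride is set (AV status alerts suppressed)")
    for addr in findings["unknown_modules"]:
        lines.append(f"MBR check: unnamed module in disk call chain at {addr}")
    if not findings["mbr_ok"]:
        lines.append("MBR check did not report 'user & kernel MBR OK'")
    return lines


if __name__ == "__main__":
    for entry in report(triage(SAMPLE_LOG)):
        print(entry)
```

Run it as-is to triage the constructed excerpt, or pass the full text of a saved ComboFix.txt to `triage()`; the space the forum inserts before closing quotes is tolerated by the patterns, so text copied straight from the thread parses too.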
     
  19. 2010/04/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    We need to get GMER running. Something is still lurking there.
    Delete your GMER file.

    Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.
     
  20. 2010/04/19
    timbob18

    timbob18 Inactive Thread Starter

    Joined:
    2010/04/13
    Messages:
    28
    Likes Received:
    0
    Ran it once and it made it through but was unable to save the log (computer could not access any programs or files). Second time after running to the end the error was "Power Meter: Explorer.EXE - Application Error. The instruction at "0x74af2133" referenced memory at "0x74af2133". The required data was not placed into memory because of an I/O error status of "0xc000009a"."

    I chose to terminate the program, which brought up the error "spoolsv.exe - application error. The instruction at "0x1001b70a" referenced memory at "0x1001b70a". The required data was not placed into memory because of an I/O error status of "0xc000009a"."

    I chose to terminate the program again, which brought up the error "windows - application error. The application failed to initialize properly (0xc0000017)." I chose "ok".

    At which point the computer froze up so I forced a shut down. While shutting down I got a blue screen stating "a problem has been detected and windows has been shut down to prevent damages...the problem is caused by the following file: rdbss.sys. the driver was unloaded without canceling pending operations...."

    I'll run it with "drivers" unchecked in regular mode tonight and see how it goes. If it still fails I'll go to safe mode with "drivers" unchecked.

    Thanks for your continued help:)
     
    Last edited: 2010/04/19
  21. 2010/04/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please do.
    "Devices", not "Drivers" :)
     
