
Inactive Internet explorer runs and opens tabs?

Discussion in 'Malware and Virus Removal Archive' started by Jessiah, 2010/08/20.

Thread Status:
Not open for further replies.
  1. 2010/08/20
    Jessiah

    Jessiah Inactive Thread Starter

    Joined:
    2010/08/20
    Messages:
    9
    Likes Received:
    0
    [Inactive] Internet explorer runs and opens tabs?

    I am running a Windows Vista Toshiba Satellite. New computer, but recently if left idle it executes IE and, if left idle longer, opens up tab after tab. Help would be excellent. Thx
     
  2. 2010/08/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Welcome aboard :)

    Please, read this post, then post the requested log(s).
     


  4. 2010/08/21
    Jessiah

    Jessiah Inactive Thread Starter

    Will do.. thx
     
  5. 2010/08/21
    Jessiah

    Jessiah Inactive Thread Starter

    DDS (Ver_10-03-17.01)

    Microsoft® Windows Vista™ Enterprise
    Boot Device: \Device\HarddiskVolume1
    Install Date: 7/16/2010 8:57:46 PM
    System Uptime: 8/18/2010 9:34:36 PM (53 hours ago)

    Motherboard: TOSHIBA | | Portable PC
    Processor: Genuine Intel(R) CPU 585 @ 2.16GHz | CPU | 2161/667mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 93 GiB total, 51.741 GiB free.
    D: is CDROM ()
    E: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID:
    Description:
    Device ID: ACPI\TOS1901\2&DABA3FF&1
    Manufacturer:
    Name:
    PNP Device ID: ACPI\TOS1901\2&DABA3FF&1
    Service:

    ==== System Restore Points ===================

    RP44: 8/9/2010 5:02:27 PM - Scheduled Checkpoint
    RP45: 8/11/2010 3:00:02 AM - Scheduled Checkpoint
    RP46: 8/13/2010 2:59:18 PM - Windows Update
    RP47: 8/18/2010 2:28:12 PM - Windows Update

    ==== Installed Programs ======================


    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3.3
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Atheros Client Utility
    Atheros Driver Installation Program
    avast! Free Antivirus
    BitZipper 2010
    Bonjour
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    Disk Doctors Digital Media Recovery
    DVD Suite
    EliteSwitch
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 21
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.8)
    PowerDVD
    PowerProducer
    QuickTime
    Realtek 8169 8168 8101E 8102E Ethernet Driver
    Realtek High Definition Audio Driver
    RuneScape Launcher 1.0.2
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    WinSCP 4.2.8

    ==== Event Viewer Messages From Past Week ========

    8/19/2010 8:03:37 PM, Error: Microsoft-Windows-Windows Defender [3006] - Windows Defender Real-Time Protection agent has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:WinNT/Alureon.H&threatid=145930 Scan ID: {75B0404C-EEE1-4EAC-844C-0ED9F78A94E4} User: JESSIAHS-LAPTOP\ToshiaUser Name: Trojan:WinNT/Alureon.H ID: 145930 Severity ID: 5 Category ID: 8 Path: Alert Type: Spyware or other potentially unwanted software Action: Remove Error Code: 0x80508025 Error description: To see how to finish removing spyware and other potentially unwanted software, see this support article on the Microsoft Security website.
    8/18/2010 9:35:05 PM, Error: EventLog [6008] - The previous system shutdown at 9:23:34 PM on 8/18/2010 was unexpected.
    8/18/2010 4:17:59 PM, Error: Microsoft-Windows-WPD-MTPClassDriver [15300] - MTP WPD Driver has failed to start. Error 0x8007001f.
    8/18/2010 2:07:48 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.3.7 for the Network Card with network address 0024D271BDFC has been denied by the DHCP server 192.168.254.254 (The DHCP Server sent a DHCPNACK message).
    8/17/2010 3:26:55 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.3.7 for the Network Card with network address 0024D271BDFC has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    8/17/2010 2:45:20 AM, Error: EventLog [6008] - The previous system shutdown at 11:30:34 PM on 8/16/2010 was unexpected.
    8/16/2010 1:15:22 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.30.2 for the Network Card with network address 0024D271BDFC has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

    ==== End Of File ===========================
     
  6. 2010/08/21
    Jessiah

    Jessiah Inactive Thread Starter

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by ToshiaUser at 2:45:25.45 on Sat 08/21/2010
    Internet Explorer: 7.0.6000.16982 BrowserJavaVersion: 1.6.0_21
    Microsoft® Windows Vista™ Enterprise 6.0.6000.0.1252.1.1033.18.2939.907 [GMT -4:00]

    AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    SP: avast! Antivirus *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k secsvcs
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\RtHDVCpl.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\vssvc.exe
    C:\Windows\System32\svchost.exe -k swprv
    C:\Windows\system32\javaw.exe
    C:\Users\TOSHIA~1\AppData\Local\Temp\Qvz.exe
    C:\Users\TOSHIA~1\AppData\Local\Temp\Qv0.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Program Files\Alwil Software\Avast5\avastUI.exe
    C:\Windows\System32\mobsync.exe
    C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Users\ToshiaUser\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office12\GRA8E1~1.DLL
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    uRun: [ZE18MW23GY] c:\users\toshia~1\appdata\local\temp\Qv0.exe
    uRun: [googletalk] c:\users\toshiauser\appdata\roaming\google talk\googletalk.exe /autostart
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [RtHDVCpl] RtHDVCpl.exe
    mRun: [Skytel] Skytel.exe
    mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe "
    mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe "
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe "
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: NameServer = 93.188.164.80,93.188.166.230
    TCP: {39584254-1931-485E-84F9-15F7609FA80D} = 93.188.164.80,93.188.166.230
    TCP: {EA4AF254-14D3-4EB7-BDA7-D79B6BFD376A} = 93.188.164.80,93.188.166.230
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~1\office12\GR99D3~1.DLL
    Notify: igfxcui - igfxdev.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office12\GRA8E1~1.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\toshia~1\appdata\roaming\mozilla\firefox\profiles\6vr4n9t5.default\
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.lu ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.nu ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.nz ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbaam7a8h ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgberp4a5d4ar ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--p1ai ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbayh7gpa ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.tel ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.proxy.type ", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.buffer.cache.count ", 24);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.buffer.cache.size ", 4096);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "dom.ipc.plugins.timeoutSecs ", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "accelerometer.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.nptest.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npswf32.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npctrl.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npqtplugin.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-20 165456]
    R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\dddsk.sys [2010-8-19 22312]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-20 17744]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-8-20 50256]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-20 40384]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-20 40384]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-20 40384]
    S1 xnjrcogv;xnjrcogv;c:\windows\system32\drivers\xnjrcogv.sys [2010-8-19 30784]
    S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2010-4-19 18432]

    =============== Created Last 30 ================

    2010-08-21 04:07:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-21 04:07:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-21 04:07:21 0 d-----w- c:\programdata\Malwarebytes
    2010-08-21 04:07:21 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-21 02:20:23 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-08-21 02:19:18 38848 ----a-w- c:\windows\avastSS.scr
    2010-08-21 02:18:44 0 d-----w- c:\programdata\Alwil Software
    2010-08-20 00:15:27 0 d-----w- c:\users\toshia~1\appdata\roaming\Google Talk
    2010-08-20 00:03:37 30784 ----a-w- c:\windows\system32\drivers\xnjrcogv.sys
    2010-08-19 23:22:30 22312 ----a-w- c:\windows\system32\drivers\dddsk.sys
    2010-08-19 23:22:27 0 d-----w- c:\program files\Disk Doctors Digital Media Recovery (Demo)
    2010-08-19 23:21:13 0 d-----w- c:\users\toshia~1\appdata\roaming\GetRightToGo
    2010-08-19 23:17:35 0 d-----w- c:\users\toshia~1\appdata\roaming\Blitware
    2010-08-16 17:25:04 0 d-----w- c:\program files\Covey Inc
    2010-08-07 19:30:05 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_netaapl_01009.Wdf
    2010-08-07 19:30:01 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
    2010-08-07 19:29:41 8218 ----a-w- c:\windows\system32\wbem\Wdf01000.mof
    2010-08-07 19:29:41 445008 ----a-w- c:\windows\system32\drivers\Wdf01000.sys
    2010-08-07 19:29:41 38480 ----a-w- c:\windows\system32\drivers\WdfLdr.sys
    2010-08-07 19:29:41 3 ----a-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Inbox_Critical.Wdf
    2010-08-07 19:29:41 112 ----a-w- c:\windows\system32\wbem\Wdf01000Uninstall.mof
    2010-08-06 22:33:10 0 d-----w- c:\program files\WinSCP
    2010-08-05 21:15:27 0 d-----w- c:\windows\system32\appmgmt
    2010-08-05 10:03:26 0 d-----w- c:\users\toshia~1\appdata\roaming\iPodtoComputer
    2010-08-05 10:03:15 6144 ----a-w- c:\windows\system32\ff_acm.acm
    2010-08-05 10:03:15 60273 ----a-w- c:\windows\system32\pthreadGC2.dll
    2010-08-05 10:03:15 57344 ----a-w- c:\windows\system32\ff_vfw.dll
    2010-08-05 10:03:15 547 ----a-w- c:\windows\system32\ff_vfw.dll.manifest
    2010-08-05 10:03:15 258352 ----a-w- c:\windows\system32\unicows.dll
    2010-08-05 10:03:14 98304 ----a-w- c:\windows\system32\L3CODECX.AX
    2010-08-05 10:03:13 1060864 ----a-w- c:\windows\system32\MFC71.DLL
    2010-08-05 10:03:13 0 d-----w- c:\program files\Cucusoft
    2010-07-23 18:11:31 0 d-----w- c:\users\toshia~1\appdata\roaming\EurekaLog

    ==================== Find3M ====================

    2010-08-21 03:38:12 99 ----a-w- c:\users\toshiauser\jagex_runescape_preferences2.dat
    2010-08-21 03:31:39 46 ----a-w- c:\users\toshiauser\jagex_runescape_preferences.dat
    2010-07-20 10:28:59 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-07-20 10:28:53 86016 ----a-w- c:\windows\inf\infstrng.dat
    2010-07-20 10:28:53 86016 ----a-w- c:\windows\inf\infstor.dat
    2010-07-20 10:28:53 665600 ----a-w- c:\windows\inf\drvindex.dat
    2010-07-20 10:13:19 378368 ----a-w- c:\windows\system32\winhttp.dll
    2010-07-20 10:11:52 268800 ----a-w- c:\windows\system32\es.dll
    2010-07-20 10:09:27 1585664 ----a-w- c:\windows\system32\setupapi.dll
    2010-07-20 10:05:30 2031104 ----a-w- c:\windows\system32\win32k.sys
    2010-07-20 10:04:03 14848 ----a-w- c:\windows\system32\wshrm.dll
    2010-07-20 10:04:03 113664 ----a-w- c:\windows\system32\drivers\rmcast.sys
    2010-07-20 10:03:19 313344 ----a-w- c:\windows\system32\wmpdxm.dll
    2010-07-20 10:02:12 523776 ----a-w- c:\windows\system32\RMActivate_isv.exe
    2010-07-20 10:02:12 515584 ----a-w- c:\windows\system32\RMActivate.exe
    2010-07-20 10:02:12 473088 ----a-w- c:\windows\system32\secproc_isv.dll
    2010-07-20 10:02:12 472576 ----a-w- c:\windows\system32\secproc.dll
    2010-07-20 10:02:12 435712 ----a-w- c:\windows\system32\RMActivate_ssp.exe
    2010-07-20 10:02:12 431104 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
    2010-07-20 10:02:12 312320 ----a-w- c:\windows\system32\msdrm.dll
    2010-07-20 10:02:12 154624 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
    2010-07-20 10:02:12 154112 ----a-w- c:\windows\system32\secproc_ssp.dll
    2010-07-20 10:01:07 11776 ----a-w- c:\windows\system32\sbunattend.exe
    2010-07-19 05:20:56 83968 ----a-w- c:\windows\system32\dnsrslvr.dll
    2010-07-19 05:20:56 24576 ----a-w- c:\windows\system32\dnscacheugc.exe
    2010-07-19 05:17:12 97800 ----a-w- c:\windows\system32\infocardapi.dll
    2010-07-19 05:17:12 622080 ----a-w- c:\windows\system32\icardagt.exe
    2010-07-19 05:17:12 11264 ----a-w- c:\windows\system32\icardres.dll
    2010-07-19 05:17:08 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
    2010-07-19 05:17:07 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
    2010-07-19 05:17:07 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2010-07-19 05:17:07 326160 ----a-w- c:\windows\system32\PresentationHost.exe
    2010-07-18 12:54:41 174 --sha-w- c:\program files\desktop.ini
    2010-07-18 12:30:09 156672 ----a-w- c:\windows\system32\t2embed.dll
    2010-07-18 12:30:08 72704 ----a-w- c:\windows\system32\fontsub.dll
    2010-07-18 12:30:08 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-07-18 12:30:08 289792 ----a-w- c:\windows\system32\atmfd.dll
    2010-07-18 12:30:08 24064 ----a-w- c:\windows\system32\lpk.dll
    2010-07-18 12:30:08 10240 ----a-w- c:\windows\system32\dciman32.dll
    2010-07-18 12:27:55 72704 ----a-w- c:\windows\system32\admparse.dll
    2010-07-18 12:27:53 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-07-18 12:27:49 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-07-18 12:27:49 48128 ----a-w- c:\windows\system32\mshtmler.dll
    2010-07-18 12:27:44 26624 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-07-18 12:27:42 56320 ----a-w- c:\windows\system32\iesetup.dll
    2010-07-18 12:23:54 61440 ----a-w- c:\windows\system32\winipsec.dll
    2010-07-18 12:23:54 28672 ----a-w- c:\windows\system32\FwRemoteSvr.dll
    2010-07-18 12:23:53 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
    2010-07-18 12:23:53 272896 ----a-w- c:\windows\system32\polstore.dll
    2010-07-18 12:20:50 84992 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-07-18 12:20:50 306688 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-07-18 12:19:22 95232 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
    2010-07-18 12:19:22 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
    2010-07-18 12:19:22 160768 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
    2010-07-18 12:17:58 87040 ----a-w- c:\windows\system32\msoert2.dll
    2010-07-18 12:17:58 39424 ----a-w- c:\windows\system32\ACCTRES.dll
    2010-07-18 12:17:58 205824 ----a-w- c:\windows\system32\msoeacct.dll
    2010-07-18 12:16:02 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
    2010-07-18 12:16:02 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
    2010-07-18 12:16:02 15360 ----a-w- c:\windows\system32\netevent.dll
    2010-07-18 12:16:02 11264 ----a-w- c:\windows\system32\MRINFO.EXE
    2010-07-18 12:16:01 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
    2010-07-18 12:16:01 19968 ----a-w- c:\windows\system32\ARP.EXE
    2010-07-18 12:16:01 17920 ----a-w- c:\windows\system32\ROUTE.EXE
    2010-07-18 12:16:01 103936 ----a-w- c:\windows\system32\netiohlp.dll
    2010-07-18 12:16:01 10240 ----a-w- c:\windows\system32\finger.exe
    2010-07-18 12:13:14 704000 ----a-w- c:\windows\system32\PhotoScreensaver.scr
    2010-07-18 12:13:14 356352 ----a-w- c:\windows\system32\wbem\wbemcomn.dll
    2010-07-18 12:13:13 24064 ----a-w- c:\windows\system32\wtsapi32.dll
    2010-07-18 12:13:13 20920 ----a-w- c:\windows\system32\drivers\compbatt.sys
    2010-07-18 12:13:12 28344 ----a-w- c:\windows\system32\drivers\battc.sys
    2010-07-18 12:13:12 258232 ----a-w- c:\windows\system32\drivers\acpi.sys
    2010-07-18 12:13:12 14208 ----a-w- c:\windows\system32\drivers\CmBatt.sys
    2010-07-18 12:13:11 542720 ----a-w- c:\windows\system32\sysmain.dll
    2010-07-18 12:11:39 194560 ----a-w- c:\windows\system32\WebClnt.dll
    2010-07-18 12:11:39 110080 ----a-w- c:\windows\system32\drivers\mrxdav.sys
    2010-07-18 12:10:25 123904 ----a-w- c:\windows\system32\L2SecHC.dll
    2010-07-18 12:10:24 67584 ----a-w- c:\windows\system32\wlanhlp.dll
    2010-07-18 12:10:24 502272 ----a-w- c:\windows\system32\wlansvc.dll
    2010-07-18 12:10:24 47104 ----a-w- c:\windows\system32\wlanapi.dll
    2010-07-18 12:10:24 297984 ----a-w- c:\windows\system32\wlansec.dll
    2010-07-18 12:10:24 290816 ----a-w- c:\windows\system32\wlanmsm.dll
    2010-07-18 12:08:55 2048 ----a-w- c:\windows\system32\msxml6r.dll
    2010-07-18 12:08:55 2048 ----a-w- c:\windows\system32\msxml3r.dll
    2010-07-18 12:08:55 1406464 ----a-w- c:\windows\system32\msxml6.dll
    2010-07-18 12:08:55 1260032 ----a-w- c:\windows\system32\msxml3.dll
    2010-07-18 12:07:26 216576 ----a-w- c:\windows\system32\msv1_0.dll
    2010-07-18 12:06:04 58368 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2010-07-18 12:06:04 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2010-07-18 12:06:04 102400 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-07-18 12:04:52 49664 ----a-w- c:\windows\system32\csrsrv.dll
    2010-07-18 12:04:52 376320 ----a-w- c:\windows\system32\winsrv.dll
    2010-07-18 12:03:40 98816 ----a-w- c:\windows\system32\mfps.dll
    2010-07-18 12:03:40 2855424 ----a-w- c:\windows\system32\mf.dll
    2010-07-18 12:03:39 52736 ----a-w- c:\windows\system32\rrinstaller.exe
    2010-07-18 12:03:39 24576 ----a-w- c:\windows\system32\mfpmp.exe
    2010-07-18 12:03:39 2048 ----a-w- c:\windows\system32\mferror.dll
    2010-07-18 12:02:10 3502480 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-07-18 12:02:10 3468168 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-07-18 11:57:15 434176 ----a-w- c:\windows\system32\vbscript.dll

    ============= FINISH: 2:47:40.84 ===============
     
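An added triage helper for DDS logs like the one posted above (example code written for this thread, not part of the DDS tool or of anyone's reply): it splits the log into its sections and flags what a malware analyst reads first, namely executables running or autostarting from a Temp directory, random-looking autorun and driver-service names, and DNS servers hard-set on an interface that are not private addresses. The sample excerpt is constructed from the log in this thread; the heuristics and thresholds are assumptions, not DDS rules.

```python
"""Flag the suspicious entries in a DDS log excerpt (defensive triage)."""
import ipaddress
import re

# Constructed excerpt of the DDS log posted in the thread (not a live capture).
SAMPLE_DDS = r"""
============== Running Processes ===============

C:\Windows\system32\svchost.exe -k netsvcs
C:\Users\TOSHIA~1\AppData\Local\Temp\Qvz.exe
C:\Users\TOSHIA~1\AppData\Local\Temp\Qv0.exe
C:\Program Files\Mozilla Firefox\firefox.exe

============== Pseudo HJT Report ===============

uRun: [ZE18MW23GY] c:\users\toshia~1\appdata\local\temp\Qv0.exe
uRun: [googletalk] c:\users\toshiauser\appdata\roaming\google talk\googletalk.exe /autostart
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
TCP: NameServer = 93.188.164.80,93.188.166.230
TCP: {39584254-1931-485E-84F9-15F7609FA80D} = 93.188.164.80,93.188.166.230

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-20 165456]
S1 xnjrcogv;xnjrcogv;c:\windows\system32\drivers\xnjrcogv.sys [2010-8-19 30784]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2010-4-19 18432]
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# A path component "Temp\" (optionally under AppData\Local) anywhere in a command.
TEMP_RE = re.compile(r"\\(?:appdata\\local\\)?temp\\", re.IGNORECASE)
# Assumption: an autorun value name of 8+ upper-case letters mixed with digits
# is machine-generated; vendors normally use readable names.
RANDOM_RUN_NAME_RE = re.compile(r"^(?=.*[A-Z])(?=.*\d)[A-Z0-9]{8,}$")
RUN_RE = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
DRIVER_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]+);(?P<path>.+?) \[")
NAMESERVER_RE = re.compile(r"^TCP: .*= (?P<servers>[\d.,]+)$")


def parse_sections(text):
    """Split a DDS log into {section title: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def looks_random_driver(name, display):
    """Assumption: a service whose name equals its display name, is exactly
    eight lower-case letters and has at most one vowel reads as generated."""
    if name != display or not re.fullmatch(r"[a-z]{8}", name):
        return False
    return sum(c in "aeiou" for c in name) <= 1


def triage(text):
    """Return (category, log line) findings, in log order, for review."""
    findings = []
    sections = parse_sections(text)
    for line in sections.get("Running Processes", []):
        if TEMP_RE.search(line):
            findings.append(("process from Temp directory", line))
    for line in sections.get("Pseudo HJT Report", []):
        m = RUN_RE.match(line)
        if m:
            if TEMP_RE.search(m.group("cmd")):
                findings.append(("autorun points into Temp directory", line))
            if RANDOM_RUN_NAME_RE.match(m.group("name")):
                findings.append(("random-looking autorun name", line))
            continue
        m = NAMESERVER_RE.match(line)
        if m:
            # A home laptop normally gets DNS from the router via DHCP, so a
            # public resolver pinned on the interface deserves verification.
            if any(not ipaddress.ip_address(ip).is_private
                   for ip in m.group("servers").split(",")):
                findings.append(("public DNS server hard-set on interface", line))
    for line in sections.get("SERVICES / DRIVERS", []):
        m = DRIVER_RE.match(line)
        if m and looks_random_driver(m.group("name"), m.group("display")):
            findings.append(("random-looking driver service", line))
    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_DDS):
        print(f"[{category}] {line}")
```

Given the Windows Defender event earlier in the same log (removal of Trojan:WinNT/Alureon.H failed), the hard-set resolvers are worth comparing against the ISP's or router's DNS rather than assumed benign.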
  7. 2010/08/21
    broni

    broni Moderator Malware Analyst

    STEP 1. Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes.)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.


    STEP 3. Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.



    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  8. 2010/08/21
    Jessiah (Thread Starter)

    Had to rename the binary mbam.exe in order to launch it. Put an x in front of the name. Started fine. Will post the log ASAP. Thanks for the help 8)
     
  9. 2010/08/21
    Jessiah (Thread Starter)

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 6.0.6000
    Internet Explorer 7.0.6000.16982

    8/21/2010 3:34:37 PM
    mbam-log-2010-08-21 (15-34-37).txt

    Scan type: Quick scan
    Objects scanned: 117656
    Time elapsed: 6 minute(s), 34 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  10. 2010/08/21
    Jessiah (Thread Starter)

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-08-21 16:22:03
    Windows 6.0.6000
    Running: l1r5nu7r.exe; Driver: C:\Users\TOSHIA~1\AppData\Local\Temp\awldruod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0x8E68C764]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0x8E68C6A4]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0x8E68C708]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x8E699B9C]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x8E6999C0]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x8E699AFA]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    PAGE ntkrnlpa.exe!ZwLoadDriver 81D9852A 7 Bytes JMP 8E699AFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntkrnlpa.exe!NtCreateSection 81DD7893 1 Byte [E9]
    PAGE ntkrnlpa.exe!NtCreateSection 81DD7893 7 Bytes JMP 8E6999C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntkrnlpa.exe!ObMakeTemporaryObject 81DF1ADB 5 Bytes JMP 8E6955B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntkrnlpa.exe!ObInsertObject 81DF75F6 5 Bytes JMP 8E696F6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 81E12645 7 Bytes JMP 8E699BA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    .rsrc C:\Windows\System32\drivers\ecache.sys entry point in ".rsrc" section [0x89BFD014]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Mozilla Firefox\firefox.exe[1848] ntdll.dll!LdrLoadDll 7780EB00 5 Bytes JMP 00D313F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3068] USER32.dll!TrackPopupMenu 779ACFF8 5 Bytes JMP 682D721D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 84A64ECC

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\System32\drivers\ecache.sys suspicious modification
    File C:\Windows\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
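The GMER log above is the pivotal evidence in this thread: every kernel hook that GMER could attribute belongs to avast! (ALWIL Software) or Firefox, while the `Device -> \Driver\atapi \Device\Harddisk0\DR0` entry carries only a bare kernel address and the `Files` section reports atapi.sys and ecache.sys as modified on disk. The following Python is an added triage example, not part of the thread and not GMER's own code: it splits a GMER report into its `---- Section ----` blocks, keeps hooks attributed to a trusted-vendor allowlist (the allowlist itself is an assumption an analyst would maintain) and flags everything else. The sample log is constructed here, modelled on the posted one with lines shortened.

```python
import re
from typing import Dict, List, Set

# Constructed sample, modelled on the GMER 1.0.15 log posted above (shortened, not a verbatim copy).
SAMPLE_GMER_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-21 16:22:03
Windows 6.0.6000

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0x8E68C6A4]

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwLoadDriver 81D9852A 7 Bytes JMP 8E699AFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.rsrc C:\Windows\System32\drivers\ecache.sys entry point in ".rsrc" section [0x89BFD014]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1848] ntdll.dll!LdrLoadDll 7780EB00 5 Bytes JMP 00D313F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 84A64ECC

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\drivers\ecache.sys suspicious modification
File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
VENDOR_RE = re.compile(r"\(([^()]*)/([^()]*)\)")      # GMER's "(description/Vendor)" attribution
BARE_ADDR_RE = re.compile(r"\s[0-9A-Fa-f]{8}$")        # line ends in a raw kernel address, no module

# Assumption: the analyst's allowlist of vendors whose hooks are expected on this machine.
TRUSTED_VENDORS = {"ALWIL Software", "Microsoft Corporation", "Mozilla Corporation", "Mozilla Foundation"}
HOOK_SECTIONS = {"System", "Kernel code sections", "User code sections", "Devices"}


def parse_sections(log: str) -> Dict[str, List[str]]:
    """Group non-blank report lines under the '---- Name - GMER x.y.z ----' header they follow."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        if current is not None and current != "EOF":
            sections[current].append(line)
    return sections


def triage(log: str, trusted: Set[str] = TRUSTED_VENDORS) -> List[dict]:
    """Return the lines an analyst should look at, each with the section and the reason it was flagged."""
    findings = []
    for section, lines in parse_sections(log).items():
        for line in lines:
            reason = None
            if line.startswith("File ") and line.endswith("suspicious modification"):
                reason = "on-disk driver differs from what GMER expects (patched or replaced file)"
            elif 'entry point in ".rsrc" section' in line:
                reason = "driver entry point relocated into .rsrc (code placed in a resource section)"
            elif line.startswith("Device ->") and BARE_ADDR_RE.search(line):
                reason = "device object hooked by code GMER cannot map to any loaded module"
            elif section in HOOK_SECTIONS:
                m = VENDOR_RE.search(line)
                if m is None:
                    reason = "hook with no module attribution"
                elif m.group(2) not in trusted:
                    reason = f"hook owned by vendor not on the allowlist: {m.group(2)!r}"
            if reason:
                findings.append({"section": section, "reason": reason, "line": line})
    return findings


def implicated_files(findings: List[dict]) -> Set[str]:
    """Collect the on-disk driver/executable paths named in the flagged lines (lower-cased for comparison)."""
    paths: Set[str] = set()
    for f in findings:
        m = re.search(r"([A-Za-z]:\\\S+?\.(?:sys|exe|dll))", f["line"], re.I)
        if m:
            paths.add(m.group(1).lower())
    return paths


if __name__ == "__main__":
    for f in triage(SAMPLE_GMER_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
    print("files to verify against clean copies:", sorted(implicated_files(triage(SAMPLE_GMER_LOG))))
```

On the constructed sample this flags exactly the four lines that matter (the .rsrc entry point, the unattributed hook on the atapi device object, and the two modified driver files) and leaves the vendor-attributed avast! and Firefox hooks alone, which is the reasoning behind asking for a rootkit-specific tool as the next step. The allowlist approach has an obvious limit: a hooking driver that impersonates a trusted vendor string in its version resource would pass, so the hash of the file on disk, not the vendor label, is what a clean/dirty decision should rest on.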
     
  11. 2010/08/21
    Jessiah (Thread Starter)

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Enterprise Edition
    Windows Information: (build 6000), 32-bit
    Base Board Manufacturer: TOSHIBA
    BIOS Manufacturer: INSYDE
    System Manufacturer: TOSHIBA
    System Product Name: Satellite L355
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 148):
    0x81C00000 \SystemRoot\system32\ntkrnlpa.exe
    0x81FA1000 \SystemRoot\system32\hal.dll
    0x802C6000 \SystemRoot\system32\kdcom.dll
    0x80266000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x8025D000 \SystemRoot\system32\PSHED.dll
    0x80255000 \SystemRoot\system32\BOOTVID.dll
    0x8021A000 \SystemRoot\system32\CLFS.SYS
    0x8051F000 \SystemRoot\system32\CI.dll
    0x804AE000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x8020C000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x8046B000 \SystemRoot\system32\drivers\acpi.sys
    0x80203000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x80463000 \SystemRoot\system32\drivers\msisadrv.sys
    0x8043E000 \SystemRoot\system32\drivers\pci.sys
    0x8042F000 \SystemRoot\system32\drivers\volmgr.sys
    0x80200000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x80425000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x80415000 \SystemRoot\System32\drivers\mountmgr.sys
    0x807B6000 \SystemRoot\System32\drivers\volmgrx.sys
    0x8040D000 \SystemRoot\system32\drivers\atapi.sys
    0x80798000 \SystemRoot\system32\drivers\ataport.SYS
    0x80404000 \SystemRoot\system32\drivers\msahci.sys
    0x8078A000 \SystemRoot\system32\drivers\PCIIDEX.SYS
    0x80759000 \SystemRoot\system32\drivers\fltmgr.sys
    0x80749000 \SystemRoot\system32\drivers\fileinfo.sys
    0x80645000 \SystemRoot\system32\drivers\ndis.sys
    0x8061A000 \SystemRoot\system32\drivers\msrpc.sys
    0x899C7000 \SystemRoot\system32\drivers\NETIO.SYS
    0x898BF000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x89855000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x8981F000 \SystemRoot\system32\drivers\volsnap.sys
    0x80615000 \SystemRoot\system32\DRIVERS\TVALZ_O.SYS
    0x8060D000 \SystemRoot\System32\Drivers\spldr.sys
    0x89810000 \SystemRoot\System32\drivers\partmgr.sys
    0x89801000 \SystemRoot\System32\Drivers\mup.sys
    0x89BDB000 \SystemRoot\System32\drivers\ecache.sys
    0x89BB8000 \SystemRoot\System32\DRIVERS\fvevol.sys
    0x89BA7000 \SystemRoot\system32\drivers\disk.sys
    0x89B86000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x80604000 \SystemRoot\system32\drivers\crcdisk.sys
    0x8A80C000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x8C979000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0x8C8C2000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0x8C8EC000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0x8D326000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
    0x8C825000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x8C818000 \SystemRoot\System32\drivers\watchdog.sys
    0x8C80D000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0x8D2E9000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x8D2DB000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x8CF9E000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x8CF7D000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
    0x8CE65000 \SystemRoot\system32\DRIVERS\athr.sys
    0x8CE52000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x8C802000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x8CE47000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x8CE2F000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x8C910000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0x8CE04000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x8D29B000 \SystemRoot\system32\DRIVERS\storport.sys
    0x8CFF5000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x8D284000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x8CFEA000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x8D261000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x89A3E000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x8D24E000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x8DF79000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0x8D232000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x8A893000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x8D208000 \SystemRoot\system32\DRIVERS\ks.sys
    0x8A838000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8D241000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x8E1CC000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x8A51B000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x8E201000 \SystemRoot\system32\drivers\RTKVHDA.sys
    0x8E12F000 \SystemRoot\system32\drivers\portcls.sys
    0x8E10A000 \SystemRoot\system32\drivers\drmk.sys
    0x8E00F000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0x89A00000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x8DE09000 \SystemRoot\system32\drivers\modem.sys
    0x8C99D000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x8E171000 \SystemRoot\System32\Drivers\Null.SYS
    0x8E178000 \SystemRoot\System32\Drivers\Beep.SYS
    0x8E003000 \SystemRoot\System32\drivers\vga.sys
    0x8E59F000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x8A925000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x8A92D000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x8E574000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x8E566000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x8C9A6000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x8E491000 \SystemRoot\System32\drivers\tcpip.sys
    0x8E478000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x8E463000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x8DED9000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0x8E443000 \SystemRoot\system32\DRIVERS\smb.sys
    0x8E7B9000 \SystemRoot\system32\drivers\afd.sys
    0x8CFD8000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0x8E411000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x8E7A3000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x8E403000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x8E790000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x8E755000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x8DEE3000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x8E715000 \??\C:\Windows\system32\drivers\dddsk.sys
    0x8E6C2000 \SystemRoot\system32\drivers\csc.sys
    0x8E6AB000 \SystemRoot\System32\Drivers\dfsc.sys
    0x8E684000 \SystemRoot\System32\Drivers\aswSP.SYS
    0x8DE16000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x8A842000 \SystemRoot\System32\Drivers\dump_dumpata.sys
    0x8C9EE000 \SystemRoot\System32\Drivers\dump_msahci.sys
    0x8A827000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
    0x8E612000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0x8C9AF000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0x8A4CB000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0x8E15C000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0x8A8E5000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x94200000 \SystemRoot\System32\win32k.sys
    0x8DEED000 \SystemRoot\System32\drivers\Dxapi.sys
    0x8E829000 \SystemRoot\system32\DRIVERS\monitor.sys
    0xA4C00000 \SystemRoot\System32\TSDDD.dll
    0xA4C10000 \SystemRoot\System32\cdd.dll
    0xA4805000 \SystemRoot\system32\drivers\luafv.sys
    0xA54B7000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
    0x8A885000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0xA6CF2000 \SystemRoot\system32\drivers\spsys.sys
    0x8A4BB000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0xA6C87000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x8DF15000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA5402000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x8C9E5000 \SystemRoot\system32\DRIVERS\asyncmac.sys
    0xAA269000 \SystemRoot\system32\drivers\HTTP.sys
    0xA8657000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0xAA210000 \SystemRoot\system32\DRIVERS\bowser.sys
    0xAAB0C000 \SystemRoot\System32\drivers\mpsdrv.sys
    0xAAAEC000 \SystemRoot\system32\drivers\mrxdav.sys
    0xAAACE000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xAAA95000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0xAAA83000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0xAAA5F000 \SystemRoot\System32\DRIVERS\srv2.sys
    0xAB76F000 \SystemRoot\System32\DRIVERS\srv.sys
    0xAB876000 \SystemRoot\system32\drivers\peauth.sys
    0x8DF33000 \SystemRoot\System32\Drivers\secdrv.SYS
    0x8E95B000 \SystemRoot\System32\drivers\tcpipreg.sys
    0xAAA4A000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
    0xAAA38000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
    0xA552A000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0xA685F000 \??\C:\Users\TOSHIA~1\AppData\Local\Temp\awldruod.sys
    0x777E0000 \Windows\System32\ntdll.dll

    Processes (total 54):
    0 System Idle Process
    4 System
    428 C:\Windows\System32\smss.exe
    496 csrss.exe
    540 C:\Windows\System32\wininit.exe
    548 csrss.exe
    580 C:\Windows\System32\winlogon.exe
    628 C:\Windows\System32\services.exe
    640 C:\Windows\System32\lsass.exe
    648 C:\Windows\System32\lsm.exe
    804 C:\Windows\System32\svchost.exe
    860 C:\Windows\System32\svchost.exe
    900 C:\Windows\System32\svchost.exe
    1028 C:\Windows\System32\svchost.exe
    1064 C:\Windows\System32\svchost.exe
    1104 C:\Windows\System32\svchost.exe
    1160 C:\Windows\System32\audiodg.exe
    1200 C:\Windows\System32\SLsvc.exe
    1296 C:\Windows\System32\svchost.exe
    1412 C:\Windows\System32\svchost.exe
    1520 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    1528 C:\Windows\System32\wlanext.exe
    1840 C:\Windows\System32\dwm.exe
    356 C:\Windows\System32\spoolsv.exe
    456 C:\Windows\System32\svchost.exe
    1280 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    1812 C:\Program Files\Bonjour\mDNSResponder.exe
    1384 C:\Windows\System32\svchost.exe
    2080 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    2100 C:\Windows\System32\svchost.exe
    2160 C:\Windows\System32\svchost.exe
    2208 C:\Windows\System32\SearchIndexer.exe
    2264 WUDFHost.exe
    2552 C:\Windows\System32\taskeng.exe
    2776 C:\Windows\System32\taskeng.exe
    2992 C:\Program Files\Windows Defender\MSASCui.exe
    3004 C:\Windows\System32\igfxsrvc.exe
    3072 C:\Windows\RtHDVCpl.exe
    3108 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    3152 C:\Windows\System32\igfxtray.exe
    3160 C:\Windows\System32\hkcmd.exe
    3168 C:\Windows\System32\igfxpers.exe
    3176 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    3184 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    3232 C:\Program Files\iTunes\iTunesHelper.exe
    3428 C:\Windows\System32\wbem\unsecapp.exe
    3504 WmiPrvSE.exe
    2508 C:\Program Files\iPod\bin\iPodService.exe
    2432 C:\Windows\explorer.exe
    1848 C:\Program Files\Mozilla Firefox\firefox.exe
    3068 C:\Program Files\Mozilla Firefox\plugin-container.exe
    3420 C:\Windows\System32\mobsync.exe
    3596 C:\Program Files\Windows Media Player\wmplayer.exe
    1612 C:\Users\ToshiaUser\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)

    PhysicalDrive0 Model Number: TOSHIBAMK1032GSX, Rev: AS021G

    Size Device Name MBR Status
    --------------------------------------------
    93 GB \\.\PhysicalDrive0 Windows 2008 MBR code detected
    SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


    Done!
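To make the MBRCheck report above concrete, here is an added Python example (not part of the thread and not MBRCheck's code) that parses a 512-byte master boot record, derives the partition byte offset MBRCheck prints for C: (0x100000 is LBA 2048 times 512), and classifies the boot code by SHA-1 against an allowlist of known-good hashes, the same kind of check behind the "Windows 2008 MBR code detected" line. The sample sector, its allowlist entry and the tampered copy are constructed here; the page does not state which bytes MBRCheck hashes, so hashing the first 440 bytes (the loader code, before the disk signature and partition table) is this example's own choice.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

SECTOR = 512
BOOT_CODE_LEN = 440            # bytes 0..439 hold the boot loader code
PART_TABLE_OFF = 446           # four 16-byte partition entries at 446..509
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xaa"         # bytes 510..511


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    start_lba: int
    sectors: int

    @property
    def byte_offset(self) -> int:
        """Offset MBRCheck-style tools print for the volume, assuming 512-byte sectors."""
        return self.start_lba * SECTOR


def parse_mbr(sector: bytes) -> List[Partition]:
    """Validate the boot signature and return the non-empty partition table entries."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected a {SECTOR}-byte sector, got {len(sector)}")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return parts


def boot_code_sha1(sector: bytes) -> str:
    """SHA-1 of the loader code only, so a partition-table edit does not change the result."""
    return hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper()


def classify_boot_code(sector: bytes, known: Dict[str, str]) -> str:
    """Look the boot-code hash up in an allowlist; anything unknown is treated as suspect."""
    return known.get(boot_code_sha1(sector), "UNKNOWN boot code (not in allowlist; treat as possibly infected)")


def build_sample_mbr() -> bytes:
    """Constructed sample sector: a stub loader, one bootable NTFS partition at LBA 2048 (not a real Windows MBR)."""
    code = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 8)
    disk_sig = b"\xDE\xAD\xBE\xEF" + b"\x00\x00"        # 4-byte NT disk signature + 2 reserved bytes
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 195_000_000)
    table = entry + b"\x00" * 48                        # remaining three slots empty
    mbr = code + disk_sig + table + BOOT_SIG
    assert len(mbr) == SECTOR
    return mbr


def tamper_boot_code(sector: bytes) -> bytes:
    """Overwrite the start of the loader with a short jump, leaving the partition table untouched."""
    patched = bytearray(sector)
    patched[0:3] = b"\xEB\x3C\x90"
    return bytes(patched)


if __name__ == "__main__":
    clean = build_sample_mbr()
    known = {boot_code_sha1(clean): "constructed sample MBR code"}   # allowlist entry is constructed, not a real Windows hash
    for label, sector in (("clean", clean), ("tampered", tamper_boot_code(clean))):
        for p in parse_mbr(sector):
            print(f"{label}: partition {p.index} type 0x{p.type_id:02X} bootable={p.bootable} at offset 0x{p.byte_offset:X}")
        print(f"{label}: SHA1 {boot_code_sha1(sector)} -> {classify_boot_code(sector, known)}")
```

The point the two runs make is the one MBRCheck's report makes: a bootkit can leave the partition table, and therefore every volume and file on the disk, exactly as it was, while the code that runs before Windows is replaced, so the partition listing alone proves nothing and only the hash of the boot code does. Reading the real sector on Windows needs administrator rights and a raw handle to \\.\PhysicalDrive0, which is why MBRCheck has to be run elevated on Vista.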
     
  12. 2010/08/21
    broni (Moderator, Malware Analyst)

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  13. 2010/08/23
    Jessiah (Thread Starter)

    Caused an error when the system was rebooted.
     
  14. 2010/08/23
    broni (Moderator, Malware Analyst)

    Happens.
    Re-run it, please.
     