
Solved Virus wont let me update my anti virus and redirects internet

Discussion in 'Malware and Virus Removal Archive' started by Chanvlan, 2009/02/17.

  1. 2009/02/17
    Chanvlan

    Chanvlan Inactive Thread Starter

    Joined:
    2009/02/17
    Messages:
    12
    Likes Received:
    0
    [Resolved] Virus wont let me update my anti virus and redirects internet

    I'm having the same problem as you, except I'm using Trend Micro. If you get it fixed I'll try what you do; if not I'll post my own. *fingers crossed* this gets fixed!

    Also, do you know if it would be possible for this "virus" to get onto a disk if I was to burn my files to a disk?
     
    Last edited: 2009/02/17
  2. 2009/02/17
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Please do not hijack an existing thread, especially not in this forum, where each analysis/recommendation is specific to the OP's system. Moved to new thread.
    NO

    Read *** READ THIS BEFORE POSTING IN THIS FORUM *** and post the logs requested in this thread.
     

  4. 2009/02/17
    Chanvlan

    Chanvlan Inactive Thread Starter

    Joined:
    2009/02/17
    Messages:
    12
    Likes Received:
    0
    OK, well, I started getting problems when I got the Autorun.exe virus; however, I removed that with Autorun Eater.

    However, after this my antivirus software, Trend Micro Internet Security 2008, would not update. This was also the same when I installed and tried to update Malwarebytes and Kaspersky. I tried installing Malwarebytes from a disk with renamed .exe's and then ran a scan; however, that did not work either. I have just installed Trend Micro Pro 2009, as I bought it because my old one expired, but that will not update either. I tried a manual update; however, when that is run it starts up the uninstall program.

    When I try to run Internet Explorer my system will freeze with just a blank white Internet Explorer page open and I have to reboot. It also freezes when I try to run the program Steam. Sometimes when my computer is being turned on it will come up with a black screen just before the logon screen, although my mouse is visible. I also have problems with my internet being redirected and popups appearing randomly.

    Appreciate any help you could give!

    Here are the logs requested.

    Attach:

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-02-01.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 16/11/2008 12:56:51 PM
    System Uptime: 18/02/2009 7:35:14 AM (0 hours ago)

    Motherboard: MICRO-STAR INTERNATIONAL CO.,LTD | | MS-7388
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4600+ | CPU 1 | 2400/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 699 GiB total, 634.246 GiB free.
    D: is CDROM ()
    E: is FIXED (NTFS) - 149 GiB total, 72.037 GiB free.
    F: is FIXED (FAT32) - 233 GiB total, 141.092 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 10/02/2009 5:08:07 PM - Installed Trend Micro Internet Security
    RP2: 10/02/2009 5:45:11 PM - Installed Trend Micro Internet Security
    RP3: 17/02/2009 4:46:19 PM - System Checkpoint
    RP4: 17/02/2009 5:06:15 PM - Installed Trend Micro Internet Security

    ==== Installed Programs ======================


    Acrobat.com
    Adobe AIR
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 10 ActiveX
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Reader 9
    Adobe Setup
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    Allied Intent Xtended 2.0
    ATI - Software Uninstall Utility
    Atomic Alarm Clock 5.81
    AutoUpdate
    Battlefield 2(TM)
    Battlefield 2: Special Forces
    Battlefield Pirates 2 Release 2
    Call of Duty(R) - World at War(TM)
    Call of Duty(R) 4 - Modern Warfare(TM)
    Call of Duty(R) 4 - Modern Warfare(TM) 1.2 Patch
    Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch
    Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Multiplayer Patch
    Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Patch
    Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
    Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
    CCleaner (remove only)
    Choice Guard
    Defraggler (remove only)
    DivX Codec
    DivX Converter
    DivX Player
    DivX Version Checker
    FarCry 2
    Flickr Uploadr 3.0.5
    GameArena The Arena
    GameSpy Arcade
    High Definition Audio Driver Package - KB888111
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    ImagXpress
    IrfanView (remove only)
    iriver plus 3 (remove only)
    Java(TM) 6 Update 11
    Java(TM) 6 Update 4
    Junk Mail filter update
    LimeWire PRO 4.17.0
    Messenger Plus! Live
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft Age of Empires II
    Microsoft Age of Empires II: The Conquerors Expansion
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    MioNet
    Monster Trucks Nitro Demo
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    Mumble and Murmur
    neroxml
    NVIDIA Drivers
    NVIDIA PhysX v8.10.13
    PDF Settings
    Portal
    Project Reality 0856 Core
    Project Reality 0856 Levels
    PRSP v0.8
    PunkBuster Services
    Realtek High Definition Audio Driver
    Saitek SST Programming Software
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Segoe UI
    Skype™ 3.8
    Steam
    Team Fortress 2
    TeamSpeak 2 RC2
    TeamSpeak Overlay BETA 2 (#63)
    TI Connect 1.6
    Trend Micro Internet Security Pro
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Vuze
    Vuze Toolbar
    WebFldrs XP
    Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Search 4.0
    Windows XP Service Pack 3
    WinRAR archiver
    Xfire (remove only)

    ==== Event Viewer Messages From Past Week ========

    11/02/2009 8:02:51 AM, error: Service Control Manager [7001] - The Trend Micro Personal Firewall service depends on the Trend Micro Unauthorized Change Prevention Service service which failed to start because of the following error: The dependency service or group failed to start.
    11/02/2009 8:02:51 AM, error: Service Control Manager [7001] - The Trend Micro Unauthorized Change Prevention Service service depends on the tmactmon service which failed to start because of the following error: A device attached to the system is not functioning.
    11/02/2009 8:02:51 AM, error: Service Control Manager [7000] - The tmactmon service failed to start due to the following error: A device attached to the system is not functioning.
    11/02/2009 8:02:39 AM, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    11/02/2009 8:14:31 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    11/02/2009 8:14:44 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments " " in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    11/02/2009 8:14:49 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    11/02/2009 8:14:49 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/02/2009 8:14:49 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    11/02/2009 8:14:49 AM, error: Service Control Manager [7001] - The ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/02/2009 8:14:49 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    11/02/2009 8:14:49 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK8 Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip tmtdi
    11/02/2009 8:15:12 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments " " in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    12/02/2009 7:26:15 PM, error: Dhcp [1002] - The IP address lease 192.168.1.5 for the Network Card with network address 002185364D25 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
    16/02/2009 8:40:53 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume3'. It has stopped monitoring the volume.

    ==== End Of File ===========================

    DDS:


    DDS (Ver_09-02-01.01) - NTFSx86
    Run by Jordan at 7:56:33.37 on Wed 18/02/2009
    Internet Explorer: 7.0.5730.13
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1488 [GMT 10:00]

    AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated)
    FW: Trend Micro Personal Firewall *enabled*

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\Program Files\AskBarDis\bar\bin\AskService.exe
    C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\Program Files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\ProToolbarUpdate.exe
    C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
    C:\Program Files\Trend Micro\TrendSecure\TISProToolbar\PlatformDependent\ProToolbarComm.exe
    C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\kdfmgr.exe
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Documents and Settings\Jordan\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://ninemsn.com.au/
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
    BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    BHO: TSToolbarBHO: {43c6d902-a1c5-45c9-91f6-fd9e90337e18} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
    BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    TB: Trend Micro Toolbar: {ccac5586-44d7-4c43-b64a-f042461a97d2} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
    uRun: [SkinClock] c:\program files\atomic alarm clock\AtomicAlarmClock.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [WinSys2] c:\windows\system32\winsys2.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [Profiler] c:\program files\saitek\software\ProfilerU.exe
    mRun: [SaiMfd] c:\program files\saitek\software\SaiMfd.exe
    mRun: [MioNet] c:\program files\mionet\MioNetLauncher.exe /p
    mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe "
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    Trusted Zone: com.tw\asia.msi
    Trusted Zone: com.tw\global.msi
    Trusted Zone: com.tw\www.msi
    DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1226818198669
    DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\trend micro\trendsecure\tisprotoolbar\TSToolbar.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

    ============= SERVICES / DRIVERS ===============

    R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2008-12-11 464264]
    R2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2008-12-11 234888]
    R2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\trend micro\trendsecure\securityactivitydashboard\tmarsvc.exe [2009-2-17 181584]
    R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-2-17 49680]
    R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-2-17 492888]
    R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-8-15 36368]
    R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-2-17 677128]
    R3 SaiH075C;SaiH075C;c:\windows\system32\drivers\SaiH075C.sys [2008-12-11 176640]
    R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-8-15 334352]
    S2 MioNet;MioNet;c:\program files\mionet\MioNetManager.exe [2008-6-10 139264]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

    =============== Created Last 30 ================

    2009-02-17 19:03 722,472 a------- c:\windows\system32\kdfmgr.exe
    2009-02-17 19:03 192,512 a------- c:\windows\system32\kdfvmgr.exe
    2009-02-17 19:03 77,824 a------- c:\windows\system32\kdfapi.dll
    2009-02-17 19:03 53,248 a------- c:\windows\system32\Kdfhok.dll
    2009-02-17 19:03 <DIR> --d----- c:\windows\kdefense
    2009-02-17 19:03 846,336 a------- c:\windows\system32\kdfinj.dll
    2009-02-17 17:09 <DIR> --d----- c:\windows\LocalSSL
    2009-02-17 17:08 144,912 a------- c:\windows\system32\drivers\tmcomm.sys
    2009-02-17 17:08 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
    2009-02-17 17:08 49,680 a------- c:\windows\system32\drivers\tmevtmgr.sys
    2009-02-17 17:06 <DIR> --d----- c:\program files\Trend Micro
    2009-02-13 18:22 <DIR> --d----- c:\docume~1\jordan\applic~1\Mumble
    2009-02-13 18:20 <DIR> --d----- c:\program files\Mumble
    2009-02-05 16:20 <DIR> --d----- c:\docume~1\jordan\applic~1\Malwarebytes
    2009-02-05 16:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-02-05 15:54 <DIR> --d----- c:\program files\common files\Download Manager
    2009-02-04 17:11 49,536 a------- c:\windows\system32\drivers\tiehdusb.sys
    2009-02-04 17:11 21,456 a------- c:\windows\system32\drivers\SilvrLnk.sys
    2009-02-04 17:10 <DIR> --d----- c:\program files\TI Education
    2009-02-04 17:10 <DIR> --d----- c:\program files\common files\TI Shared
    2009-02-03 18:07 <DIR> --d----- c:\program files\Atomic Alarm Clock
    2009-01-23 09:38 <DIR> --d----- c:\program files\MSXML 4.0
    2009-01-23 09:33 8 a------- c:\windows\system32\nvModes.dat
    2009-01-22 19:19 <DIR> --d----- c:\windows\Downloaded Installations
    2009-01-22 17:02 <DIR> --d----- c:\program files\Nero
    2009-01-22 17:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
    2009-01-22 16:27 717,296 a------- c:\windows\system32\drivers\sptd.sys

    ==================== Find3M ====================

    2009-02-15 20:36 140,216 a------- c:\windows\system32\drivers\PnkBstrK.sys
    2009-02-15 20:34 201,352 a------- c:\windows\system32\PnkBstrB.exe
    2009-02-11 15:49 0 a------- c:\windows\system32\drivers\lvuvc.hs
    2009-01-15 15:09 25,280 a------- c:\windows\system32\drivers\hamachi.sys
    2008-12-26 10:25 66,872 a------- c:\windows\system32\PnkBstrA.exe
    2008-12-26 10:11 22,328 a------- c:\docume~1\jordan\applic~1\PnkBstrK.sys
    2008-12-25 19:19 682,280 a------- c:\windows\system32\pbsvc.exe
    2008-12-13 10:55 410,984 a------- c:\windows\system32\deploytk.dll
    2008-12-12 06:37 42,320 a------- c:\windows\system32\xfcodec.dll
    2008-12-11 10:33 200,704 a------- c:\windows\system32\dtu100.dll
    2008-12-11 10:33 86,016 a------- c:\windows\system32\dpl100.dll
    2008-12-09 12:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
    2008-12-09 12:28 344,064 a------- c:\windows\system32\dpus11.dll
    2008-12-09 12:28 294,912 a------- c:\windows\system32\dpu11.dll
    2008-12-09 12:28 57,344 a------- c:\windows\system32\dpv11.dll
    2008-12-02 22:37 49,480 a------- c:\windows\system32\sirenacm.dll

    ============= FINISH: 7:56:49.09 ===============
     
  5. 2009/02/17
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi chanvlan

    I see you have P2P software (LimeWire, Vuze, BitTorrent, uTorrent, etc.) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

    References for the risk of these programs are here, and here.

    I would strongly recommend that you uninstall them.

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at WindowsBBS Malware and Virus removal.

    Please see if you can run this and post the log.

    Download RootRepeal.zip to your Desktop.
    • Extract the compressed file to its own folder.
    • Open the folder and doubleclick on RootRepeal.exe to run it.
    • Click on the Report tab, and then click on: Scan
    • A window opens asking what to include in the scan.
    • Check the following boxes then click OK:
      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services
    • You will then be asked which drive to scan.
    • Check C: (or the drive your operating system is installed on, if not C)
    • Click OK once again.
    The tool will begin scanning and may take a while to complete, so please be patient.

    When the scan finishes, click on: Save Report
    Name the log RootRepeal.txt and save it to your Documents folder (it should default there).

    Post the contents of the report in a reply here.

    Thanks
    Geri
     
  6. 2009/02/17
    Chanvlan

    Chanvlan Inactive Thread Starter

    Joined:
    2009/02/17
    Messages:
    12
    Likes Received:
    0
    Thank you for the quick reply. I will uninstall my P2P programs ASAP; I am aware of the danger that they can be to a system, and am very careful. However, if you believe this could be a cause I will do as you say and remove them.

    I will post the reply as soon as I have removed those programs.
     
  7. 2009/02/18
    Chanvlan

    Chanvlan Inactive Thread Starter

    Joined:
    2009/02/17
    Messages:
    12
    Likes Received:
    0
    Well, it was very difficult, but in the end I managed to get it onto here after 3 reboots due to the subsequent freezing from scanning.
    Hope it helps!

    ROOTREPEAL (c) AD, 2007-2008
    ==================================================
    Scan Time: 2009/02/18 20:50
    Program Version: Version 1.2.3.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xB31AB000 Size: 98304 File Visible: No
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xBADF8000 Size: 8192 File Visible: No
    Status: -

    Name: gaopdxbrrnkciq.sys
    Image Path: C:\WINDOWS\system32\drivers\gaopdxbrrnkciq.sys
    Address: 0xB3440000 Size: 172032 File Visible: -
    Status: Hidden from Windows API!

    Name: PCI_PNP6500
    Image Path: \Driver\PCI_PNP6500
    Address: 0x00000000 Size: 0 File Visible: No
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xB1358000 Size: 45056 File Visible: No
    Status: -

    Name: spkx.sys
    Image Path: spkx.sys
    Address: 0xBA6A7000 Size: 1048576 File Visible: No
    Status: -

    Name: sptd
    Image Path: \Driver\sptd
    Address: 0x00000000 Size: 0 File Visible: No
    Status: -

    Hidden/Locked Files
    -------------------
    Path: C:\Documents and Settings\Jordan\ntuser.dat.LOG
    Status: Size mismatch (API: 1024, Raw: 397312)

    Path: C:\Documents and Settings\NetworkService\ntuser.dat.LOG
    Status: Size mismatch (API: 1024, Raw: 40960)

    Path: C:\WINDOWS\Prefetch\WMIADAP.EXE-2DF425B2.pf
    Status: Size mismatch (API: 46790, Raw: 46834)

    Path: C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf
    Status: Size mismatch (API: 69336, Raw: 71810)

    Path: C:\WINDOWS\Prefetch\ROOTREPEAL.EXE-2CA224A8.pf
    Status: Size mismatch (API: 16000, Raw: 15988)

    Path: C:\WINDOWS\system32\gaopdxcounter
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\gaopdxjcblamtp.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\drivers\gaopdxbrrnkciq.sys
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\drivers\gaopdxnspnyxmy.sys
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\drivers\gaopdxrodlrhsq.sys
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\drivers\gaopdxupxexrbm.sys
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\drivers\gaopdxurirvkop.sys
    Status: Invisible to the Windows API!

    Path: C:\Documents and Settings\Jordan\Local Settings\Temp\Temporary Internet Files\Content.IE5\5YAGBX3P\totype.js,$js$effects.js,$js$swfobject.js,$js$core.js,$js$json.js,$js$swt_message.js,$js$browse.js,$js$browse_resize.js,$js$browse_accordion.js,$js$magnet.js,$js$browser_az[1].js
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Jordan\Local Settings\Temp\Temporary Internet Files\Content.IE5\5YAGBX3P\1LQCAGYATM4CAKBV1DQCABW0E5WCA9RH2XWCAJDURR3CA6TQ9WUCAY2RJOWCAKHL61OCA99X1O7CARFNKP9CA0HPZIBCA5MEY2RCAHP13CFCABW8C4CCAAXFZGOCA8IL3XWCAJP8813CAYAQU5LCA9E9IBCCAI5D3WZCAKZDHVV.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Jordan\Local Settings\Temp\Temporary Internet Files\Content.IE5\5YAGBX3P\4TFCAD94FY3CAOYU4VWCAC7CGRKCAKYH3D7CAWJ8A8GCA33O21ICALN9BCNCA5SXEOPCA715L69CAFZ4EC3CALON6HTCA2S4VYKCAWFHYQMCAC5KG6ECABJFZAQCAHFDAG7CAA07E80CA19MPVSCA8Z7YUUCAZPYNV0CALZKNQU.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Jordan\Local Settings\Temp\Temporary Internet Files\Content.IE5\DL65E2T3\DHGCATRTSS9CADPF2GZCAHM37OBCA8K4R5TCAKV3B8OCA3OJ1B9CA52UH30CANRSWJ9CA19GETACAWRAKITCA6AGAN6CADCA8SPCAKZVKIFCA1X5C72CAU9DCYHCA03THDJCAXMDA1LCAON0C8OCAJ9TNFYCA0T18D2CA9IHYG1.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Jordan\Local Settings\Temp\Temporary Internet Files\Content.IE5\DL65E2T3\FGQCA67LICXCAZLW00ICATMLPVJCAQHA5T7CACMRT8ECA5PSDOOCAY0OOKJCAHFUASRCA4P0IBKCAHAUR4WCASLMKBGCAMCK5ZUCAERWAGDCAT8JZLPCA7YNBBACAMCLLT5CA12PCTVCAPHGMFZCAHUMRTSCA8EFFEMCA0RO050.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Jordan\Local Settings\Temp\Temporary Internet Files\Content.IE5\DL65E2T3\c;kpu=polydor;kr=F;kt=K;ko=p;kpid=6;afc=1;kga=-1;k2=590;k1=rock;kp=1;u=lDGzB82bIZc%7C6;kgg=-1;kcr=au;custp=R6xN1vlXxFWaIsLw-hA_qA;dc_dedup=1;ptile=1;dcopt=ist;ord=4790644[1].htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Jordan\Local Settings\Temp\Temporary Internet Files\Content.IE5\DL65E2T3\otype.js,$js$effects.js,$js$swfobject.js,$js$core.js,$js$json.js,$js$swt_message.js,$js$browse.js,$js$browse_resize.js,$js$browse_accordion.js,$js$magnet.js,$js$browser_az[1].jsz
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Jordan\Local Settings\Temp\Temporary Internet Files\Content.IE5\DL65E2T3\YN1CA20HH1PCAE9S5HVCAWXEXPTCA8O1091CA2GQTBTCAM214NPCAQM0XTSCATOEJT3CAXM1B3MCAKA4NZECA5PEPO3CAH7CHU8CAAM1CGRCAUIA9EWCAK2JZCWCA10LQA5CA2REDRKCA2GFZ12CA0LLKTQCA9HXMK3CANRUE58.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Jordan\Local Settings\Temp\Temporary Internet Files\Content.IE5\U0R61H9D\9K9CAUFH69DCAYG8ZWWCAGB8LKMCAVKW9DLCA3PN6QACAHE5DBYCAMR9RMACADDR2F8CAYI3FFNCA48USUZCAGDN413CAA9T15KCA7NWG8ICAWUAVY3CA8I290MCAYS8WP5CA18KGXQCAMLVJH3CA16YK7DCASGUXQFCALHHE6S.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Jordan\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZTKB8X3O\S8RCAXYSW82CAQG8K59CAIQJ5R2CAY4M2SMCAE61LFCCA35U8XFCAK6Q3QHCACX9UUJCA5U4KMVCADDNMDFCAZ2L1DDCAEEAHD1CAXXPOAKCA70PSSQCA2XTJNCCAQ7WLY7CAS00CLECALJSIQ4CAWIZ0WTCAQ88SH5CAKRO0O5.htm
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Jordan\Local Settings\Application Data\Microsoft\Messenger\Removed by Mod\SharingMetadata\Removed by Mod\DFSR\Staging\CS{B2808860-A973-0ED2-9E98-59358D715D20}\01\15-{B2808860-A973-0ED2-9E98-59358D715D20}-v1-{18852D50-22F4-428E-BF73-1FCF8C1E9482}-v15-Downloaded.frx
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Jordan\Local Settings\Application Data\Microsoft\Messenger\Removed by Mod\SharingMetadata\Removed by Mod\DFSR\Staging\CS{E9BB34E2-A4F7-7B83-13AC-AC0A49CAA596}\01\86-{E9BB34E2-A4F7-7B83-13AC-AC0A49CAA596}-v1-{18852D50-22F4-428E-BF73-1FCF8C1E9482}-v86-Downloaded.frx
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Jordan\My Documents\Jordan\USB [] Last updated Thursday 28th of AUGUST\Documents\Downloads\Stuff\Internet Explorer\Thinking Games\Meqon Dynamics\DATA\CHAR\ANIMCHAR.XML:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
    Status: Invisible to the Windows API!

    Path: C:\Documents and Settings\Jordan\My Documents\Jordan\USB [] Last updated Thursday 28th of AUGUST\Documents\Downloads\Stuff\Internet Explorer\Thinking Games\Meqon Dynamics\DATA\CHAR\ANIMCHAR.XML:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
    Status: Invisible to the Windows API!

    SSDT
    -------------------
    #: 041 Function Name: NtCreateKey
    Status: Hooked by "<unknown>" at address 0x8991dcc0

    #: 047 Function Name: NtCreateProcess
    Status: Hooked by "<unknown>" at address 0x8991d1c0

    #: 048 Function Name: NtCreateProcessEx
    Status: Hooked by "<unknown>" at address 0x8991d480

    #: 050 Function Name: NtCreateSection
    Status: Hooked by "<unknown>" at address 0x8991e980

    #: 053 Function Name: NtCreateThread
    Status: Hooked by "<unknown>" at address 0x8991ee60

    #: 063 Function Name: NtDeleteKey
    Status: Hooked by "<unknown>" at address 0x8991e240

    #: 065 Function Name: NtDeleteValueKey
    Status: Hooked by "<unknown>" at address 0x8991e500

    #: 071 Function Name: NtEnumerateKey
    Status: Hooked by "spkx.sys" at address 0xba6c6ca2

    #: 073 Function Name: NtEnumerateValueKey
    Status: Hooked by "spkx.sys" at address 0xba6c7030

    #: 097 Function Name: NtLoadDriver
    Status: Hooked by "<unknown>" at address 0x8991f000

    #: 119 Function Name: NtOpenKey
    Status: Hooked by "spkx.sys" at address 0xba6a80c0

    #: 122 Function Name: NtOpenProcess
    Status: Hooked by "<unknown>" at address 0x8991d740

    #: 125 Function Name: NtOpenSection
    Status: Hooked by "<unknown>" at address 0x8991eb20

    #: 160 Function Name: NtQueryKey
    Status: Hooked by "spkx.sys" at address 0xba6c7108

    #: 177 Function Name: NtQueryValueKey
    Status: Hooked by "spkx.sys" at address 0xba6c6f88

    #: 247 Function Name: NtSetValueKey
    Status: Hooked by "<unknown>" at address 0x8991df80

    #: 257 Function Name: NtTerminateProcess
    Status: Hooked by "<unknown>" at address 0x8991da00

    #: 277 Function Name: NtWriteVirtualMemory
    Status: Hooked by "<unknown>" at address 0x8991ecc0

    Stealth Objects
    -------------------
    Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
    Process: System Address: 0x8a5cc1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
    Process: System Address: 0x8a5cc1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
    Process: System Address: 0x8a5cc1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
    Process: System Address: 0x8a5cc1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x8a5cc1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x8a5cc1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
    Process: System Address: 0x8a5cc1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
    Process: System Address: 0x8a5cc1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x8a5cc1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x8a5cc1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x8a5cc1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x8a5cc1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x8a5cc1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x8a5cc1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x8a5cc1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x8a5cc1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
    Process: System Address: 0x8a5cc1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
    Process: System Address: 0x8a5cc1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
    Process: System Address: 0x8a5cc1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
    Process: System Address: 0x8a5cc1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
    Process: System Address: 0x8a5cc1f8 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
    Process: System Address: 0x8a5cc1f8 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
    Process: System Address: 0x89ae21f8 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
    Process: System Address: 0x89ae21f8 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
    Process: System Address: 0x89ae21f8 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
    Process: System Address: 0x89ae21f8 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x89ae21f8 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x89ae21f8 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
    Process: System Address: 0x89ae21f8 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
    Process: System Address: 0x89ae21f8 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x89ae21f8 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x89ae21f8 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x89ae21f8 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x89ae21f8 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x89ae21f8 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x89ae21f8 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x89ae21f8 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x89ae21f8 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
    Process: System Address: 0x89ae21f8 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
    Process: System Address: 0x89ae21f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE_NAMED_PIPE]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_CLOSE]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_READ]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_WRITE]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_EA]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_SET_EA]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_CLEANUP]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE_MAILSLOT]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_SECURITY]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_SET_SECURITY]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_POWER]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_DEVICE_CHANGE]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_QUOTA]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_SET_QUOTA]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: nvata, IRP_MJ_PNP]
    Process: System Address: 0x8a5cd1f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
    Process: System Address: 0x8a45a1f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
    Process: System Address: 0x8a45a1f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
    Process: System Address: 0x8a45a1f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
    Process: System Address: 0x8a45a1f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x8a45a1f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x8a45a1f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x8a45a1f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x8a45a1f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
    Process: System Address: 0x8a45a1f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x8a45a1f8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
    Process: System Address: 0x8a45a1f8 Size: -

    Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
    Process: System Address: 0x89af21f8 Size: -

    Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
    Process: System Address: 0x89af21f8 Size: -

    Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
    Process: System Address: 0x89af21f8 Size: -

    Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
    Process: System Address: 0x89af21f8 Size: -

    Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x89af21f8 Size: -

    Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x89af21f8 Size: -

    Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
    Process: System Address: 0x89af21f8 Size: -

    Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x89af21f8 Size: -

    Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
    Process: System Address: 0x89af21f8 Size: -

    Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
    Process: System Address: 0x8a50b1f8 Size: -

    Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
    Process: System Address: 0x8a50b1f8 Size: -

    Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x8a50b1f8 Size: -

    Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x8a50b1f8 Size: -

    Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
    Process: System Address: 0x8a50b1f8 Size: -

    Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x8a50b1f8 Size: -

    Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
    Process: System Address: 0x8a50b1f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
    Process: System Address: 0x8a5ce1f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
    Process: System Address: 0x8a5ce1f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
    Process: System Address: 0x8a5ce1f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x8a5ce1f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x8a5ce1f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x8a5ce1f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x8a5ce1f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
    Process: System Address: 0x8a5ce1f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
    Process: System Address: 0x8a5ce1f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x8a5ce1f8 Size: -

    Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
    Process: System Address: 0x8a5ce1f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
    Process: System Address: 0x89b0b1f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
    Process: System Address: 0x89b0b1f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x89b0b1f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x89b0b1f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
    Process: System Address: 0x89b0b1f8 Size: -

    Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
    Process: System Address: 0x89b0b1f8 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
    Process: System Address: 0x8a459500 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
    Process: System Address: 0x8a459500 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x8a459500 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x8a459500 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
    Process: System Address: 0x8a459500 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x8a459500 Size: -

    Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
    Process: System Address: 0x8a459500 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
    Process: System Address: 0x89afe1f8 Size: -

    Object: Hidden Code [Driver: Cdfsȅఐ卆浩Ļ, IRP_MJ_CREATE]
    Process: System Address: 0x89aec1f8 Size: -

    Object: Hidden Code [Driver: Cdfsȅఐ卆浩Ļ, IRP_MJ_CLOSE]
    Process: System Address: 0x89aec1f8 Size: -

    Object: Hidden Code [Driver: Cdfsȅఐ卆浩Ļ, IRP_MJ_READ]
    Process: System Address: 0x89aec1f8 Size: -

    Object: Hidden Code [Driver: Cdfsȅఐ卆浩Ļ, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x89aec1f8 Size: -

    Object: Hidden Code [Driver: Cdfsȅఐ卆浩Ļ, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x89aec1f8 Size: -

    Object: Hidden Code [Driver: Cdfsȅఐ卆浩Ļ, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x89aec1f8 Size: -

    Object: Hidden Code [Driver: Cdfsȅఐ卆浩Ļ, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x89aec1f8 Size: -

    Object: Hidden Code [Driver: Cdfsȅఐ卆浩Ļ, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x89aec1f8 Size: -

    Object: Hidden Code [Driver: Cdfsȅఐ卆浩Ļ, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x89aec1f8 Size: -

    Object: Hidden Code [Driver: Cdfsȅఐ卆浩Ļ, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x89aec1f8 Size: -

    Object: Hidden Code [Driver: Cdfsȅఐ卆浩Ļ, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x89aec1f8 Size: -

    Object: Hidden Code [Driver: Cdfsȅఐ卆浩Ļ, IRP_MJ_CLEANUP]
    Process: System Address: 0x89aec1f8 Size: -

    Object: Hidden Code [Driver: Cdfsȅఐ卆浩Ļ, IRP_MJ_PNP]
    Process: System Address: 0x89aec1f8 Size: -

    Hidden Services
    -------------------
    Service Name: gaopdxserv.sys
    Image Path: C:\WINDOWS\system32\drivers\gaopdxbrrnkciq.sys
     
    Last edited: 2009/02/18
  8. 2009/02/18
    Chanvlan

    Chanvlan Inactive Thread Starter

    Joined:
    2009/02/17
    Messages:
    12
    Likes Received:
    0
    Also, I thought it might be best to inform you that my computer cannot be turned off via the Start > Turn Off Computer button, as it will not bring up the menu to decide what you want to do, i.e. Standby, Turn Off, Restart.
     
  9. 2009/02/18
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi,
    OK, please do the following.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the ComboFix log.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.

    Thanks
    Geri
     
  10. 2009/02/19
    Chanvlan

    Chanvlan Inactive Thread Starter

    Joined:
    2009/02/17
    Messages:
    12
    Likes Received:
    0
    Well, getting this thing to run has been a journey over the moon and back, but I got it. Here's the log.

    Seems something called "gaopdx" was the problem. You probably know more than I do, so I'll just leave you to it.

    ComboFix 09-02-18.01 - Jordan 2009-02-20 7:57:52.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1613 [GMT 10:00]
    Running from: c:\documents and settings\Jordan\Desktop\ComboFix.exe
    AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
    FW: Trend Micro Personal Firewall *disabled*
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\drivers\gaopdxbrrnkciq.sys
    c:\windows\system32\drivers\gaopdxnspnyxmy.sys
    c:\windows\system32\drivers\gaopdxrodlrhsq.sys
    c:\windows\system32\drivers\gaopdxupxexrbm.sys
    c:\windows\system32\drivers\gaopdxurirvkop.sys
    c:\windows\system32\gaopdxcounter
    c:\windows\system32\gaopdxjcblamtp.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_gaopdxserv.sys


    ((((((((((((((((((((((((( Files Created from 2009-01-19 to 2009-02-19 )))))))))))))))))))))))))))))))
    .

    2009-02-17 19:03 . 2009-02-17 19:03 <DIR> d-------- c:\windows\kdefense
    2009-02-17 19:03 . 2009-02-17 19:03 846,336 --a------ c:\windows\system32\kdfinj.dll
    2009-02-17 19:03 . 2009-02-20 07:45 722,472 --a------ c:\windows\system32\kdfmgr.exe
    2009-02-17 19:03 . 2009-02-20 07:45 192,512 --a------ c:\windows\system32\kdfvmgr.exe
    2009-02-17 19:03 . 2009-02-20 07:45 77,824 --a------ c:\windows\system32\kdfapi.dll
    2009-02-17 19:03 . 2009-02-20 07:45 53,248 --a------ c:\windows\system32\Kdfhok.dll
    2009-02-17 17:09 . 2009-02-17 17:09 <DIR> d-------- c:\windows\LocalSSL
    2009-02-17 17:08 . 2008-08-15 08:23 144,912 --a------ c:\windows\system32\drivers\tmcomm.sys
    2009-02-17 17:08 . 2008-08-15 08:23 50,192 --a------ c:\windows\system32\drivers\tmactmon.sys
    2009-02-17 17:08 . 2008-08-15 08:23 49,680 --a------ c:\windows\system32\drivers\tmevtmgr.sys
    2009-02-17 17:06 . 2009-02-17 17:09 <DIR> d-------- c:\program files\Trend Micro
    2009-02-13 18:22 . 2009-02-13 18:56 <DIR> d-------- c:\documents and settings\Jordan\Application Data\Mumble
    2009-02-13 18:20 . 2009-02-13 18:38 <DIR> d-------- c:\program files\Mumble
    2009-02-05 16:20 . 2009-02-05 16:20 <DIR> d-------- c:\documents and settings\Jordan\Application Data\Malwarebytes
    2009-02-05 16:20 . 2009-02-05 16:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-02-05 15:54 . 2009-02-05 15:54 <DIR> d-------- c:\program files\Common Files\Download Manager
    2009-02-04 17:11 . 2004-02-04 10:27 49,536 --a------ c:\windows\system32\drivers\tiehdusb.sys
    2009-02-04 17:11 . 2004-01-28 15:03 21,456 --a------ c:\windows\system32\drivers\SilvrLnk.sys
    2009-02-04 17:10 . 2009-02-04 17:11 <DIR> d-------- c:\program files\TI Education
    2009-02-04 17:10 . 2009-02-04 17:10 <DIR> d-------- c:\program files\Common Files\TI Shared
    2009-02-03 18:07 . 2009-02-03 18:07 <DIR> d-------- c:\program files\Atomic Alarm Clock
    2009-01-23 09:38 . 2009-01-23 09:38 <DIR> d-------- c:\program files\MSXML 4.0
    2009-01-23 09:33 . 2009-01-23 09:34 8 --a------ c:\windows\system32\nvModes.dat
    2009-01-23 09:32 . 2009-01-23 09:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\nView_Profiles
    2009-01-22 19:19 . 2009-01-22 19:19 <DIR> d-------- c:\windows\Downloaded Installations
    2009-01-22 18:54 . 2009-01-22 18:54 <DIR> d-------- c:\documents and settings\Jordan\Application Data\Nero
    2009-01-22 17:02 . 2009-01-23 12:19 <DIR> d-------- c:\program files\Nero
    2009-01-22 17:01 . 2009-01-23 12:33 <DIR> d-------- c:\program files\Common Files\Nero
    2009-01-22 17:01 . 2009-01-23 12:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
    2009-01-22 16:27 . 2009-01-22 16:27 717,296 --a------ c:\windows\system32\drivers\sptd.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-02-19 21:48 --------- d-----w c:\program files\MioNet
    2009-02-19 11:57 --------- d-----w c:\documents and settings\Jordan\Application Data\MioNet
    2009-02-17 10:24 --------- d-----w c:\program files\Steam
    2009-02-17 10:08 --------- d-----w c:\program files\Messenger Plus! Live
    2009-02-17 09:01 --------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
    2009-02-15 10:36 140,216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
    2009-02-15 10:34 201,352 ----a-w c:\windows\system32\PnkBstrB.exe
    2009-02-15 10:33 --------- d-----w c:\documents and settings\Jordan\Application Data\Skype
    2009-02-15 10:02 --------- d-----w c:\documents and settings\Jordan\Application Data\skypePM
    2009-02-11 05:49 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
    2009-02-06 14:37 --------- d-----w c:\documents and settings\Jordan\Application Data\Azureus
    2009-02-05 05:57 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-02-04 07:10 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2009-02-01 07:36 --------- d-----w c:\documents and settings\Jordan\Application Data\LimeWire
    2009-01-23 02:17 --------- d-----w c:\program files\DivX
    2009-01-17 13:00 --------- d-----w c:\program files\Skype
    2009-01-17 13:00 --------- d-----w c:\program files\Common Files\Skype
    2009-01-17 13:00 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
    2009-01-17 11:29 --------- d-----w c:\program files\Common Files\logishrd
    2009-01-16 05:43 --------- d-----w c:\documents and settings\Jordan\Application Data\teamspeak2
    2009-01-15 05:17 --------- d-----w c:\program files\CCleaner
    2009-01-15 05:09 25,280 ----a-w c:\windows\system32\drivers\hamachi.sys
    2009-01-15 04:57 --------- d-----w c:\program files\GameSpy Arcade
    2009-01-14 10:19 --------- d-----w c:\program files\Windows Live SkyDrive
    2009-01-14 10:19 --------- d-----w c:\program files\Microsoft
    2008-12-26 00:40 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-26 00:25 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
    2008-12-26 00:11 22,328 ----a-w c:\documents and settings\Jordan\Application Data\PnkBstrK.sys
    2008-12-26 00:01 --------- d-----w c:\program files\Activision
    2008-12-25 09:19 682,280 ----a-w c:\windows\system32\pbsvc.exe
    2008-12-23 03:18 --------- d-----w c:\program files\TSO
    2008-12-20 06:23 --------- d-----w c:\program files\Flickr Uploadr
    2008-12-19 12:01 --------- d-----w c:\program files\Xfire
    2008-12-19 11:48 --------- d-----w c:\documents and settings\Jordan\Application Data\Xfire
    2008-12-13 00:55 410,984 ----a-w c:\windows\system32\deploytk.dll
    2008-12-11 20:37 42,320 ----a-w c:\windows\system32\xfcodec.dll
    2008-12-11 00:33 86,016 ----a-w c:\windows\system32\dpl100.dll
    2008-12-11 00:33 200,704 ----a-w c:\windows\system32\dtu100.dll
    2008-12-09 02:28 593,920 ----a-w c:\windows\system32\dpuGUI11.dll
    2008-12-09 02:28 57,344 ----a-w c:\windows\system32\dpv11.dll
    2008-12-09 02:28 344,064 ----a-w c:\windows\system32\dpus11.dll
    2008-12-09 02:28 294,912 ----a-w c:\windows\system32\dpu11.dll
    2008-12-02 12:37 49,480 ----a-w c:\windows\system32\sirenacm.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2008-11-24 20:25 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98} "= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-24 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98} "= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-24 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SkinClock"="c:\program files\Atomic Alarm Clock\AtomicAlarmClock.exe" [2008-09-18 529408]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-15 497008]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
    "WinSys2"="c:\windows\system32\winsys2.exe" [2008-03-04 208896]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-13 136600]
    "Profiler"="c:\program files\Saitek\Software\ProfilerU.exe" [2005-10-18 163840]
    "SaiMfd"="c:\program files\Saitek\Software\SaiMfd.exe" [2005-11-03 126976]
    "MioNet"="c:\program files\MioNet\MioNetLauncher.exe" [2008-06-10 32768]
    "UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-08-15 970808]
    "nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2008-04-10 c:\windows\RTHDCPL.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-08-15 497008]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"="c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.XFR1"= xfcodec.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=c:\windows\pss\Windows Search.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\MioNet\\MioNetManager.exe"=
    "c:\\Program Files\\MioNet\\jvm\\bin\\MioNet.exe"=
    "c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
    "c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
    "c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\far cry 2\\bin\\FarCry2.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\far cry 2\\bin\\FC2Editor.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\far cry 2\\bin\\FC2BenchmarkTool.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\far cry 2\\bin\\FC2ServerLauncher.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\common\\monster trucks nitro demo\\MonsterTrucksNitro.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\chanvlan_fmj\\team fortress 2\\hl2.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0
    "1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1
    "1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2
    "1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3
    "1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4
    "1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5
    "1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6
    "1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7
    "1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8
    "1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9
    "1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
    "1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
    "5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

    R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2008-12-11 464264]
    R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2008-12-11 234888]
    R2 MioNet;MioNet;c:\program files\MioNet\MioNetManager.exe [2008-06-10 139264]
    R2 Security Activity Dashboard Service;Security Activity Dashboard Service;c:\program files\Trend Micro\TrendSecure\SecurityActivityDashboard\tmarsvc.exe [2009-02-17 181584]
    R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-02-17 49680]
    R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-02-17 492888]
    R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-08-15 36368]
    R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-02-17 677128]
    R3 SaiH075C;SaiH075C;c:\windows\system32\drivers\SaiH075C.sys [2008-12-11 176640]
    R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-08-15 334352]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - NDISRD

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    \Shell\AutoRun\command - G:\LaunchU3.exe -a
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://ninemsn.com.au/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: com.tw\asia.msi
    Trusted Zone: com.tw\global.msi
    Trusted Zone: com.tw\www.msi
    Handler: tmtb - {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - c:\program files\Trend Micro\TrendSecure\TISProToolbar\TSToolbar.dll
    DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://liveupdate.msi.com.tw/autobios/LOnline/install.cab
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-02-20 08:01:32
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1292428093-1708537768-725345543-1004\Software\SecuROM\License information*]
    "datasecu"=hex:3e,44,84,95,cc,d5,cb,3a,00,4f,23,9a,f7,d2,d8,3b,ef,8f,03,1c,4b,
    4c,74,11,56,27,ee,11,4d,b5,3f,96,59,68,c1,71,d5,62,ae,75,42,9a,a2,79,df,18,\
    "rkeysecu"=hex:86,e4,cb,04,ba,e9,19,3d,e7,1a,9b,bc,9e,97,7d,49
    .
    Completion time: 2009-02-20 8:02:04
    ComboFix-quarantined-files.txt 2009-02-19 22:02:00

    Pre-Run: 685,798,141,952 bytes free
    Post-Run: 685,898,571,776 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

    237 --- E O F --- 2009-01-22 23:38:11
     
    Last edited: 2009/02/19
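As an added example (not ComboFix's own code, and not something posted by this thread's helper), the following Python script parses an excerpt in the layout ComboFix uses for its "Reg Loading Points" section above and flags the settings a helper reads first: Security Center monitoring switched off, the Windows Firewall standard profile disabled, globally open ports, an AutoRun handler bound to a drive letter, and executables under system32 started from a Run key (the category winsys2.exe falls into). The sample excerpt is constructed from entries in the log above; the parsing functions and severity labels are the example's own. Third-party security suites commonly set DisableMonitoring themselves so that Security Center does not double-report, so that finding is a check rather than a verdict.

```python
import re

# Constructed excerpt laid out the way ComboFix prints its "Reg Loading Points"
# section ([key] headers followed by "name"=value lines).  The entries are
# copied from the log posted above; this is an added example, not ComboFix code.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinSys2"="c:\windows\system32\winsys2.exe" [2008-03-04 208896]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-08-15 970808]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')


def parse_loading_points(text):
    """Map each [registry key] header to the (name, value) pairs listed under it.
    Lines that are not "name"=value (e.g. the mountpoints2 AutoRun line) are
    kept with name=None so nothing under a key is silently dropped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            sections[current].append((m.group(1), m.group(2).strip()))
        else:
            sections[current].append((None, line))
    return sections


def audit(text):
    """Return (severity, message) findings for the settings a helper checks."""
    findings = []
    for key, entries in parse_loading_points(text).items():
        lk = key.lower()
        leaf = key.rsplit("\\", 1)[-1]
        if "security center\\monitoring" in lk:
            # Suites often set this themselves: a check-it item, not a verdict.
            for name, value in entries:
                if name == "DisableMonitoring" and value.endswith("1"):
                    findings.append(("info", f"Security Center monitoring disabled for {leaf}"))
        elif lk.endswith("firewallpolicy\\standardprofile"):
            for name, value in entries:
                if name == "EnableFirewall" and value.startswith("0"):
                    findings.append(("high", "Windows Firewall disabled in the standard profile"))
        elif lk.endswith("globallyopenports\\list"):
            for name, value in entries:
                findings.append(("medium", f"Globally open port {name}: {value}"))
        elif "mountpoints2" in lk:
            for _name, value in entries:
                if "autorun" in value.lower():
                    findings.append(("medium", f"AutoRun handler on drive {leaf}: {value}"))
        elif lk.endswith("currentversion\\run"):
            # Executables under system32 launched from Run are the ones worth
            # submitting to a multi-engine scan, as winsys2.exe was above.
            for name, value in entries:
                path = value.split('"')[1] if value.startswith('"') else value
                if path.lower().endswith(".exe") and "\\system32\\" in path.lower():
                    findings.append(("review", f"Run entry {name} starts {path}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Run it against a real ComboFix.txt by reading the file and passing only the text between the "Reg Loading Points" banner and the "Supplementary Scan" banner to audit(); the parser ignores everything that is not a [key] header or a "name"=value line beneath one.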
  11. 2009/02/19
    Chanvlan

    Chanvlan Inactive Thread Starter

    Joined:
    2009/02/17
    Messages:
    12
    Likes Received:
    0
    omg . . . running ComboFix seems to have solved the problem! My Trend Micro is updating now =D

    Geri, you're a legend!

    I'll wait till you have read the ComboFix logs to be sure, and if you want any other logs after that, then I'll be happy to do so.

    Hope it's not just toying with me.

    Thanks again Geri!
     
  12. 2009/02/19
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Please do this.

    • Please go to Jotti's malware scan
    • Copy and paste the following file path into the "File to upload & scan" box at the top of the page, one at a time:
      • c:\windows\system32\winsys2.exe
    • Click on the submit button
    • Please post the results in your next reply.

    Thanks
    Geri
     
  13. 2009/02/20
    Chanvlan

    Chanvlan Inactive Thread Starter

    Joined:
    2009/02/17
    Messages:
    12
    Likes Received:
    0
    Is that the only one you want posted?

    "c:\windows\system32\winsys2.exe"

    File: winsys2.exe
    Status: OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: 27949ccd505a6be082d15547b1dff90d
    Packers detected: -

    Scan taken on 20 Feb 2009 07:58:14 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    G DATA Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing
     
    Last edited: 2009/02/20
  14. 2009/02/21
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Do you know what these are in your trusted zone?
    Trusted Zone: com.tw\asia.msi
    Trusted Zone: com.tw\global.msi
    Trusted Zone: com.tw\www.msi


    Let's get an online scan.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Now the scan.

    Please do an online scan with Kaspersky WebScanner

    It's best to disable real time protection applications as they sometimes interfere with the scan.
    Check this link for any applicable programs you may have.

    Click on "Accept" if your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users: you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files:
    • Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click the "Scan Report" on the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
  15. 2009/02/24
    Chanvlan

    Chanvlan Inactive Thread Starter

    Joined:
    2009/02/17
    Messages:
    12
    Likes Received:
    0
    Report

    I had to stop this scan as I needed to use my computer; I will run a full scan overnight and post back again in the morning.


    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Tuesday, February 24, 2009
    Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Tuesday, February 24, 2009 06:02:43
    Records in database: 1837072
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan statistics:
    Files scanned: 82337
    Threat name: 2
    Infected objects: 3
    Suspicious objects: 0
    Duration of the scan: 01:55:43


    File name / Threat name / Threats count
    C:\Program Files\Trend Micro\Internet Security\Quarantine\A0004002.dll Infected: Rootkit.Win32.TDSS.gxu 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gaopdxnspnyxmy.sys.vir Infected: Trojan.Win32.Tdss.ppz 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gaopdxupxexrbm.sys.vir Infected: Trojan.Win32.Tdss.ppz 1

    The scan was stopped by the user.
     
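The report's three hits all sit in quarantine folders: ComboFix's C:\Qoobox\Quarantine (the folder that "ComboFix /u" later removes) and Trend Micro's own Quarantine directory. Copies held there are already isolated, so the practical question for a helper is whether any detection is on a live path. As an added example, not Kaspersky's or ComboFix's code, this Python script parses a report in the posted format, splits detections into live and quarantined, checks that the per-file counts add up to the "Infected objects" statistic, and records whether the scan ran to completion. The report text is constructed from the report above; the quarantine prefixes are taken from the paths it lists, and the extra live-path line used in the test is a constructed sample.

```python
import re

# Constructed from the Kaspersky Online Scanner 7 report posted above (same
# statistics and detection lines).  Added example, not Kaspersky/ComboFix code.
SAMPLE_REPORT = r"""
Scan statistics:
Files scanned: 82337
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:55:43

File name / Threat name / Threats count
C:\Program Files\Trend Micro\Internet Security\Quarantine\A0004002.dll Infected: Rootkit.Win32.TDSS.gxu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gaopdxnspnyxmy.sys.vir Infected: Trojan.Win32.Tdss.ppz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\gaopdxupxexrbm.sys.vir Infected: Trojan.Win32.Tdss.ppz 1

The scan was stopped by the user.
"""

# Folders where other tools park copies of what they already removed: ComboFix's
# quarantine (C:\Qoobox) and the Trend Micro quarantine seen in the report.
QUARANTINE_PREFIXES = (
    "c:\\qoobox\\quarantine\\",
    "c:\\program files\\trend micro\\internet security\\quarantine\\",
)

STAT_RE = re.compile(
    r"^(Files scanned|Threat name|Infected objects|Suspicious objects): (\d+)$", re.M
)
# "<path> Infected: <threat> <count>"; the path may contain spaces, so the
# non-greedy group stops at the first " Infected:" / " Suspicious:".
DETECT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) (?P<status>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$",
    re.M,
)


def parse_statistics(text):
    """Integer statistics from the 'Scan statistics' block."""
    return {k: int(v) for k, v in STAT_RE.findall(text)}


def parse_detections(text):
    """One dict per detection line."""
    return [
        {"path": m["path"], "status": m["status"], "threat": m["threat"], "count": int(m["count"])}
        for m in DETECT_RE.finditer(text)
    ]


def is_quarantined(path):
    """True if the path lies under a known quarantine folder."""
    return path.lower().startswith(QUARANTINE_PREFIXES)


def triage(text):
    """Split detections into live vs quarantined and sanity-check the totals."""
    stats = parse_statistics(text)
    detections = parse_detections(text)
    reported = stats.get("Infected objects", 0) + stats.get("Suspicious objects", 0)
    return {
        "stats": stats,
        "live": [d for d in detections if not is_quarantined(d["path"])],
        "quarantined": [d for d in detections if is_quarantined(d["path"])],
        "complete": "scan was stopped" not in text.lower(),
        "counts_match": sum(d["count"] for d in detections) == reported,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"complete={result['complete']} counts_match={result['counts_match']}")
    for d in result["quarantined"]:
        print("quarantined:", d["threat"], d["path"])
    for d in result["live"]:
        print("LIVE:", d["threat"], d["path"])
```

An incomplete scan with zero live hits, as here, means "nothing found so far", not "clean", which is why the thread's helper still asked for a finished scan before closing the case.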
  16. 2009/02/24
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK.
    Do you know what these are in your trusted zone?
    Trusted Zone: com.tw\asia.msi
    Trusted Zone: com.tw\global.msi
    Trusted Zone: com.tw\www.msi
     
  17. 2009/02/25
    Chanvlan

    Chanvlan Inactive Thread Starter

    Joined:
    2009/02/17
    Messages:
    12
    Likes Received:
    0
    Um, I believe they are for my MSI motherboard?

    I don't know what else they could be.

    Also, I ran that scan, but unfortunately my graphics card failed overnight somehow and when I awoke in the morning, the image no longer displayed. Took it to my comp shop today and I now have a temporary card while the other is fixed (under warranty). :( Pity, cause I only just fixed this blasted thing 10 weeks ago replacing everything!

    So I couldn't save the log, and I don't feel like leaving it on overnight again to run. I assume it would have gotten the viruses.
     
  18. 2009/02/25
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK please do this.

    Click Start > Run; in the run box copy and paste or type ComboFix /u, then hit Enter to uninstall ComboFix and remove the files/folders it created. This action will also reset the System Restore points, removing any infected files there as well.
    Please check and verify that C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file. If they weren't please delete them manually.

    Delete DDS from your desktop.

    Run ATF Cleaner and then run a scan with your Anti Virus program.

    Let me know what if anything it finds.

    Thanks
    Geri
     
  19. 2009/02/26
    Chanvlan

    Chanvlan Inactive Thread Starter

    Joined:
    2009/02/17
    Messages:
    12
    Likes Received:
    0
    OK, I did a scan after running ATF, and it found nothing but a few cookies. Seems my problems are solved.

    One last question. I am trying to remove the Windows Recovery Console and I can only delete the cmldr file; however, the cmdcons file keeps saying that it is currently in use. I tried deleting everything in it one by one but that didn't work either.
     
  20. 2009/02/26
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    Not a good idea. This could be the way to repair your computer if anything bad ever happens.
    I strongly recommend that you don't remove it.

    Please look at this link for some preventive recommendations. It could keep you from ending up back here in the Malware and Virus Removal Forums.
    http://www.windowsbbs.com/showthread.php?t=67958

    If all seems OK I'll mark this one resolved.

    Let me Know.

    Thanks
    Geri
     
  21. 2009/02/27
    Chanvlan

    Chanvlan Inactive Thread Starter

    Joined:
    2009/02/17
    Messages:
    12
    Likes Received:
    0
    Yeh, all seems good, thank you so much for your help.
     
