
TQIS Makes Websites

Honorary Members
Posts: 28
Reputation: 0 Neutral
  1. TDSSKiller did the job! Here is the log:

     2011/08/11 18:53:05.0421 2172 TDSS rootkit removing tool 2.5.15.0 Aug 11 2011 16:32:13
     2011/08/11 18:53:05.0781 2172 ================================================================================
     2011/08/11 18:53:05.0781 2172 SystemInfo:
     2011/08/11 18:53:05.0781 2172
     2011/08/11 18:53:05.0781 2172 OS Version: 5.1.2600 ServicePack: 2.0
     2011/08/11 18:53:05.0781 2172 Product type: Workstation
     2011/08/11 18:53:05.0781 2172 ComputerName: SUNNY-JIM
     2011/08/11 18:53:05.0781 2172 UserName: Jim
     2011/08/11 18:53:05.0781 2172 Windows directory: C:\WINDOWS
     2011/08/11 18:53:05.0781 2172 System windows directory: C:\WINDOWS
     2011/08/11 18:53:05.0781 2172 Processor architecture: Intel x86
     2011/08/11 18:53:05.0781 2172 Number of processors: 2
     2011/08/11 18:53:05.0781 2172 Page size: 0x1000
     2011/08/11 18:53:05.0781 2172 Boot type: Normal boot
     2011/08/11 18:53:05.0781 2172 ================================================================================
     2011/08/11 18:53:06.0765 2172 Initialize success
     2011/08/11 18:53:12.0015 2052 ================================================================================
     2011/08/11 18:53:12.0015 2052 Scan started
     2011/08/11 18:53:12.0015 2052 Mode: Manual;
     2011/08/11 18:53:12.0015 2052 ================================================================================
     2011/08/11 18:53:12.0984 2052 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
     2011/08/11 18:53:13.0000 2052 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
     2011/08/11 18:53:13.0046 2052 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
     2011/08/11 18:53:13.0093 2052 AegisP (15e655baa989444f56787ef558823643) C:\WINDOWS\system32\DRIVERS\AegisP.sys
     2011/08/11 18:53:13.0140 2052 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
     2011/08/11 18:53:13.0281 2052 Andbus (45039ad240754b3bd789668c2c986ea7) C:\WINDOWS\system32\DRIVERS\lgandbus.sys
     2011/08/11 18:53:13.0296 2052 AndDiag (f7ec18db02c9fb26aed52e0e1bb98960) C:\WINDOWS\system32\DRIVERS\lganddiag.sys
     2011/08/11 18:53:13.0328 2052 AndGps (6d79f0c7f33dd85f50d69c7d7efec9e0) C:\WINDOWS\system32\DRIVERS\lgandgps.sys
     2011/08/11 18:53:13.0343 2052 ANDModem (881837e816b948f7a94098add21afd7c) C:\WINDOWS\system32\DRIVERS\lgandmodem.sys
     2011/08/11 18:53:13.0375 2052 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
     2011/08/11 18:53:13.0453 2052 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
     2011/08/11 18:53:13.0484 2052 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
     2011/08/11 18:53:13.0515 2052 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
     2011/08/11 18:53:13.0562 2052 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
     2011/08/11 18:53:13.0593 2052 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
     2011/08/11 18:53:13.0687 2052 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
     2011/08/11 18:53:13.0703 2052 avgntflt (1e4114685de1ffa9675e09c6a1fb3f4b) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
     2011/08/11 18:53:13.0734 2052 avipbb (0f78d3dae6dedd99ae54c9491c62adf2) C:\WINDOWS\system32\DRIVERS\avipbb.sys
     2011/08/11 18:53:13.0765 2052 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
     2011/08/11 18:53:13.0875 2052 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
     2011/08/11 18:53:13.0921 2052 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
     2011/08/11 18:53:13.0937 2052 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
     2011/08/11 18:53:13.0953 2052 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
     2011/08/11 18:53:14.0000 2052 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
     2011/08/11 18:53:14.0031 2052 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
     2011/08/11 18:53:14.0125 2052 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
     2011/08/11 18:53:14.0171 2052 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
     2011/08/11 18:53:14.0218 2052 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
     2011/08/11 18:53:14.0234 2052 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
     2011/08/11 18:53:14.0265 2052 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
     2011/08/11 18:53:14.0296 2052 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
     2011/08/11 18:53:14.0343 2052 EMSCR (66029e6c4b19223c24d8710eed3aaeab) C:\WINDOWS\system32\DRIVERS\EMS7SK.sys
     2011/08/11 18:53:14.0359 2052 ESDCR (9f0fa60836e1d1148cc0c1b6e67aa6f7) C:\WINDOWS\system32\DRIVERS\ESD7SK.sys
     2011/08/11 18:53:14.0390 2052 ESMCR (d9da881be71b74b328471ccf28b5f0a9) C:\WINDOWS\system32\DRIVERS\ESM7SK.sys
     2011/08/11 18:53:14.0421 2052 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
     2011/08/11 18:53:14.0453 2052 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
     2011/08/11 18:53:14.0515 2052 FdRedir (3314f3134ac59771a133a0cd3d343fff) C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys
     2011/08/11 18:53:14.0546 2052 FileDisk2 (7b33f094a7a42a0225c344f5b25b1b05) C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys
     2011/08/11 18:53:14.0562 2052 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
     2011/08/11 18:53:14.0578 2052 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
     2011/08/11 18:53:14.0609 2052 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
     2011/08/11 18:53:14.0640 2052 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
     2011/08/11 18:53:14.0656 2052 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
     2011/08/11 18:53:14.0671 2052 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
     2011/08/11 18:53:14.0703 2052 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
     2011/08/11 18:53:14.0765 2052 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
     2011/08/11 18:53:14.0828 2052 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
     2011/08/11 18:53:14.0906 2052 ialm (0f0194c4b635c10c3f785e4fee52d641) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
     2011/08/11 18:53:14.0937 2052 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
     2011/08/11 18:53:15.0109 2052 IntcAzAudAddService (7385944d4f025bd8c498bfd97981e336) C:\WINDOWS\system32\drivers\RtkHDAud.sys
     2011/08/11 18:53:15.0187 2052 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
     2011/08/11 18:53:15.0203 2052 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
     2011/08/11 18:53:15.0234 2052 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
     2011/08/11 18:53:15.0250 2052 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
     2011/08/11 18:53:15.0281 2052 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
     2011/08/11 18:53:15.0296 2052 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
     2011/08/11 18:53:15.0328 2052 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
     2011/08/11 18:53:15.0359 2052 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
     2011/08/11 18:53:15.0375 2052 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys
     2011/08/11 18:53:15.0406 2052 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
     2011/08/11 18:53:15.0421 2052 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
     2011/08/11 18:53:15.0453 2052 KSecDD (1be7cc2535d760ae4d481576eb789f24) C:\WINDOWS\system32\drivers\KSecDD.sys
     2011/08/11 18:53:15.0515 2052 MBAMSwissArmy (b18225739ed9caa83ba2df966e9f43e8) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
     2011/08/11 18:53:15.0546 2052 meiudf (7efac183a25b30fb5d64cc9d484b1eb6) C:\WINDOWS\system32\Drivers\meiudf.sys
     2011/08/11 18:53:15.0578 2052 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
     2011/08/11 18:53:15.0625 2052 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
     2011/08/11 18:53:15.0671 2052 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
     2011/08/11 18:53:15.0687 2052 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
     2011/08/11 18:53:15.0703 2052 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
     2011/08/11 18:53:15.0750 2052 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
     2011/08/11 18:53:15.0796 2052 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
     2011/08/11 18:53:15.0843 2052 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
     2011/08/11 18:53:15.0875 2052 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
     2011/08/11 18:53:15.0890 2052 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
     2011/08/11 18:53:15.0906 2052 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
     2011/08/11 18:53:15.0937 2052 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
     2011/08/11 18:53:15.0953 2052 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
     2011/08/11 18:53:16.0000 2052 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
     2011/08/11 18:53:16.0015 2052 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
     2011/08/11 18:53:16.0031 2052 Ndisuio (eefa1ce63805d2145978621be5c6d955) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
     2011/08/11 18:53:16.0046 2052 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
     2011/08/11 18:53:16.0062 2052 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
     2011/08/11 18:53:16.0078 2052 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
     2011/08/11 18:53:16.0109 2052 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
     2011/08/11 18:53:16.0218 2052 NETw3x32 (f886500c285af271fdd33bf8ba7b32ef) C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
     2011/08/11 18:53:16.0265 2052 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
     2011/08/11 18:53:16.0281 2052 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
     2011/08/11 18:53:16.0328 2052 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
     2011/08/11 18:53:16.0359 2052 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
     2011/08/11 18:53:16.0390 2052 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
     2011/08/11 18:53:16.0406 2052 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
     2011/08/11 18:53:16.0421 2052 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
     2011/08/11 18:53:16.0468 2052 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
     2011/08/11 18:53:16.0484 2052 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
     2011/08/11 18:53:16.0500 2052 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
     2011/08/11 18:53:16.0515 2052 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
     2011/08/11 18:53:16.0562 2052 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
     2011/08/11 18:53:16.0593 2052 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
     2011/08/11 18:53:16.0718 2052 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys
     2011/08/11 18:53:16.0750 2052 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
     2011/08/11 18:53:16.0765 2052 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
     2011/08/11 18:53:16.0796 2052 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
     2011/08/11 18:53:16.0812 2052 PxHelp20 (183ef96bcc2ec3d5294cb2c2c0ecbcd1) C:\WINDOWS\system32\Drivers\PxHelp20.sys
     2011/08/11 18:53:16.0906 2052 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
     2011/08/11 18:53:16.0937 2052 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
     2011/08/11 18:53:16.0953 2052 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
     2011/08/11 18:53:16.0968 2052 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
     2011/08/11 18:53:17.0000 2052 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
     2011/08/11 18:53:17.0031 2052 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
     2011/08/11 18:53:17.0046 2052 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
     2011/08/11 18:53:17.0093 2052 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
     2011/08/11 18:53:17.0109 2052 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
     2011/08/11 18:53:17.0171 2052 RTLE8023xp (0e74171ee80a8640de564b72dbbb397b) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
     2011/08/11 18:53:17.0218 2052 s24trans (d4661148e44816b6501be8f4466d65b0) C:\WINDOWS\system32\DRIVERS\s24trans.sys
     2011/08/11 18:53:17.0250 2052 sdbus (a1ab8355ecf5ace3f2d5a47fc8a231e9) C:\WINDOWS\system32\DRIVERS\sdbus.sys
     2011/08/11 18:53:17.0281 2052 Secdrv (f376a1580204e47f37a721e1cbc5582a) C:\WINDOWS\system32\DRIVERS\secdrv.sys
     2011/08/11 18:53:17.0328 2052 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
     2011/08/11 18:53:17.0359 2052 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
     2011/08/11 18:53:17.0437 2052 smihlp (94eede27fd7d46707be49127922695a7) C:\Program Files\Protector Suite QL\smihlp.sys
     2011/08/11 18:53:17.0484 2052 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
     2011/08/11 18:53:17.0515 2052 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
     2011/08/11 18:53:17.0578 2052 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
     2011/08/11 18:53:17.0625 2052 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
     2011/08/11 18:53:17.0671 2052 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
     2011/08/11 18:53:17.0718 2052 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
     2011/08/11 18:53:17.0812 2052 SynTP (a6cc8c28d5aad4179ef32f05bed55e91) C:\WINDOWS\system32\DRIVERS\SynTP.sys
     2011/08/11 18:53:17.0843 2052 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
     2011/08/11 18:53:17.0875 2052 tbiosdrv (7147b0575bcc93a6ab7d5c90f47c0b9f) C:\WINDOWS\system32\DRIVERS\tbiosdrv.sys
     2011/08/11 18:53:17.0921 2052 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
     2011/08/11 18:53:17.0968 2052 TcUsb (fc6fe02f400308606a911640e72326b5) C:\WINDOWS\system32\Drivers\tcusb.sys
     2011/08/11 18:53:17.0984 2052 tdcmdpst (cc1d7bc6a3632c55ee6d8877e9b936f3) C:\WINDOWS\system32\DRIVERS\tdcmdpst.sys
     2011/08/11 18:53:18.0015 2052 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
     2011/08/11 18:53:18.0031 2052 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
     2011/08/11 18:53:18.0062 2052 tdudf (09aa3cf863793f92276b39e74878c386) C:\WINDOWS\system32\DRIVERS\tdudf.sys
     2011/08/11 18:53:18.0078 2052 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
     2011/08/11 18:53:18.0140 2052 tosrfec (cc069342ee0eae55b32a0ae99cf6185c) C:\WINDOWS\system32\DRIVERS\tosrfec.sys
     2011/08/11 18:53:18.0171 2052 TVALD (676db15ddf2e0ff6ec03068dea428b8b) C:\WINDOWS\system32\DRIVERS\NBSMI.sys
     2011/08/11 18:53:18.0187 2052 Tvs (546dfba6486569120d33f7ad6e94efdd) C:\WINDOWS\system32\DRIVERS\Tvs.sys
     2011/08/11 18:53:18.0203 2052 Udfs (7cef3e36843bf5dd55120fcce88800ce) C:\WINDOWS\system32\drivers\Udfs.sys
     2011/08/11 18:53:18.0250 2052 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
     2011/08/11 18:53:18.0296 2052 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
     2011/08/11 18:53:18.0312 2052 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
     2011/08/11 18:53:18.0359 2052 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
     2011/08/11 18:53:18.0390 2052 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
     2011/08/11 18:53:18.0421 2052 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
     2011/08/11 18:53:18.0437 2052 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
     2011/08/11 18:53:18.0453 2052 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
     2011/08/11 18:53:18.0484 2052 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
     2011/08/11 18:53:18.0531 2052 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
     2011/08/11 18:53:18.0562 2052 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
     2011/08/11 18:53:18.0625 2052 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
     2011/08/11 18:53:18.0718 2052 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
     2011/08/11 18:53:18.0750 2052 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
     2011/08/11 18:53:18.0781 2052 MBR (0x1B8) (464f726ab218b795952c4bedb6be8acd) \Device\Harddisk0\DR0
     2011/08/11 18:53:18.0781 2052 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
     2011/08/11 18:53:18.0781 2052 Boot (0x1200) (3392d8b611f61b8402c72ddf1372815f) \Device\Harddisk0\DR0\Partition0
     2011/08/11 18:53:18.0796 2052 ================================================================================
     2011/08/11 18:53:18.0796 2052 Scan finished
     2011/08/11 18:53:18.0796 2052 ================================================================================
     2011/08/11 18:53:18.0812 3332 Detected object count: 1
     2011/08/11 18:53:18.0812 3332 Actual detected object count: 1
     2011/08/11 18:53:32.0812 3332 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
     2011/08/11 18:53:32.0812 3332 \Device\Harddisk0\DR0 - ok
     2011/08/11 18:53:32.0812 3332 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
     2011/08/11 18:53:36.0781 2920 Deinitialize success
  2. Thanks for clarifying things. I just killed another spinning svchost.exe process, and when I launch Firefox, a second tab automatically opens displaying ads. These two indications of an infection remain consistent after a couple of weeks. I ran ESET. It reported a couple of issues. But I cannot determine if/where any logs are. When I ran ESET a second time, it reported clean results. Here are the results of your SecurityCheck scan:

     Results of screen317's Security Check version 0.99.18
     Windows XP Service Pack 2
     Out of date service pack!!
     Internet Explorer 6 Out of date!
     ``````````````````````````````
     Antivirus/Firewall Check:
     Windows Security Center service is not running! This report may not be accurate!
     Avira AntiVir Personal - Free Antivirus
     ESET Online Scanner v3
     Antivirus up to date!
     ```````````````````````````````
     Anti-malware/Other Utilities Check:
     Malwarebytes' Anti-Malware
     Java 6 Update 25
     Java SE Development Kit 6 Update 25
     Java DB 10.6.2.1
     Out of date Java installed!
     Adobe Flash Player 10.3.181.26
     Mozilla Firefox (x86 en-US..)
     ````````````````````````````````
     Process Check: objlist.exe by Laurent
     Avira Antivir avgnt.exe
     Avira Antivir avguard.exe
     ``````````End of Log````````````
  3. I find your request a little confusing. How do I post a log without attaching a log? Is there somewhere else on the MBAM website to post files without attaching them to forum messages? Your original request also requested that I post the MBAM log separate from my reply. Please let me know if I am somehow not following your instructions correctly. -Jim

     Attachment: combofixlog.txt
  4. The 3 requested attachments follow. Thanks! -Jim

     Attachments: mbam-log-2011-07-29 (13-47-14).txt, attach.txt, dds.txt
  5. Hello. In the attached log, mbam reports a registry value infection that seems consistent with this rogue svchost.exe process. mbam now runs clean, but I still have a big problem on my Windows XP. The Task Manager shown in the attached screenshot highlights a svchost.exe process spinning out of control. At some point, the machine will start to swap paged memory, ignore interrupts and user input, and force me to reboot. My work-around is to constantly monitor the task manager; kill the spinning process; and use Administrative Tools/Services to restart a few networking essentials.

     Sorry if the attached screenshot is excessive. The console window shows the results of the following command:

     tasklist /SVC /FI "IMAGENAME EQ SVCHOST.EXE"

     Can anyone recommend a next step? Thanks! Jim

     Attachment: mbam-log-2009-05-29 (14-26-30).txt
  6. Thanks for your help and your reply. Unfortunately, I was ultimately persuaded to reload the system. Time constraints were part of that calculus. Just trying to make the decision about whether to remove or reload is getting too complicated! Thanks again! -Jim
  7. fixmbr did not work. However, it displays an interesting message: "This computer appears to have a non-standard or invalid master boot record". When I run fixmbr repeatedly, why do I always get this same message? Are these utilities no-ops?

     More information: Before the BSOD, a page says: "We apologize for the inconvenience, but Windows did not start successfully blah blah blah". It gives several options for booting, e.g. "Safe Mode" & "Last Known Good Configuration". Doesn't that screen get created by the MBR? The boot process fails at Mup.sys, which indicates failure or corruption of a local driver. So under the circumstances, fixmbr strikes me as an unlikely solution.

     This is a fundamental bootstrap (the origin of the term "boot") problem: All the utilities for repairing a driver require an operating system (and I can't load the OS because of a driver failure). There's no obvious utility on the recovery disk that resolves this dilemma. Developing a Linux-based utility that can be booted from a CD seems like an obvious solution. Even if a virus caused this problem, it seems like driver repair, that is, booting, should be my first priority. DrWeb Live CD doesn't seem to accomplish this objective: It took 10 hours to scan and doesn't really help even if it has removed any viruses. And I still can't boot.

     Your suggestions so far have been inappropriate (my wife thinks "pointless" is too provocative). At this point, I need more relevant recommendations. If this is the wrong forum, perhaps someone can recommend another.
  8. Avira AntiVir doesn't seem to work: The video driver is not compatible with a Lenovo T60 laptop The link to the DrWeb User Manual doesn't work either. We will try to run this app blind. It takes about an hour to download each of these 5 iso images. Of the remaining 3, do any have a better chance of a successful outcome?
  9. In the process of running MBAM, the machine reboots. After this last reboot, my machine now dumps a BSOD. I have been unable to restart the machine in either safe mode or "last good configuration". The machine restarts as soon as the BSOD appears. So it took several attempts to establish that the stop code is 0000007B. Using the recovery disk, I was able to launch a command prompt. chkdsk /r ran clean. There is a file in the root directory called bootex.log. Is that file created by MBAM? I can't read it (it's not an ASCII log file). Is it significant? Any ideas?
  10. Well, WinDisk is still installed on my desktop, but it no longer pops up every time I turn the computer on/log onto my server space. To me, that would appear to be a good thing, but I don't know if it really is.
  11. Sorry it took me so long to get this up; our internet connection has been down for the past day, and is finally back up.

      Malwarebytes' Anti-Malware 1.50.1.1100
      www.malwarebytes.org

      Database version: 5681

      Windows 5.1.2600 Service Pack 3
      Internet Explorer 8.0.6001.18702

      2/4/2011 11:12:42 PM
      mbam-log-2011-02-04 (23-12-42).txt

      Scan type: Quick scan
      Objects scanned: 149474
      Time elapsed: 4 minute(s), 34 second(s)

      Memory Processes Infected: 1
      Memory Modules Infected: 1
      Registry Keys Infected: 0
      Registry Values Infected: 3
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 2

      Memory Processes Infected:
      c:\documents and settings\all users\application data\mo7jnmwjh3rvqs.exe (Rogue.WindowsDisk) -> 2576 -> Unloaded process successfully.

      Memory Modules Infected:
      c:\WINDOWS\ecefayoqevi.dll (Trojan.Agent) -> Delete on reboot.

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adetudosayer (Trojan.Agent) -> Value: Adetudosayer -> Delete on reboot.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mo7JnMwjh3rVqS (Rogue.WindowsDisk) -> Value: Mo7JnMwjh3rVqS -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QbyEjDmJqwk.exe (Rogue.Agent) -> Value: QbyEjDmJqwk.exe -> Quarantined and deleted successfully.

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      c:\WINDOWS\ecefayoqevi.dll (Trojan.Agent) -> Delete on reboot.
      c:\documents and settings\all users\application data\mo7jnmwjh3rvqs.exe (Rogue.WindowsDisk) -> Quarantined and deleted successfully.
  12. Well, it's good to know that the virus on my computer is being put to good use, and that I'm helping other people around the world with an issue like my own.

      OTL logfile created on: 2/3/2011 3:33:41 PM - Run 1
      OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\Owner\Desktop
      Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
      Internet Explorer (Version = 8.0.6001.18702)
      Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

      1,014.00 Mb Total Physical Memory | 644.00 Mb Available Physical Memory | 64.00% Memory free
      2.00 Gb Paging File | 1.00 Gb Available in Paging File | 83.00% Paging File free
      Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

      %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
      Drive C: | 55.88 Gb Total Space | 42.83 Gb Free Space | 76.64% Space Free | Partition Type: NTFS

      Computer Name: OWNER-2BCD14D57 | User Name: Owner | Logged in as Administrator.
      Boot Mode: Normal | Scan Mode: Current user
      Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

      ========== Processes (SafeList) ==========

      PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
      PRC - C:\Documents and Settings\All Users\Application Data\Mo7JnMwjh3rVqS.exe ()
      PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
      PRC - c:\Program Files\Lenovo\System Update\SUService.exe (Lenovo Group Limited)
      PRC - C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe ()
      PRC - C:\WINDOWS\system32\ibmpmsvc.exe (Lenovo)
      PRC - C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel® Corporation)
      PRC - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe (Intel® Corporation)
      PRC - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel® Corporation)
      PRC - C:\Program Files\OpenOffice.org 3\program\soffice.bin (OpenOffice.org)
      PRC - C:\Program Files\OpenOffice.org 3\program\soffice.exe (OpenOffice.org)
      PRC - C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
      PRC - C:\Program Files\CDBurnerXP\NMSAccessU.exe ()
      PRC - C:\Program Files\Lenovo\Client Security Solution\cssauth.exe (Lenovo Group Limited)
      PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
      PRC - C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (Lenovo Group Limited)
      PRC - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe (Lenovo Group Limited)
      PRC - C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)

      ========== Modules (SafeList) ==========

      MOD - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)
      MOD - C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll (Microsoft Corporation)
      MOD - C:\WINDOWS\ecefayoqevi.dll ()

      ========== Win32 Services (All) ==========

      SRV - (HidServ) -- File not found
      SRV - (iPod Service) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
      SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)
      SRV - (Bonjour Service) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
      SRV - (lanmanserver) -- C:\WINDOWS\system32\srvsvc.dll (Microsoft Corporation)
      SRV - (Spooler) -- C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation)
      SRV - (SUService) -- c:\Program Files\Lenovo\System Update\SUService.exe (Lenovo Group Limited)
      SRV - (lanmanworkstation) -- C:\WINDOWS\system32\wkssvc.dll (Microsoft Corporation)
      SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
      SRV - (IBMPMSVC) -- C:\WINDOWS\system32\ibmpmsvc.exe (Lenovo)
      SRV - (EvtEng) Intel® -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel® Corporation)
      SRV - (S24EventMonitor) Intel® -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe (Intel® Corporation)
      SRV - (RegSrvc) Intel® -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel® Corporation)
      SRV - (Wmi) -- C:\WINDOWS\system32\advapi32.dll (Microsoft Corporation)
      SRV - (RpcSs) Remote Procedure Call (RPC) -- C:\WINDOWS\system32\rpcss.dll (Microsoft Corporation)
      SRV - (DcomLaunch) -- C:\WINDOWS\system32\rpcss.dll (Microsoft Corporation)
      SRV - (PlugPlay) -- C:\WINDOWS\system32\services.exe (Microsoft Corporation)
      SRV - (Eventlog) -- C:\WINDOWS\system32\services.exe (Microsoft Corporation)
      SRV - (FontCache3.0.0.0) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
      SRV - (idsvc) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
      SRV - (NetTcpPortSharing) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
      SRV - (clr_optimization_v2.0.50727_32) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
      SRV - (aspnet_state) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
      SRV - (EventSystem) -- C:\WINDOWS\system32\es.dll (Microsoft Corporation)
      SRV - (Nla) Network Location Awareness (NLA) -- C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
      SRV - (NMSAccessU) -- C:\Program Files\CDBurnerXP\NMSAccessU.exe ()
      SRV - (ThinkVantage Registry Monitor Service) -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe (Lenovo Group Limited)
      SRV - (WmiApSrv) -- C:\WINDOWS\system32\wbem\wmiapsrv.exe (Microsoft Corporation)
      SRV - (VSS) -- C:\WINDOWS\system32\vssvc.exe (Microsoft Corporation)
      SRV - (TlntSvr) -- C:\WINDOWS\system32\tlntsvr.exe (Microsoft Corporation)
      SRV - (UPS) -- C:\WINDOWS\system32\ups.exe (Microsoft Corporation)
      SRV - (SysmonLog) -- C:\WINDOWS\system32\smlogsvc.exe (Microsoft Corporation)
      SRV - (RDSessMgr) -- C:\WINDOWS\system32\sessmgr.exe (Microsoft Corporation)
      SRV - (SCardSvr) -- C:\WINDOWS\system32\scardsvr.exe (Microsoft Corporation)
      SRV - (NetDDEdsdm) -- C:\WINDOWS\system32\netdde.exe (Microsoft Corporation)
      SRV - (NetDDE) -- C:\WINDOWS\system32\netdde.exe (Microsoft Corporation)
      SRV - (MSIServer) -- C:\WINDOWS\System32\msiexec.exe (Microsoft Corporation)
      SRV - (MSDTC) -- C:\WINDOWS\system32\msdtc.exe (Microsoft Corporation)
      SRV - (mnmsrvc) -- C:\WINDOWS\system32\mnmsrvc.exe (Microsoft Corporation)
      SRV - (RpcLocator) Remote Procedure Call (RPC) -- C:\WINDOWS\system32\locator.exe (Microsoft Corporation)
      SRV - (SamSs) -- C:\WINDOWS\system32\lsass.exe (Microsoft Corporation)
      SRV - (ProtectedStorage) -- C:\WINDOWS\system32\lsass.exe (Microsoft Corporation)
      SRV - (PolicyAgent) -- C:\WINDOWS\system32\lsass.exe (Microsoft Corporation)
      SRV - (NtLmSsp) -- C:\WINDOWS\system32\lsass.exe (Microsoft Corporation)
      SRV - (Netlogon) -- C:\WINDOWS\system32\lsass.exe (Microsoft Corporation)
      SRV - (ImapiService) -- C:\WINDOWS\system32\imapi.exe (Microsoft Corporation)
      SRV - (dmadmin) -- C:\WINDOWS\System32\dmadmin.exe (Microsoft Corp., Veritas Software)
      SRV - (SwPrv) -- C:\WINDOWS\System32\dllhost.exe (Microsoft Corporation)
      SRV - (COMSysApp) -- C:\WINDOWS\System32\dllhost.exe (Microsoft Corporation)
      SRV - (ClipSrv) -- C:\WINDOWS\system32\clipsrv.exe (Microsoft Corporation)
      SRV - (CiSvc) -- C:\WINDOWS\system32\cisvc.exe (Microsoft Corporation)
      SRV - (ALG) -- C:\WINDOWS\system32\alg.exe (Microsoft Corporation)
      SRV - (WZCSVC) -- C:\WINDOWS\system32\wzcsvc.dll (Microsoft Corporation)
      SRV - (xmlprov) -- C:\WINDOWS\system32\xmlprov.dll (Microsoft Corporation)
      SRV - (wuauserv) -- C:\WINDOWS\system32\wuauserv.dll (Microsoft Corporation)
      SRV - (wscsvc) -- C:\WINDOWS\system32\wscsvc.dll (Microsoft Corporation)
      SRV - (winmgmt) -- C:\WINDOWS\system32\wbem\wmisvc.dll (Microsoft Corporation)
      SRV - (stisvc) Windows Image Acquisition (WIA) -- C:\WINDOWS\system32\wiaservc.dll (Microsoft Corporation)
      SRV - (upnphost) -- C:\WINDOWS\system32\upnphost.dll (Microsoft Corporation)
      SRV - (W32Time) -- C:\WINDOWS\system32\w32time.dll (Microsoft Corporation)
      SRV - (WebClient) -- C:\WINDOWS\system32\webclnt.dll (Microsoft Corporation)
      SRV - (HTTPFilter) -- C:\WINDOWS\system32\w3ssl.dll (Microsoft Corporation)
      SRV - (TermService) -- C:\WINDOWS\system32\termsrv.dll (Microsoft Corporation)
      SRV - (TapiSrv) -- C:\WINDOWS\system32\tapisrv.dll (Microsoft Corporation)
      SRV - (srservice) -- C:\WINDOWS\system32\srsvc.dll (Microsoft Corporation)
      SRV - (TrkWks) -- C:\WINDOWS\system32\trkwks.dll (Microsoft Corporation)
      SRV - (SSDPSRV) -- C:\WINDOWS\system32\ssdpsrv.dll (Microsoft Corporation)
      SRV - (Schedule) -- C:\WINDOWS\system32\schedsvc.dll (Microsoft Corporation)
      SRV - (Themes) -- C:\WINDOWS\system32\shsvcs.dll (Microsoft Corporation)
      SRV - (ShellHWDetection) -- C:\WINDOWS\system32\shsvcs.dll (Microsoft Corporation)
      SRV - (FastUserSwitchingCompatibility) -- C:\WINDOWS\system32\shsvcs.dll (Microsoft Corporation)
      SRV - (SENS) -- C:\WINDOWS\system32\sens.dll (Microsoft Corporation)
      SRV - (seclogon) -- C:\WINDOWS\system32\seclogon.dll (Microsoft Corporation)
      SRV - (RemoteRegistry) -- C:\WINDOWS\system32\regsvc.dll (Microsoft Corporation)
      SRV - (BITS) -- C:\WINDOWS\system32\qmgr.dll (Microsoft Corporation)
      SRV - (napagent) -- C:\WINDOWS\system32\qagentrt.dll (Microsoft Corporation)
      SRV -
(RasMan) -- C:\WINDOWS\system32\rasmans.dll (Microsoft Corporation) SRV - (RasAuto) -- C:\WINDOWS\system32\rasauto.dll (Microsoft Corporation) SRV - (NtmsSvc) -- C:\WINDOWS\system32\ntmssvc.dll (Microsoft Corporation) SRV - (helpsvc) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll (Microsoft Corporation) SRV - (Netman) -- C:\WINDOWS\system32\netman.dll (Microsoft Corporation) SRV - (Messenger) -- C:\WINDOWS\system32\msgsvc.dll (Microsoft Corporation) SRV - (RemoteAccess) -- C:\WINDOWS\system32\mprdim.dll (Microsoft Corporation) SRV - (hkmsvc) -- C:\WINDOWS\system32\kmsvc.dll (Microsoft Corporation) SRV - (LmHosts) -- C:\WINDOWS\system32\lmhsvc.dll (Microsoft Corporation) SRV - (SharedAccess) Windows Firewall/Internet Connection Sharing (ICS) -- C:\WINDOWS\system32\ipnathlp.dll (Microsoft Corporation) SRV - (Irmon) -- C:\WINDOWS\system32\irmon.dll (Microsoft Corporation) SRV - (ERSvc) -- C:\WINDOWS\system32\ersvc.dll (Microsoft Corporation) SRV - (Dot3svc) -- C:\WINDOWS\system32\dot3svc.dll (Microsoft Corporation) SRV - (Dnscache) -- C:\WINDOWS\system32\dnsrslvr.dll (Microsoft Corporation) SRV - (EapHost) -- C:\WINDOWS\system32\eapsvc.dll (Microsoft Corporation) SRV - (dmserver) -- C:\WINDOWS\system32\dmserver.dll (Microsoft Corp.) SRV - (Dhcp) -- C:\WINDOWS\system32\dhcpcsvc.dll (Microsoft Corporation) SRV - (CryptSvc) -- C:\WINDOWS\system32\cryptsvc.dll (Microsoft Corporation) SRV - (Browser) -- C:\WINDOWS\system32\browser.dll (Microsoft Corporation) SRV - (AudioSrv) -- C:\WINDOWS\system32\audiosrv.dll (Microsoft Corporation) SRV - (AppMgmt) -- C:\WINDOWS\system32\appmgmts.dll (Microsoft Corporation) SRV - (Alerter) -- C:\WINDOWS\system32\alrsvc.dll (Microsoft Corporation) SRV - (TVT Scheduler) -- C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe (Lenovo Group Limited) SRV - (Ati HotKey Poller) -- C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc.) 
SRV - (WmdmPmSN) -- C:\WINDOWS\system32\mspmsnsv.dll (Microsoft Corporation) SRV - (WMPNetworkSvc) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation) SRV - (WudfSvc) -- C:\WINDOWS\system32\WudfSvc.dll (Microsoft Corporation) SRV - (RSVP) -- C:\WINDOWS\system32\rsvp.exe (Microsoft Corporation) ========== Driver Services (SafeList) ========== DRV - (IBMPMDRV) -- C:\WINDOWS\system32\drivers\ibmpmdrv.sys (Lenovo.) DRV - (e1express) Intel® -- C:\WINDOWS\system32\drivers\e1e5132.sys (Intel Corporation) DRV - (NETw5x32) Intel® -- C:\WINDOWS\system32\drivers\NETw5x32.sys (Intel Corporation) DRV - (psadd) -- C:\WINDOWS\system32\drivers\psadd.sys (Lenovo (United States) Inc.) DRV - (TcUsb) -- C:\WINDOWS\system32\drivers\tcusb.sys (UPEK Inc.) DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation) DRV - (SynTP) -- C:\WINDOWS\system32\drivers\SynTP.sys (Synaptics, Inc.) DRV - (NSCIRDA) -- C:\WINDOWS\system32\drivers\nscirda.sys (National Semiconductor Corporation) DRV - (VolSnap) -- C:\WINDOWS\System32\drivers\volsnap.sys () DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider) DRV - (TVTI2C) -- C:\WINDOWS\system32\drivers\tvti2c.sys (Lenovo (United States) Inc.) DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.) DRV - (NETw4x32) Intel® -- C:\WINDOWS\system32\drivers\NETw4x32.sys (Intel Corporation) DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation) DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.) DRV - (HSFHWAZL) -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys (Conexant Systems, Inc.) DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.) DRV - (ADIHdAudAddService) -- C:\WINDOWS\system32\drivers\ADIHdAud.sys (Analog Devices, Inc.) DRV - (atmeltpm) -- C:\WINDOWS\system32\drivers\atmeltpm.sys (Atmel, Inc.) 
========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local> ========== FireFox ========== FF - prefs.js..browser.startup.homepage: "affordablecomputers.com" FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0 FF - prefs.js..extensions.enabledItems: {12791F80-68F5-4D4B-9968-D1B8423C6D94}:1.9.1 FF - HKLM\software\mozilla\Firefox\extensions\\{12791F80-68F5-4D4B-9968-D1B8423C6D94}: C:\Documents and Settings\Owner\Local Settings\Application Data\{12791F80-68F5-4D4B-9968-D1B8423C6D94} [2011/02/01 20:26:54 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/02/03 15:16:05 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/02/03 15:16:05 | 000,000,000 | ---D | M] [2009/01/16 16:48:40 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions [2011/02/02 17:41:41 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\765xrej7.default\extensions [2010/12/27 21:18:45 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\765xrej7.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2011/02/02 17:41:41 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions [2011/02/01 20:26:54 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\APPLICATION DATA\{12791F80-68F5-4D4B-9968-D1B8423C6D94} [2009/06/05 12:35:03 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF O1 
HOSTS File: ([2004/08/04 07:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (IePasswordManagerHelper Class) - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited) O4 - HKLM..\Run: [Adetudosayer] C:\WINDOWS\ecefayoqevi.dll () O4 - HKLM..\Run: [cssauth] C:\Program Files\Lenovo\Client Security Solution\cssauth.exe (Lenovo Group Limited) O4 - HKLM..\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe () O4 - HKLM..\Run: [soundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe (Analog Devices, Inc.) O4 - HKLM..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.) O4 - HKLM..\Run: [TP4EX] C:\WINDOWS\System32\TP4EX.exe (Lenovo Group Limited) O4 - HKLM..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe (Lenovo Group Limited) O4 - HKCU..\Run: [ibucesufiy] File not found O4 - HKCU..\Run: [Mo7JnMwjh3rVqS] C:\Documents and Settings\All Users\Application Data\Mo7JnMwjh3rVqS.exe () O4 - HKCU..\Run: [QbyEjDmJqwk.exe] File not found O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O9 - Extra 'Tools' menuitem : Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll (Lenovo Group Limited) O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) 
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13) O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07) O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation) O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.) O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation) O24 - Desktop WallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O24 - Desktop BackupWallPaper: C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2009/01/13 16:47:46 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 30 Days ========== [2011/02/03 15:28:37 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe [2011/02/03 15:28:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Downloads [2011/02/02 18:18:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Folder of Tears [2011/02/02 09:34:15 | 000,000,000 | ---D | C] -- C:\Documents and 
Settings\Owner\Start Menu\Programs\Win Disk [2011/02/01 20:26:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\{12791F80-68F5-4D4B-9968-D1B8423C6D94} [2011/01/11 18:37:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple [2011/01/08 22:30:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Malwarebytes [2011/01/08 22:13:27 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC [2011/01/08 16:56:13 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2011/01/08 16:56:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware [2011/01/08 16:56:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes [2011/01/08 16:56:10 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2011/01/08 16:56:10 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2011/01/05 21:22:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\Sun [2011/01/04 18:22:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\Camera! 
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ] ========== Files - Modified Within 30 Days ========== [2011/02/03 15:28:10 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe [2011/02/03 15:16:00 | 000,000,272 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~Mo7JnMwjh3rVqS [2011/02/03 15:16:00 | 000,000,152 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\~Mo7JnMwjh3rVqSr [2011/02/03 15:15:45 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Iridulufujufuxuz.dat [2011/02/03 15:15:45 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Bjerunevifohahur.bin [2011/02/03 15:15:36 | 000,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl [2011/02/03 15:13:32 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat [2011/02/02 13:00:10 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Owner\defogger_reenable [2011/02/02 09:34:15 | 000,000,827 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Win Disk.lnk [2011/02/01 20:28:56 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Mo7JnMwjh3rVqS [2011/02/01 20:25:47 | 000,377,344 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\Mo7JnMwjh3rVqS.exe [2011/02/01 18:37:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job [2011/01/28 10:49:33 | 000,011,264 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2011/01/23 20:31:21 | 000,524,673 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\shapeimage_1.png [2011/01/22 13:47:18 | 000,028,957 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Azula.odt [2011/01/08 16:56:13 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ] [1 C:\WINDOWS\System32\*.tmp files -> 
C:\WINDOWS\System32\*.tmp -> ] ========== Files Created - No Company Name ========== [2011/02/02 13:00:10 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Owner\defogger_reenable [2011/02/02 09:34:15 | 000,000,827 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Win Disk.lnk [2011/02/02 00:14:54 | 000,000,272 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~Mo7JnMwjh3rVqS [2011/02/02 00:14:54 | 000,000,152 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\~Mo7JnMwjh3rVqSr [2011/02/01 20:28:55 | 000,000,336 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Mo7JnMwjh3rVqS [2011/02/01 20:26:56 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Iridulufujufuxuz.dat [2011/02/01 20:26:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Bjerunevifohahur.bin [2011/02/01 20:25:47 | 000,377,344 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\Mo7JnMwjh3rVqS.exe [2011/01/23 20:31:11 | 000,524,673 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\shapeimage_1.png [2011/01/08 16:56:13 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk [2010/12/25 10:58:12 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2009/10/14 10:52:45 | 000,178,176 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll [2009/01/16 14:35:13 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\FPCALL.dll [2009/01/13 09:58:26 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI [2007/08/09 16:43:16 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4860.dll [2004/08/04 07:00:00 | 000,266,240 | ---- | C] () -- C:\WINDOWS\ecefayoqevi.dll [2004/08/04 07:00:00 | 000,052,352 | ---- | C] () -- C:\WINDOWS\System32\drivers\volsnap.sys ========== LOP Check ========== [2009/07/10 15:45:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application 
Data\Lenovo [2009/07/10 16:09:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UIB [2010/12/25 12:44:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521} [2009/07/10 15:45:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Downloaded Installations [2009/01/16 14:49:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Lenovo [2011/01/01 16:56:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\OpenOffice.org ========== Purity Check ========== < End of report > OTL Extras logfile created on: 2/3/2011 3:33:41 PM - Run 1 OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\Owner\Desktop Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18702) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 1,014.00 Mb Total Physical Memory | 644.00 Mb Available Physical Memory | 64.00% Memory free 2.00 Gb Paging File | 1.00 Gb Available in Paging File | 83.00% Paging File free Paging file location(s): C:\pagefile.sys 768 1536 [binary data] %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files Drive C: | 55.88 Gb Total Space | 42.83 Gb Free Space | 76.64% Space Free | Partition Type: NTFS Computer Name: OWNER-2BCD14D57 | User Name: Owner | Logged in as Administrator. 
Boot Mode: Normal | Scan Mode: Current user Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* .url [@ = InternetShortcut] -- rundll32.exe shdocvw.dll,OpenURL %l [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>] .html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* exefile [open] -- "%1" %* htmlfile [edit] -- Reg Error: Key error. InternetShortcut [open] -- rundll32.exe shdocvw.dll,OpenURL %l piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. 
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "FirstRunDisabled" = 1 "AntiVirusDisableNotify" = 0 "FirewallDisableNotify" = 0 "UpdatesDisableNotify" = 0 "AntiVirusOverride" = 0 "FirewallOverride" = 0 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall] ========== System Restore Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\SystemRestore] "DisableSR" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr] "Start" = 0 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService] "Start" = 2 ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.) ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe "{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java 6 Update 13 "{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour "{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support "{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java 6 Update 7 "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP "{44E9D4C2-946C-4378-9354-558803C47A68}" = Client Security - Password Manager "{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime "{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP "{8675339C-128C-44DD-83BF-0A5D6ABD8297}" = System Update "{881F5DE8-9367-4B81-A325-E91BBC6472F9}" = iTunes "{986F64DC-FF15-449D-998F-EE3BCEC6666A}" = Help Center "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2 "{AEB9948B-4FF2-47C9-990E-47014492A0FE}" = MSXML 6.0 Parser "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2 "{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple 
Software Update "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{EA664480-3844-11D5-8C25-444553540000}" = TrackPoint Accessibility Features "{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support "{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX "{F22FD942-651D-4EE8-BD6F-7E0AF5E17625}" = Intel® PROSet/Wireless WiFi Software "{F44DA61E-720D-4E79-871F-F6E628B33242}" = OpenOffice.org 3.0 "{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe "{FD331A3B-F7A5-4C31-B8D4-DF413C85AF7A}" = Message Center Plus "Adobe Flash Player Plugin" = Adobe Flash Player Plugin "ATI Display Driver" = ATI Display Driver "CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_10140588" = ThinkPad Modem "HDMI" = Intel® Graphics Media Accelerator Driver "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs "ie7" = Windows Internet Explorer 7 "ie8" = Windows Internet Explorer 8 "KLiteCodecPack_is1" = K-Lite Codec Pack 5.1.0 (Standard) "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1 "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13) "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs "Power Management Driver" = ThinkPad Power Management Driver "ProInst" = Intel PROSet Wireless "PROSet" = Intel® Network Connections Drivers "SynTPDeinstKey" = ThinkPad UltraNav Driver "The KMPlayer" = The KMPlayer (remove only) "Windows Media Format Runtime" = Windows Media Format 11 runtime "Windows Media Player" = Windows Media Player 11 "Windows XP Service Pack" = Windows XP Service Pack 3 "WMFDist11" = Windows Media Format 11 runtime "wmp11" = Windows Media Player 11 "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0 
========== Last 10 Event Log Errors ========== [ Application Events ] Error - 2/2/2011 1:17:33 AM | Computer Name = OWNER-2BCD14D57 | Source = crypt32 | ID = 131080 Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The connection with the server was terminated abnormally Error - 2/2/2011 1:17:34 AM | Computer Name = OWNER-2BCD14D57 | Source = crypt32 | ID = 131080 Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist. Error - 2/2/2011 1:27:22 AM | Computer Name = OWNER-2BCD14D57 | Source = Application Error | ID = 1000 Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting module ntdll.dll, version 5.1.2600.5755, fault address 0x00023845. Error - 2/2/2011 1:28:06 AM | Computer Name = OWNER-2BCD14D57 | Source = crypt32 | ID = 131080 Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The connection with the server was terminated abnormally Error - 2/2/2011 1:28:07 AM | Computer Name = OWNER-2BCD14D57 | Source = crypt32 | ID = 131080 Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist. 
Error - 2/2/2011 10:36:29 AM | Computer Name = OWNER-2BCD14D57 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The connection with the server was terminated abnormally

Error - 2/2/2011 10:36:29 AM | Computer Name = OWNER-2BCD14D57 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error - 2/2/2011 10:44:55 AM | Computer Name = OWNER-2BCD14D57 | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting module ntdll.dll, version 5.1.2600.5755, fault address 0x00023845.

Error - 2/2/2011 11:36:19 AM | Computer Name = OWNER-2BCD14D57 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The connection with the server was terminated abnormally

Error - 2/2/2011 11:36:21 AM | Computer Name = OWNER-2BCD14D57 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

[ Lenovo-Message Center Plus/Admin Events ]
Error - 1/12/2011 9:16:00 PM | Computer Name = OWNER-2BCD14D57 | Source = Lenovo-Message Center Plus/Admin | ID = 2
Description = Object reference not set to an instance of an object. -> Exception message: Object reference not set to an instance of an object.

Error - 1/14/2011 11:30:05 AM | Computer Name = OWNER-2BCD14D57 | Source = Lenovo-Message Center Plus/Admin | ID = 2
Description = Object reference not set to an instance of an object. -> Exception message: Object reference not set to an instance of an object.

Error - 1/15/2011 9:12:32 PM | Computer Name = OWNER-2BCD14D57 | Source = Lenovo-Message Center Plus/Admin | ID = 2
Description = Object reference not set to an instance of an object. -> Exception message: Object reference not set to an instance of an object.

Error - 2/2/2011 2:44:39 AM | Computer Name = OWNER-2BCD14D57 | Source = Lenovo-Message Center Plus/Admin | ID = 2
Description = Unable to retrieve machine model -> Exception message: The service did not respond to the start or control request in a timely fashion. (Exception from HRESULT: 0x8007041D)

Error - 2/2/2011 2:44:39 AM | Computer Name = OWNER-2BCD14D57 | Source = Lenovo-Message Center Plus/Admin | ID = 4
Description = Retrieved null machine type model

Error - 2/2/2011 2:45:09 AM | Computer Name = OWNER-2BCD14D57 | Source = Lenovo-Message Center Plus/Admin | ID = 2
Description = Unable to retrieve machine model -> Exception message: The service did not respond to the start or control request in a timely fashion. (Exception from HRESULT: 0x8007041D)

Error - 2/2/2011 2:45:09 AM | Computer Name = OWNER-2BCD14D57 | Source = Lenovo-Message Center Plus/Admin | ID = 4
Description = Retrieved null machine type model

Error - 2/2/2011 6:46:36 AM | Computer Name = OWNER-2BCD14D57 | Source = Lenovo-Message Center Plus/Admin | ID = 2
Description = Unable to retrieve machine model -> Exception message: The service did not respond to the start or control request in a timely fashion. (Exception from HRESULT: 0x8007041D)

Error - 2/2/2011 6:46:36 AM | Computer Name = OWNER-2BCD14D57 | Source = Lenovo-Message Center Plus/Admin | ID = 4
Description = Retrieved null machine type model

Error - 2/2/2011 6:47:06 AM | Computer Name = OWNER-2BCD14D57 | Source = Lenovo-Message Center Plus/Admin | ID = 2
Description = Unable to retrieve machine model -> Exception message: The service did not respond to the start or control request in a timely fashion. (Exception from HRESULT: 0x8007041D)

[ System Events ]
Error - 2/2/2011 6:35:11 AM | Computer Name = OWNER-2BCD14D57 | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error - 2/2/2011 6:46:36 AM | Computer Name = OWNER-2BCD14D57 | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error - 2/2/2011 6:47:06 AM | Computer Name = OWNER-2BCD14D57 | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error - 2/2/2011 8:34:41 AM | Computer Name = OWNER-2BCD14D57 | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error - 2/2/2011 10:20:11 AM | Computer Name = OWNER-2BCD14D57 | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Error - 2/2/2011 10:27:35 AM | Computer Name = OWNER-2BCD14D57 | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 2/2/2011 10:31:03 AM | Computer Name = OWNER-2BCD14D57 | Source = DCOM | ID = 10005
Description = DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2/2/2011 1:47:31 PM | Computer Name = OWNER-2BCD14D57 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Error - 2/2/2011 2:04:44 PM | Computer Name = OWNER-2BCD14D57 | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout period.

Error - 2/2/2011 11:08:50 PM | Computer Name = OWNER-2BCD14D57 | Source = PlugPlayManager | ID = 12
Description = The device 'Intel® PRO/1000 PL Network Connection' (PCI\VEN_8086&DEV_109A&SUBSYS_200117AA&REV_00\4&192ac53f&0&00E0) disappeared from the system without first being prepared for removal.

< End of report >
  13. Interestingly, the MalwareBytes forum rejected my CAB file. I zipped it instead. Here is the new thread: http://forums.malwarebytes.org/index.php?showtopic=74417

Eva Hattie Schueler
  14. Hopefully I did this right. After running Malwarebytes, it said that it had detected no malicious items. Thank you for all your help so far!

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5661

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/2/2011 2:48:16 PM
mbam-log-2011-02-02 (14-48-16).txt

Scan type: Quick scan
Objects scanned: 149090
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Attachments: mbam_log_2011_02_02__14_48_16_.txt, DDS.txt
  15. Hello, and thank you for helping me out!

2011/02/02 14:16:16.0078 2704 TDSS rootkit removing tool 2.4.16.0 Feb 1 2011 10:34:03
2011/02/02 14:16:16.0234 2704 ================================================================================
2011/02/02 14:16:16.0234 2704 SystemInfo:
2011/02/02 14:16:16.0234 2704
2011/02/02 14:16:16.0234 2704 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/02 14:16:16.0234 2704 Product type: Workstation
2011/02/02 14:16:16.0234 2704 ComputerName: OWNER-2BCD14D57
2011/02/02 14:16:16.0234 2704 UserName: Owner
2011/02/02 14:16:16.0234 2704 Windows directory: C:\WINDOWS
2011/02/02 14:16:16.0234 2704 System windows directory: C:\WINDOWS
2011/02/02 14:16:16.0234 2704 Processor architecture: Intel x86
2011/02/02 14:16:16.0234 2704 Number of processors: 2
2011/02/02 14:16:16.0234 2704 Page size: 0x1000
2011/02/02 14:16:16.0234 2704 Boot type: Normal boot
2011/02/02 14:16:16.0234 2704 ================================================================================
2011/02/02 14:16:16.0390 2704 Initialize success

Attachments: TDSSKiller.2.4.16.0_02.02.2011_14.11.51_log.txt, DDS.txt