sp60

Hi negster22, Welcome back! The MBRCheck log file is below. As I mentioned before, for some reason, various things are now running more slowly on my system. For example, Winrar seems a lot slower in extracting or compacting files, and when using ImgBrn to back up files onto disk, my burner won't write any faster than about 2x, when it normally can write much faster than that. So I'd appreciate any guidance you might have on how to restore the speed of the system to what it was before the virus hit. MBRCheck, version 1.2.3 © 2010, AD Command-line: Windows Version: Windows XP Home Edition Windows Information: Service Pack 3 (build 2600) Logical Drives Mask: 0x0000001d Kernel Drivers (total 131): 0x804D7000 \WINDOWS\system32\ntoskrnl.exe 0x806EE000 \WINDOWS\system32\hal.dll 0xF8AB6000 \WINDOWS\system32\KDCOM.DLL 0xF89C6000 \WINDOWS\system32\BOOTVID.dll 0xF8567000 ACPI.sys 0xF8AB8000 \WINDOWS\System32\DRIVERS\WMILIB.SYS 0xF8556000 pci.sys 0xF85B6000 isapnp.sys 0xF8ABA000 intelide.sys 0xF8836000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS 0xF85C6000 MountMgr.sys 0xF8537000 ftdisk.sys 0xF883E000 PartMgr.sys 0xF85D6000 VolSnap.sys 0xF851F000 atapi.sys 0xF85E6000 disk.sys 0xF85F6000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS 0xF84FF000 fltmgr.sys 0xF84ED000 sr.sys 0xF8846000 PxHelp20.sys 0xF89CA000 PzWDM.sys 0xF84D6000 KSecDD.sys 0xF8449000 Ntfs.sys 0xF841C000 NDIS.sys 0xF8402000 Mup.sys 0xF8606000 agp440.sys 0xF8736000 \SystemRoot\System32\DRIVERS\intelppm.sys 0xF7AB9000 \SystemRoot\System32\DRIVERS\nv4_mini.sys 0xF7AA5000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS 0xF88FE000 \SystemRoot\System32\DRIVERS\DM9PCI5.SYS 0xF7A0A000 \SystemRoot\system32\DRIVERS\ltmdmnt.sys 0xF8906000 \SystemRoot\System32\Drivers\Modem.SYS 0xF79E7000 \SystemRoot\system32\drivers\tbcspud.sys 0xF8CB2000 \SystemRoot\system32\drivers\tbcos.sys 0xF79C4000 \SystemRoot\system32\drivers\ks.sys 0xF8746000 \SystemRoot\System32\DRIVERS\i8042prt.sys 0xF890E000 \SystemRoot\System32\DRIVERS\mouclass.sys 0xF8916000 \SystemRoot\System32\DRIVERS\kbdclass.sys 0xF891E000 \SystemRoot\System32\DRIVERS\fdc.sys 0xF8756000 \SystemRoot\System32\DRIVERS\serial.sys 0xF7EA9000 \SystemRoot\System32\DRIVERS\serenum.sys 0xF79B0000 \SystemRoot\System32\DRIVERS\parport.sys 0xF8766000 \SystemRoot\system32\DRIVERS\imapi.sys 0xF8776000 \SystemRoot\System32\DRIVERS\cdrom.sys 0xF7C81000 \SystemRoot\System32\DRIVERS\redbook.sys 0xF7EA5000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys 0xF8926000 \SystemRoot\System32\DRIVERS\usbuhci.sys 0xF798C000 \SystemRoot\System32\DRIVERS\USBPORT.SYS 0xF8CBB000 \SystemRoot\System32\DRIVERS\audstub.sys 0xF7C71000 \SystemRoot\System32\DRIVERS\rasl2tp.sys 0xF7E99000 \SystemRoot\System32\DRIVERS\ndistapi.sys 0xF7975000 \SystemRoot\System32\DRIVERS\ndiswan.sys 0xF7C61000 \SystemRoot\System32\DRIVERS\raspppoe.sys 0xF7C51000 \SystemRoot\System32\DRIVERS\raspptp.sys 0xF892E000 \SystemRoot\System32\DRIVERS\TDI.SYS 0xF7964000 \SystemRoot\System32\DRIVERS\psched.sys 0xF7C41000 \SystemRoot\System32\DRIVERS\msgpc.sys 0xF8936000 \SystemRoot\System32\DRIVERS\ptilink.sys 0xF893E000 \SystemRoot\System32\DRIVERS\raspti.sys 0xF7C31000 \SystemRoot\System32\Drivers\Pcouffin.sys 0xF7C21000 \SystemRoot\System32\DRIVERS\termdd.sys 0xF8AFE000 \SystemRoot\System32\DRIVERS\swenum.sys 0xF7906000 \SystemRoot\System32\DRIVERS\update.sys 0xF8A5A000 \SystemRoot\System32\DRIVERS\mssmbios.sys 0xF7C11000 \SystemRoot\System32\DRIVERS\usbhub.sys 0xF8B00000 \SystemRoot\System32\DRIVERS\USBD.SYS 0xF7C01000 \SystemRoot\System32\Drivers\NDProxy.SYS 0xF8A8E000 \SystemRoot\system32\drivers\MODEMCSA.sys 0xF1775000 \SystemRoot\system32\drivers\tbcwdm.sys 0xF09FA000 \SystemRoot\system32\drivers\portcls.sys 0xF8826000 \SystemRoot\system32\drivers\drmk.sys 0xF8AA2000 \SystemRoot\system32\DRIVERS\gameenum.sys 0xF89B6000 \SystemRoot\System32\DRIVERS\flpydisk.sys 0xF8AC2000 \SystemRoot\System32\Drivers\Fs_Rec.SYS 0xF8C05000 \SystemRoot\System32\Drivers\Null.SYS 0xF8AC4000 \SystemRoot\System32\Drivers\Beep.SYS 0xF888E000 \SystemRoot\System32\drivers\vga.sys 0xF8AC6000 \SystemRoot\System32\Drivers\mnmdd.SYS 0xF8AC8000 \SystemRoot\System32\DRIVERS\RDPCDD.sys 0xF8946000 \SystemRoot\System32\Drivers\Msfs.SYS 0xF88A6000 \SystemRoot\System32\Drivers\Npfs.SYS 0xEE941000 \SystemRoot\System32\DRIVERS\rasacd.sys 0xECF80000 \SystemRoot\System32\DRIVERS\ipsec.sys 0xECF27000 \SystemRoot\System32\DRIVERS\tcpip.sys 0xF8726000 \SystemRoot\System32\Drivers\aswTdi.SYS 0xECECE000 \SystemRoot\System32\DRIVERS\netbt.sys 0xEE931000 \SystemRoot\System32\drivers\ws2ifsl.sys 0xECE95000 \SystemRoot\System32\drivers\afd.sys 0xF25EC000 \SystemRoot\System32\DRIVERS\netbios.sys 0xECDFB000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys 0xF896E000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 0xECD3A000 \SystemRoot\System32\DRIVERS\rdbss.sys 0xED9F5000 \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS 0xECC86000 \SystemRoot\System32\DRIVERS\mrxsmb.sys 0xF86F6000 \SystemRoot\System32\Drivers\Fips.SYS 0xECBC0000 \SystemRoot\System32\DRIVERS\ipnat.sys 0xF255C000 \SystemRoot\System32\DRIVERS\wanarp.sys 0xEBDAD000 \SystemRoot\system32\DRIVERS\usbccgp.sys 0xEC3BB000 \SystemRoot\System32\DRIVERS\hidusb.sys 0xEB98B000 \SystemRoot\System32\DRIVERS\HIDCLASS.SYS 0xEF94F000 \SystemRoot\System32\DRIVERS\HIDPARSE.SYS 0xEFD48000 \SystemRoot\system32\DRIVERS\usbprint.sys 0xEF6CE000 \SystemRoot\system32\DRIVERS\BrScnUsb.sys 0xEF6CA000 \SystemRoot\System32\Drivers\BrUsbSer.sys 0xEB94B000 \SystemRoot\System32\Drivers\BrSerIf.sys 0xEFE13000 \SystemRoot\System32\Drivers\Cinemsup.SYS 0xEB8F0000 \SystemRoot\System32\Drivers\aswSP.SYS 0xEFE03000 \SystemRoot\System32\Drivers\Aavmker4.SYS 0xEFE63000 \SystemRoot\System32\DRIVERS\mouhid.sys 0xEFEEE000 \SystemRoot\System32\Drivers\Cdfs.SYS 0xBF800000 \SystemRoot\System32\win32k.sys 0xEFD8B000 \SystemRoot\System32\drivers\Dxapi.sys 0xEFDDB000 \SystemRoot\System32\watchdog.sys 0xBF000000 \SystemRoot\System32\drivers\dxg.sys 0xF8C51000 \SystemRoot\System32\drivers\dxgthk.sys 0xBF012000 \SystemRoot\System32\nv4_disp.dll 0xBFFA0000 \SystemRoot\System32\ATMFD.DLL 0xF8A82000 \SystemRoot\System32\Drivers\aswFsBlk.SYS 0xEFD8F000 \SystemRoot\System32\DRIVERS\ndisuio.sys 0xB9D04000 \SystemRoot\System32\Drivers\aswMon2.SYS 0xB93AF000 \SystemRoot\system32\drivers\wdmaud.sys 0xED296000 \SystemRoot\system32\drivers\sysaudio.sys 0xB9214000 \SystemRoot\System32\DRIVERS\mrxdav.sys 0xF8B6C000 \SystemRoot\System32\Drivers\ParVdm.SYS 0xB9241000 \SystemRoot\System32\drivers\aspi32.sys 0xB90CC000 \SystemRoot\System32\DRIVERS\srv.sys 0xB8DBB000 \SystemRoot\System32\Drivers\HTTP.sys 0xED3BD000 \SystemRoot\System32\Drivers\aswRdr.SYS 0xB8782000 \SystemRoot\System32\Drivers\Udfs.SYS 0xB85EC000 \SystemRoot\system32\drivers\kmixer.sys 0x7C900000 \WINDOWS\system32\ntdll.dll Processes (total 44): 0 System Idle Process 4 System 492 C:\WINDOWS\system32\smss.exe 572 csrss.exe 596 C:\WINDOWS\system32\winlogon.exe 640 C:\WINDOWS\system32\services.exe 652 C:\WINDOWS\system32\lsass.exe 804 C:\WINDOWS\system32\svchost.exe 848 svchost.exe 916 C:\WINDOWS\system32\svchost.exe 980 svchost.exe 1056 svchost.exe 1208 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe 1308 C:\WINDOWS\explorer.exe 1420 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe 1428 C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe 1436 C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe 1448 C:\Program Files\iTunes\iTunesHelper.exe 1456 C:\WINDOWS\system32\WDBtnMgr.exe 1476 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe 1560 C:\Program Files\Alwil Software\Avast5\AvastUI.exe 1604 C:\Program Files\Common Files\Java\Java Update\jusched.exe 1648 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe 1700 C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe 1716 C:\Program Files\Starfield\starfieldupdate.exe 1728 C:\Program Files\Starfield\wben.exe 1744 C:\WINDOWS\system32\ctfmon.exe 1812 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe 440 C:\WINDOWS\system32\spoolsv.exe 1896 svchost.exe 1808 C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe 544 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe 656 C:\Program Files\Starfield\offSyncService.exe 892 C:\Program Files\iPod Access for Windows\iPAHelper.exe 904 C:\Program Files\Java\jre6\bin\jqs.exe 1008 C:\WINDOWS\system32\nvsvc32.exe 1096 C:\Program Files\Dantz\Retrospect\retrorun.exe 1400 C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe 1496 C:\WINDOWS\system32\svchost.exe 2180 C:\Program Files\iPod\bin\iPodService.exe 2540 alg.exe 2784 C:\Program Files\Internet Explorer\iexplore.exe 3964 C:\Program Files\Internet Explorer\iexplore.exe 3496 C:\Documents and Settings\Bonnie\Desktop\MBRCheck.exe \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS) PhysicalDrive0 Model Number: MAXTOR6L080J4, Rev: A93.0500 Size Device Name MBR Status -------------------------------------------- 74 GB \\.\PhysicalDrive0 Windows XP MBR code detected SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A Done!

GMER will not run (i.e., it hangs) in both safe mode and in normal mode. In safe mode, the place where it hangs is C:\WINDOWS\system32\drivers\intelide.sys In normal mode, I think it was at HTTP.sys

ok, negster22, I have done as you instructed and have included the two logs below. TDSS Killer found no threats (infection not found). The TDSS KIller log appers below, followed by the mbr log file. However, I have noticed my system running more slowly. When I unzip or unrar a file, it takes a lot longer than usual, and I also noticed that copying backup files onto DVD takes longer because the write speed doesn't seem to want to go much more quickly than 2x or 3x. Not sure what got changed, but I did run the latest free version of Advanced System Care 3, and the changes it made (defrag, registry cleanup, etc.) didn't seem to make much difference. 2010/12/04 18:50:14.0187 TDSS rootkit removing tool 2.4.10.1 Dec 2 2010 12:28:01 2010/12/04 18:50:14.0187 ================================================================================ 2010/12/04 18:50:14.0187 SystemInfo: 2010/12/04 18:50:14.0187 2010/12/04 18:50:14.0187 OS Version: 5.1.2600 ServicePack: 3.0 2010/12/04 18:50:14.0187 Product type: Workstation 2010/12/04 18:50:14.0187 ComputerName: PANAMA 2010/12/04 18:50:14.0187 UserName: Bonnie 2010/12/04 18:50:14.0187 Windows directory: C:\WINDOWS 2010/12/04 18:50:14.0187 System windows directory: C:\WINDOWS 2010/12/04 18:50:14.0187 Processor architecture: Intel x86 2010/12/04 18:50:14.0187 Number of processors: 1 2010/12/04 18:50:14.0187 Page size: 0x1000 2010/12/04 18:50:14.0187 Boot type: Normal boot 2010/12/04 18:50:14.0187 ================================================================================ 2010/12/04 18:50:14.0656 Initialize success 2010/12/04 18:50:37.0093 ================================================================================ 2010/12/04 18:50:37.0093 Scan started 2010/12/04 18:50:37.0093 Mode: Manual; 2010/12/04 18:50:37.0093 ================================================================================ 2010/12/04 18:50:39.0109 Aavmker4 (8d488938e2f7048906f1fbd3af394887) C:\WINDOWS\system32\drivers\Aavmker4.sys 2010/12/04 18:50:40.0000 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys 2010/12/04 18:50:40.0406 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys 2010/12/04 18:50:41.0000 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys 2010/12/04 18:50:41.0421 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys 2010/12/04 18:50:41.0750 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys 2010/12/04 18:50:44.0484 Aspi32 (5b01af89d16d562825c4db4530f20cbb) C:\WINDOWS\system32\drivers\aspi32.sys 2010/12/04 18:50:44.0781 aswFsBlk (a0d86b8ac93ef95620420c7a24ac5344) C:\WINDOWS\system32\drivers\aswFsBlk.sys 2010/12/04 18:50:45.0093 aswMon2 (7d880c76a285a41284d862e2d798ec0d) C:\WINDOWS\system32\drivers\aswMon2.sys 2010/12/04 18:50:45.0453 aswRdr (69823954bbd461a73d69774928c9737e) C:\WINDOWS\system32\drivers\aswRdr.sys 2010/12/04 18:50:45.0781 aswSP (7ecc2776638b04553f9a85bd684c3abf) C:\WINDOWS\system32\drivers\aswSP.sys 2010/12/04 18:50:46.0125 aswTdi (095ed820a926aa8189180b305e1bcfc9) C:\WINDOWS\system32\drivers\aswTdi.sys 2010/12/04 18:50:46.0468 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys 2010/12/04 18:50:46.0796 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys 2010/12/04 18:50:47.0421 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys 2010/12/04 18:50:47.0765 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys 2010/12/04 18:50:48.0093 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys 2010/12/04 18:50:48.0453 brfilt (4ba311473e0d8557827e6f2fe33a8095) C:\WINDOWS\system32\Drivers\Brfilt.sys 2010/12/04 18:50:48.0812 brparimg (e05d9eda91c1b2c4c4f6f5a6d5b14b58) C:\WINDOWS\system32\DRIVERS\BrParImg.sys 2010/12/04 18:50:49.0140 BrParWdm (108d5c678411ac5b53d51756177d50a4) C:\WINDOWS\system32\Drivers\BrParwdm.sys 2010/12/04 18:50:49.0484 BrScnUsb (92a964547b96d697e5e9ed43b4297f5a) C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys 2010/12/04 18:50:49.0796 BrSerIf (1a5fc78e41840edf79d65ec16eff2787) C:\WINDOWS\system32\Drivers\BrSerIf.sys 2010/12/04 18:50:50.0125 BrSerWDM (8e06cd96e00472c03770a697d04031c0) C:\WINDOWS\system32\Drivers\BrSerWdm.sys 2010/12/04 18:50:50.0500 BrUsbSer (a24c7b39602218f8dbdb2b6704325fc7) C:\WINDOWS\system32\Drivers\BrUsbSer.sys 2010/12/04 18:50:50.0828 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys 2010/12/04 18:50:51.0468 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys 2010/12/04 18:50:51.0796 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys 2010/12/04 18:50:52.0125 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys 2010/12/04 18:50:52.0890 Cinemsup (f6a0f51706cb4b0d5b8718ff69f831ba) C:\WINDOWS\system32\drivers\Cinemsup.sys 2010/12/04 18:50:54.0812 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys 2010/12/04 18:50:55.0218 DM9102 (51ef6ca3d57055fed6ab99021d562443) C:\WINDOWS\system32\DRIVERS\DM9PCI5.SYS 2010/12/04 18:50:55.0906 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys 2010/12/04 18:50:56.0531 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys 2010/12/04 18:50:56.0890 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys 2010/12/04 18:50:57.0218 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys 2010/12/04 18:50:57.0812 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys 2010/12/04 18:50:58.0218 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys 2010/12/04 18:50:58.0625 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys 2010/12/04 18:50:58.0937 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys 2010/12/04 18:50:59.0281 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys 2010/12/04 18:50:59.0640 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys 2010/12/04 18:51:00.0000 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys 2010/12/04 18:51:00.0359 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys 2010/12/04 18:51:00.0703 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys 2010/12/04 18:51:01.0031 GEARAspiWDM (5dc17164f66380cbfefd895c18467773) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys 2010/12/04 18:51:01.0375 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys 2010/12/04 18:51:01.0750 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys 2010/12/04 18:51:02.0750 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys 2010/12/04 18:51:03.0859 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys 2010/12/04 18:51:04.0250 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys 2010/12/04 18:51:05.0000 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys 2010/12/04 18:51:05.0375 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys 2010/12/04 18:51:05.0765 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys 2010/12/04 18:51:06.0140 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 2010/12/04 18:51:06.0562 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys 2010/12/04 18:51:06.0968 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys 2010/12/04 18:51:07.0406 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys 2010/12/04 18:51:07.0828 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys 2010/12/04 18:51:08.0187 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys 2010/12/04 18:51:08.0609 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys 2010/12/04 18:51:09.0062 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys 2010/12/04 18:51:09.0500 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys 2010/12/04 18:51:10.0453 ltmodem5 (829ef680a308c12e2a80e5e0da0d958d) C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys 2010/12/04 18:51:11.0031 mf (a7da20ab18a1bdae28b0f349e57da0d1) C:\WINDOWS\system32\DRIVERS\mf.sys 2010/12/04 18:51:11.0343 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys 2010/12/04 18:51:11.0687 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys 2010/12/04 18:51:12.0000 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys 2010/12/04 18:51:12.0296 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys 2010/12/04 18:51:12.0609 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys 2010/12/04 18:51:12.0953 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys 2010/12/04 18:51:13.0625 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys 2010/12/04 18:51:14.0125 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 2010/12/04 18:51:14.0640 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys 2010/12/04 18:51:14.0937 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys 2010/12/04 18:51:15.0234 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys 2010/12/04 18:51:15.0562 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys 2010/12/04 18:51:15.0890 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys 2010/12/04 18:51:16.0203 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys 2010/12/04 18:51:16.0609 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys 2010/12/04 18:51:16.0984 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys 2010/12/04 18:51:17.0250 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys 2010/12/04 18:51:17.0578 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys 2010/12/04 18:51:17.0906 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys 2010/12/04 18:51:18.0218 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys 2010/12/04 18:51:18.0546 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys 2010/12/04 18:51:18.0968 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys 2010/12/04 18:51:19.0421 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys 2010/12/04 18:51:19.0937 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys 2010/12/04 18:51:20.0625 nv (1685a86ce8dc5a70d307dca625fb50e7) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 2010/12/04 18:51:21.0578 nv4 (4d31783965b0b7ced7db3f4ee14cf260) C:\WINDOWS\system32\DRIVERS\nv4.sys 2010/12/04 18:51:22.0171 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys 2010/12/04 18:51:22.0500 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys 2010/12/04 18:51:22.0875 OMCI (e1e54131462b63efefaf14aca8e4012b) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS 2010/12/04 18:51:23.0265 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys 2010/12/04 18:51:23.0593 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys 2010/12/04 18:51:24.0000 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys 2010/12/04 18:51:24.0312 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys 2010/12/04 18:51:25.0312 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys 2010/12/04 18:51:25.0718 Pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\Pcouffin.sys 2010/12/04 18:51:27.0593 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys 2010/12/04 18:51:27.0937 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys 2010/12/04 18:51:28.0250 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys 2010/12/04 18:51:28.0562 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys 2010/12/04 18:51:28.0984 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys 2010/12/04 18:51:29.0296 PzWDM (36cf3653d367cbc72a38625543f3d4d1) C:\WINDOWS\system32\Drivers\PzWDM.sys 2010/12/04 18:51:31.0000 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys 2010/12/04 18:51:31.0328 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 2010/12/04 18:51:31.0718 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys 2010/12/04 18:51:32.0015 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys 2010/12/04 18:51:32.0359 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys 2010/12/04 18:51:32.0750 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys 2010/12/04 18:51:33.0125 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys 2010/12/04 18:51:33.0484 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys 2010/12/04 18:51:33.0718 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 2010/12/04 18:51:33.0859 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS 2010/12/04 18:51:33.0953 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys 2010/12/04 18:51:34.0343 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys 2010/12/04 18:51:34.0687 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys 2010/12/04 18:51:35.0000 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys 2010/12/04 18:51:35.0328 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys 2010/12/04 18:51:36.0203 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys 2010/12/04 18:51:36.0531 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys 2010/12/04 18:51:36.0984 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys 2010/12/04 18:51:37.0437 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys 2010/12/04 18:51:37.0765 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys 2010/12/04 18:51:39.0218 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys 2010/12/04 18:51:39.0593 tbcspud (4e296e262ae499e3b1697798a9084451) C:\WINDOWS\system32\drivers\tbcspud.sys 2010/12/04 18:51:40.0125 tbcwdm (fc855b65379f621a34c4309c31f754eb) C:\WINDOWS\system32\drivers\tbcwdm.sys 2010/12/04 18:51:40.0750 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys 2010/12/04 18:51:41.0156 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys 2010/12/04 18:51:41.0484 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys 2010/12/04 18:51:41.0828 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys 2010/12/04 18:51:42.0484 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys 2010/12/04 18:51:43.0203 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys 2010/12/04 18:51:43.0671 USBAAPL (f340199e8cb097e1acd58a967c665919) C:\WINDOWS\system32\Drivers\usbaapl.sys 2010/12/04 18:51:44.0078 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys 2010/12/04 18:51:44.0390 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys 2010/12/04 18:51:44.0703 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys 2010/12/04 18:51:45.0046 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 2010/12/04 18:51:45.0437 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys 2010/12/04 18:51:45.0781 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys 2010/12/04 18:51:46.0406 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys 2010/12/04 18:51:46.0765 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys 2010/12/04 18:51:47.0343 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys 2010/12/04 18:51:47.0812 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys 2010/12/04 18:51:48.0140 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys 2010/12/04 18:51:48.0500 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys 2010/12/04 18:51:48.0828 ================================================================================ 2010/12/04 18:51:48.0828 Scan finished 2010/12/04 18:51:48.0843 ================================================================================ Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net Windows 5.1.2600 Disk: MAXTOR_6L080J4 rev.A93.0500 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 device: opened successfully user: MBR read successfully Disk trace: called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys 1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x82FA1AB8] 3 CLASSPNP[0xF85F6FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000057[0x82F78F18] 5 ACPI[0xF856D620] -> nt!IofCallDriver[0x804E37D5] -> \Device\Ide\IdeDeviceP0T0L0-3[0x82F66940] kernel: MBR read successfully _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; } user & kernel MBR OK

ok, negster22, I did all you instructed, and the resulting ComboFix log is below. I did scan all 8 of those files through Virustotal, and none of them resulted in any virus flags appearing. The ark.txt file I got originally was included in the Attach.zip file of my original post, but I pasted it here again following the ComboFix log. If you want me to generate another one now, please let me know. Thanks again! ComboFix 10-12-03.01 - Bonnie 12/03/2010 22:20:37.5.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.187 [GMT -5:00] Running from: c:\documents and settings\Bonnie\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Bonnie\Desktop\CFScript.txt AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} file zipped: c:\windows\system32\%APPDATA%\WhiteSmokeSetup\config.txt file zipped: c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.cab file zipped: c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.hdr file zipped: c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data2.cab file zipped: c:\windows\system32\%APPDATA%\WhiteSmokeSetup\layout.bin file zipped: c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.inx file zipped: c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.log . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\abl c:\windows\system32\%APPDATA%\WhiteSmokeSetup\config.txt c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.cab c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.hdr c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data2.cab c:\windows\system32\%APPDATA%\WhiteSmokeSetup\layout.bin c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.inx c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.log . ((((((((((((((((((((((((( Files Created from 2010-11-04 to 2010-12-04 ))))))))))))))))))))))))))))))) . 2010-12-04 02:23 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys 2010-12-04 02:23 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys 2010-12-04 02:23 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys 2010-12-04 02:23 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys 2010-12-04 02:23 . 2010-09-07 15:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys 2010-12-04 02:23 . 2010-09-07 15:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys 2010-12-04 02:23 . 2010-09-07 15:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys 2010-12-04 02:23 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr 2010-12-04 02:23 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe 2010-12-03 06:40 . 2010-12-03 06:40 -------- d-----w- c:\program files\IObit 2010-12-03 06:40 . 2010-12-03 06:40 -------- d-----w- c:\documents and settings\Bonnie\Application Data\IObit 2010-12-01 17:03 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-12-01 17:03 . 2010-12-01 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-12-01 17:03 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-12-01 07:57 . 2010-12-01 07:57 -------- d-----w- c:\windows\system32\wbem\Repository 2010-12-01 05:05 . 2010-12-01 05:05 -------- d-sh--w- c:\documents and settings\Administrator.PANAMA\PrivacIE 2010-12-01 05:04 . 2010-12-01 05:05 -------- d-----w- c:\documents and settings\Administrator.PANAMA\Local Settings\Application Data\Adobe 2010-12-01 04:53 . 2010-12-01 07:56 -------- d-----w- c:\documents and settings\Bonnie\Local Settings\Application Data\{F0187684-22BB-4EB6-BC86-A62A71B058FB} 2010-12-01 04:53 . 2010-12-01 04:53 -------- d-----w- c:\documents and settings\NetworkService\PrivacIE 2010-12-01 04:51 . 2010-12-01 04:51 -------- d-----w- c:\windows\system32\%APPDATA% 2010-12-01 04:28 . 2010-12-01 04:28 -------- d-sh--w- c:\documents and settings\Administrator.PANAMA\IETldCache 2010-12-01 03:05 . 2010-12-01 03:05 -------- d-----w- c:\documents and settings\LocalService\IETldCache 2010-12-01 02:38 . 2010-12-01 02:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2010-11-20 21:49 . 2010-11-20 21:49 -------- d-sh--w- c:\documents and settings\Bonnie\IECompatCache 2010-11-20 21:47 . 2010-11-20 21:47 -------- d-sh--w- c:\documents and settings\Bonnie\PrivacIE 2010-11-20 21:44 . 2010-11-20 21:44 -------- d-sh--w- c:\documents and settings\Bonnie\IETldCache 2010-11-20 20:15 . 2010-11-20 20:17 -------- dc-h--w- c:\windows\ie8 2010-11-20 20:11 . 2010-08-26 11:08 13312 -c----w- c:\windows\system32\dllcache\iecompat.dll 2010-11-20 20:10 . 2010-09-10 05:58 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll 2010-11-20 20:10 . 2010-09-10 05:58 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll 2010-11-20 20:10 . 2010-09-10 05:58 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll 2010-11-20 20:10 . 2010-09-10 05:58 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll 2010-11-20 20:10 . 2010-09-10 05:58 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll 2010-11-20 20:10 . 2010-09-10 05:58 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll 2010-11-20 20:10 . 2010-09-10 05:58 11080192 -c----w- c:\windows\system32\dllcache\ieframe.dll 2010-11-20 20:09 . 2010-11-20 20:09 -------- d-----w- C:\8f1bc57f4eae3148477baeb92d48e899 2010-11-20 18:23 . 2010-11-20 18:23 -------- d-----w- c:\documents and settings\Bonnie\Local Settings\Application Data\offsync 2010-11-20 18:19 . 2010-11-20 18:20 -------- d-----w- c:\program files\Starfield 2010-11-20 18:19 . 2010-11-20 18:19 -------- d-----w- c:\documents and settings\Bonnie\Local Settings\Application Data\Starfield 2010-11-20 06:26 . 2010-11-20 06:26 -------- d-----w- c:\documents and settings\Bonnie\Application Data\ScanSoft 2010-11-19 16:38 . 2010-11-19 16:38 -------- d-----w- c:\documents and settings\Bonnie\Local Settings\Application Data\MagicSoftware . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-09-18 16:23 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll 2010-09-18 06:53 . 2001-08-18 12:00 974848 --sha-w- c:\windows\system32\mfc42.dll 2010-09-18 06:53 . 2001-08-18 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll 2010-09-18 06:53 . 2001-08-18 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll 2010-09-15 08:50 . 2010-05-18 05:25 472808 ----a-w- c:\windows\system32\deployJava1.dll 2010-09-15 06:29 . 2010-05-18 05:25 73728 ----a-w- c:\windows\system32\javacpl.cpl 2010-09-10 05:58 . 2001-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet.dll 2010-09-10 05:58 . 2001-08-18 12:00 43520 ------w- c:\windows\system32\licmgr10.dll 2010-09-10 05:58 . 2001-08-18 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2001-08-18 12:00 94784 --sh--w- c:\windows\twain.dll 2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll 2008-04-14 00:12 57344 --sh--w- c:\windows\system32\msvcirt.dll 2008-04-14 00:12 413696 --sha-w- c:\windows\system32\msvcp60.dll 2008-04-14 00:12 551936 --sh--w- c:\windows\system32\oleaut32.dll 2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PxDotNetLoader"="c:\program files\Fidelity Investments\Fidelity Active Trader\System\ATPStartupAssistant.exe" [2010-02-01 42392] "Starfield Updater"="c:\program files\Starfield\StarfieldUpdate.exe" [2010-11-20 32960] "wben"="c:\program files\Starfield\wben.exe" [2010-11-08 1074384] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472] "nwiz"="nwiz.exe" [2003-07-28 323584] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768] "WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576] "Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830] "Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738] "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752] "QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2008-03-29 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048] "WD Button Manager"="WDBtnMgr.exe" [2009-11-24 335872] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552] "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472] "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984] "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368] "PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992] "BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-02-10 745472] "ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824] "avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912] c:\documents and settings\Bonnie\Start Menu\Programs\Startup\ Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664] ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2005-4-28 25214] Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\Media Player Classic\\mplayerc.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [5/15/2006 9:51 AM 15172] R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/3/2010 9:23 PM 165584] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/4/2008 1:50 PM 12872] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 1:50 PM 67656] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/3/2010 9:23 PM 17744] R2 File Backup;File Backup Service;c:\program files\Starfield\offSyncService.exe [7/16/2010 1:47 PM 1310960] R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [12/27/2004 11:01 PM 142336] R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [12/27/2004 11:01 PM 524288] S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [12/25/2004 10:02 AM 2944] S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [12/25/2004 10:02 AM 3168] S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [12/25/2004 10:02 AM 39552] S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [12/25/2004 10:02 AM 60416] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 1:50 PM 12872] . Contents of the 'Scheduled Tasks' folder 2010-11-20 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uInternet Settings,ProxyOverride = <local> uInternet Settings,ProxyServer = http=127.0.0.1:5577 IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 Trusted Zone: news-antique.com\www Trusted Zone: turbotax.com DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-12-03 22:43 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version] "Version"=hex:b0,e6,01,12,c3,e7,26,8a,6e,3c,bd,57,64,39,50,7a,31,e4,26,5f,55, c9,a9,d5,6a,23,84,f3,9c,c9,27,25,bd,57,b1,e4,02,a7,0a,39,27,73,e9,c6,54,88,\ [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL] @DACL=(02 0000) "Installed"="1" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI] @DACL=(02 0000) "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS] @DACL=(02 0000) "Installed"="1" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}] @DACL=(02 0000) @="Microsoft Disk Quota" "NoMachinePolicy"=dword:00000000 "NoUserPolicy"=dword:00000001 "NoSlowLink"=dword:00000001 "NoBackgroundPolicy"=dword:00000001 "NoGPOListChanges"=dword:00000001 "PerUserLocalSettings"=dword:00000000 "RequiresSuccessfulRegistry"=dword:00000001 "EnableAsynchronousProcessing"=dword:00000000 "DllName"=expand:"dskquota.dll" "ProcessGroupPolicy"="ProcessGroupPolicy" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}] @DACL=(02 0000) @="Internet Explorer Zonemapping" "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll" "ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap" "NoGPOListChanges"=dword:00000001 "RequiresSucessfulRegistry"=dword:00000001 "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051" "RequiresSuccessfulRegistry"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}] @DACL=(02 0000) @="Internet Explorer User Accelerators" "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051" "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll" "NoGPOListChanges"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyForActivities" "ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx" "RequiresSuccessfulRegistry"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}] @DACL=(02 0000) "ProcessGroupPolicy"="SceProcessSecurityPolicyGPO" "GenerateGroupPolicy"="SceGenerateGroupPolicy" "ExtensionRsopPlanningDebugLevel"=dword:00000001 "ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx" "ExtensionDebugLevel"=dword:00000001 "DllName"=expand:"scecli.dll" @="Security" "NoUserPolicy"=dword:00000001 "NoGPOListChanges"=dword:00000001 "EnableAsynchronousProcessing"=dword:00000001 "MaxNoGPOListChangesInterval"=dword:000003c0 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}] @DACL=(02 0000) "ProcessGroupPolicyEx"="ProcessGroupPolicyEx" "GenerateGroupPolicy"="GenerateGroupPolicy" "ProcessGroupPolicy"="ProcessGroupPolicy" "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll" @="Internet Explorer Branding" "NoSlowLink"=dword:00000001 "NoBackgroundPolicy"=dword:00000000 "NoGPOListChanges"=dword:00000001 "NoMachinePolicy"=dword:00000001 "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}] @DACL=(02 0000) "ProcessGroupPolicy"="SceProcessEFSRecoveryGPO" "DllName"=expand:"scecli.dll" @="EFS recovery" "NoUserPolicy"=dword:00000001 "NoGPOListChanges"=dword:00000001 "RequiresSuccessfulRegistry"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}] @DACL=(02 0000) @="802.3 Group Policy" "DisplayName"=expand:"@dot3gpclnt.dll,-100" "ProcessGroupPolicyEx"="ProcessLANPolicyEx" "GenerateGroupPolicy"="GenerateLANPolicy" "DllName"=expand:"dot3gpclnt.dll" "NoUserPolicy"=dword:00000001 "NoGPOListChanges"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}] @DACL=(02 0000) @="Microsoft Offline Files" "DllName"=expand:"%SystemRoot%\\System32\\cscui.dll" "EnableAsynchronousProcessing"=dword:00000000 "NoBackgroundPolicy"=dword:00000000 "NoGPOListChanges"=dword:00000000 "NoMachinePolicy"=dword:00000000 "NoSlowLink"=dword:00000000 "NoUserPolicy"=dword:00000001 "PerUserLocalSettings"=dword:00000000 "ProcessGroupPolicy"="ProcessGroupPolicy" "RequiresSuccessfulRegistry"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}] @DACL=(02 0000) @="Software Installation" "DllName"=expand:"appmgmts.dll" "ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx" "GenerateGroupPolicy"="GenerateGroupPolicy" "NoBackgroundPolicy"=dword:00000000 "RequiresSucessfulRegistry"=dword:00000000 "NoSlowLink"=dword:00000001 "PerUserLocalSettings"=dword:00000001 "EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}] @DACL=(02 0000) @="Internet Explorer Machine Accelerators" "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051" "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll" "NoGPOListChanges"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyForActivities" "ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx" "RequiresSuccessfulRegistry"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon] @DACL=(02 0000) "DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL" "Logon"="SABWINLOLogon" "Logoff"="SABWINLOLogoff" "Startup"="SABWINLOStartup" "Shutdown"="SABWINLOShutdown" "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] @DACL=(02 0000) "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=expand:"crypt32.dll" "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] @DACL=(02 0000) "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=expand:"cryptnet.dll" "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] @DACL=(02 0000) "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy] @DACL=(02 0000) "Asynchronous"=dword:00000001 "DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll" "Startup"="WlDimsStartup" "Shutdown"="WlDimsShutdown" "Logon"="WlDimsLogon" "Logoff"="WlDimsLogoff" "StartShell"="WlDimsStartShell" "Lock"="WlDimsLock" "Unlock"="WlDimsUnlock" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] @DACL=(02 0000) "DLLName"="wlnotify.dll" "Logon"="SCardStartCertProp" "Logoff"="SCardStopCertProp" "Lock"="SCardSuspendCertProp" "Unlock"="SCardResumeCertProp" "Enabled"=dword:00000001 "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] @DACL=(02 0000) "Asynchronous"=dword:00000000 "DllName"=expand:"wlnotify.dll" "Impersonate"=dword:00000000 "StartShell"="SchedStartShell" "Logoff"="SchedEventLogOff" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] @DACL=(02 0000) "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=expand:"sclgntfy.dll" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] @DACL=(02 0000) "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "PostShell"="SensPostShellEvent" "Disconnect"="SensDisconnectEvent" "Reconnect"="SensReconnectEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] @DACL=(02 0000) "Asynchronous"=dword:00000000 "DllName"=expand:"wlnotify.dll" "Impersonate"=dword:00000000 "Logoff"="TSEventLogoff" "Logon"="TSEventLogon" "PostShell"="TSEventPostShell" "Shutdown"="TSEventShutdown" "StartShell"="TSEventStartShell" "Startup"="TSEventStartup" "MaxWait"=dword:00000258 "Reconnect"="TSEventReconnect" "Disconnect"="TSEventDisconnect" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] @DACL=(02 0000) "DLLName"="wlnotify.dll" "Logon"="RegisterTicketExpiredNotificationEvent" "Logoff"="UnregisterTicketExpiredNotificationEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList] @DACL=(02 0000) "HelpAssistant"=dword:00000000 "TsInternetUser"=dword:00000000 "SQLAgentCmdExec"=dword:00000000 "NetShowServices"=dword:00000000 "IWAM_"=dword:00010000 "IUSR_"=dword:00010000 "VUSR_"=dword:00010000 [HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version] "Version"=hex:b0,e6,01,12,c3,e7,26,8a,6e,3c,bd,57,64,39,50,7a,31,e4,26,5f,55, c9,a9,d5,6a,23,84,f3,9c,c9,27,25,bd,57,b1,e4,02,a7,0a,39,27,73,e9,c6,54,88,\ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(3864) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Alwil Software\Avast5\AvastSvc.exe c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe c:\windows\system32\WDBtnMgr.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\iPod Access for Windows\iPAHelper.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Brother\ControlCenter3\brccMCtl.exe c:\windows\system32\nvsvc32.exe c:\program files\Brother\Brmfcmon\BrMfcmon.exe c:\program files\Dantz\Retrospect\retrorun.exe c:\progra~1\Dantz\RETROS~1\wdsvc.exe c:\program files\iPod\bin\iPodService.exe . ************************************************************************** . Completion time: 2010-12-03 22:58:21 - machine was rebooted ComboFix-quarantined-files.txt 2010-12-04 03:58 ComboFix2.txt 2010-12-04 01:35 ComboFix3.txt 2008-12-24 15:39 Pre-Run: 9,651,920,896 bytes free Post-Run: 9,891,487,744 bytes free - - End Of File - - 54D08A5AA538171B1AD0907B453670DB GMER 1.0.15.15530 - http://www.gmer.net Rootkit scan 2010-12-01 18:07:34 Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 MAXTOR_6L080J4 rev.A93.0500 Running: ztufz8jc.exe; Driver: C:\DOCUME~1\ADMINI~1.PAN\LOCALS~1\Temp\awtdapow.sys ---- Kernel code sections - GMER 1.0.15 ---- init C:\WINDOWS\system32\drivers\PzWDM.sys entry point in "init" section [0xF89CE30E] ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\System32\svchost.exe[804] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CC000A .text C:\WINDOWS\System32\svchost.exe[804] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CD000A .text C:\WINDOWS\System32\svchost.exe[804] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CB000C .text C:\WINDOWS\System32\svchost.exe[804] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00FA000A .text C:\WINDOWS\Explorer.EXE[1316] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CE000A .text C:\WINDOWS\Explorer.EXE[1316] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CF000A .text C:\WINDOWS\Explorer.EXE[1316] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CD000C ---- Devices - GMER 1.0.15 ---- Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 82F1F3B2 Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 82F1F3B2 Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 82F1F3B2 Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 82F1F3B2 Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMAXTOR_6L080J4__________________________A93.0500#363632343131313330 3535322020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found ---- Registry - GMER 1.0.15 ---- Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000 Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\InprocHandler32@ ole32.dll Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\LocalServer32@ C:\PROGRA~1\MICROS~2\OFFICE11\WINWORD.EXE /Automation Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\LocalServer32@LocalServer32 ']gAVn-}f(ZXfeAR6.jiWORDFiles>P`os,1@SW=P7v6GPl]Xh /Automation? Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\ProgID@ Word.Application.11 Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\VersionIndependentProgID@ Word.Application Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0xB0 0xE6 0x01 0x12 ... ---- Disk sectors - GMER 1.0.15 ---- Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!! Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior; Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior; Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; Disk \Device\Harddisk0\DR0 sectors 156355328 (+255): rootkit-like behavior; ---- EOF - GMER 1.0.15 ----

Hi negster22, Thanks once again!! In the past couple of days, everything seems to be running fairly normally. I ran SUperAntivirus again and it found only one problem item in addition to the usual tracking cookies, called malware.trace, shich I deleted. But in general, things seem to be running fairly ok. I ran Combofix again as you instructed, and here is the log. I ran it originally in safe mode with networking, and then when it rebooted, I allowed it to come up in normal mode. Anyway, here is the latest ComboFix log. I see that it does mention WhiteSmoke in there, which probably means some traces of that thing perhaps still remain on my system: ComboFix 10-12-01.01 - Administrator 12/03/2010 20:13:03.4.1 - x86 NETWORK Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.372 [GMT -5:00] Running from: c:\documents and settings\Administrator.PANAMA\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Administrator.PANAMA\Desktop\CFScript.txt FILE :: "c:\windows\Jmoqanoj.bin" "c:\windows\system32\PavSRK.sys" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\Jmoqanoj.bin . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_PAVSRK.SYS -------\Service_PavSRK.sys ((((((((((((((((((((((((( Files Created from 2010-11-04 to 2010-12-04 ))))))))))))))))))))))))))))))) . 2010-12-03 06:40 . 2010-12-03 06:40 -------- d-----w- c:\program files\IObit 2010-12-01 17:03 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-12-01 17:03 . 2010-12-01 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-12-01 17:03 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-12-01 07:57 . 2010-12-01 07:57 -------- d-----w- c:\windows\system32\wbem\Repository 2010-12-01 05:05 . 2010-12-01 05:05 -------- d-sh--w- c:\documents and settings\Administrator.PANAMA\PrivacIE 2010-12-01 05:04 . 2010-12-01 05:05 -------- d-----w- c:\documents and settings\Administrator.PANAMA\Local Settings\Application Data\Adobe 2010-12-01 04:53 . 2010-12-01 04:53 -------- d-----w- c:\documents and settings\NetworkService\PrivacIE 2010-12-01 04:51 . 2010-12-01 04:51 -------- d-----w- c:\windows\system32\%APPDATA% 2010-12-01 04:28 . 2010-12-01 04:28 -------- d-sh--w- c:\documents and settings\Administrator.PANAMA\IETldCache 2010-12-01 03:05 . 2010-12-01 03:05 -------- d-----w- c:\documents and settings\LocalService\IETldCache 2010-12-01 02:38 . 2010-12-01 02:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2010-11-20 21:49 . 2010-11-20 21:49 -------- d-sh--w- c:\documents and settings\Bonnie\IECompatCache 2010-11-20 21:47 . 2010-11-20 21:47 -------- d-sh--w- c:\documents and settings\Bonnie\PrivacIE 2010-11-20 21:44 . 2010-11-20 21:44 -------- d-sh--w- c:\documents and settings\Bonnie\IETldCache 2010-11-20 20:15 . 2010-11-20 20:17 -------- dc-h--w- c:\windows\ie8 2010-11-20 20:11 . 2010-08-26 11:08 13312 -c----w- c:\windows\system32\dllcache\iecompat.dll 2010-11-20 20:10 . 2010-09-10 05:58 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll 2010-11-20 20:10 . 2010-09-10 05:58 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll 2010-11-20 20:10 . 2010-09-10 05:58 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll 2010-11-20 20:10 . 2010-09-10 05:58 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll 2010-11-20 20:10 . 2010-09-10 05:58 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll 2010-11-20 20:10 . 2010-09-10 05:58 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll 2010-11-20 20:10 . 2010-09-10 05:58 11080192 -c----w- c:\windows\system32\dllcache\ieframe.dll 2010-11-20 20:09 . 2010-11-20 20:09 -------- d-----w- C:\8f1bc57f4eae3148477baeb92d48e899 2010-11-20 18:19 . 2010-11-20 18:20 -------- d-----w- c:\program files\Starfield . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-09-18 16:23 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll 2010-09-18 06:53 . 2001-08-18 12:00 974848 --sha-w- c:\windows\system32\mfc42.dll 2010-09-18 06:53 . 2001-08-18 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll 2010-09-18 06:53 . 2001-08-18 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll 2010-09-15 08:50 . 2010-05-18 05:25 472808 ----a-w- c:\windows\system32\deployJava1.dll 2010-09-15 06:29 . 2010-05-18 05:25 73728 ----a-w- c:\windows\system32\javacpl.cpl 2010-09-10 05:58 . 2001-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet.dll 2010-09-10 05:58 . 2001-08-18 12:00 43520 ------w- c:\windows\system32\licmgr10.dll 2010-09-10 05:58 . 2001-08-18 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2001-08-18 12:00 94784 --sh--w- c:\windows\twain.dll 2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll 2008-04-14 00:12 57344 --sh--w- c:\windows\system32\msvcirt.dll 2008-04-14 00:12 413696 --sha-w- c:\windows\system32\msvcp60.dll 2008-04-14 00:12 551936 --sh--w- c:\windows\system32\oleaut32.dll 2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe . (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ---- Directory of C:\8f1bc57f4eae3148477baeb92d48e899 ---- 2009-03-08 19:22 . 2009-03-08 19:22 36864 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iedvtool.dll.mui 2009-03-08 19:22 . 2009-03-08 19:22 12288 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\mshtml.dll.mui 2009-03-08 19:22 . 2009-03-08 19:22 1241088 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieframe.dll.mui 2009-03-08 19:22 . 2009-03-08 19:22 3584 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\inseng.dll.mui 2009-03-08 19:22 . 2009-03-08 19:22 5120 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iernonce.dll.mui 2009-03-08 19:22 . 2009-03-08 19:22 2560 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\jsdebuggeride.dll.mui 2009-03-08 19:22 . 2009-03-08 19:22 7168 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieakeng.dll.mui 2009-03-08 19:22 . 2009-03-08 19:22 49152 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\msrating.dll.mui 2009-03-08 19:22 . 2009-03-08 19:22 2560 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iertutil.dll.mui 2009-03-08 19:22 . 2009-03-08 19:22 11264 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\vbscript.dll.mui 2009-03-08 19:22 . 2009-03-08 19:22 2560 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\jsprofilercore.dll.mui 2009-03-08 19:22 . 2009-03-08 19:22 40960 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\webcheck.dll.mui 2009-03-08 19:22 . 2009-03-08 19:22 6144 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\winfxdocobj.exe.mui 2009-03-08 19:22 . 2009-03-08 19:22 3584 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieui.dll.mui 2009-03-08 19:22 . 2009-03-08 19:22 2560 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\mshta.exe.mui 2009-03-08 19:22 . 2009-03-08 19:22 20480 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\jsdbgui.dll.mui 2009-03-08 19:22 . 2009-03-08 19:22 12288 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\hmmapi.dll.mui 2009-03-08 19:22 . 2009-03-08 19:22 77824 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iesetup.dll.mui 2009-03-08 19:22 . 2009-03-08 19:22 122880 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\inetcpl.cpl.mui 2009-03-08 19:22 . 2009-03-08 19:22 3584 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\admparse.dll.mui 2009-03-08 19:21 . 2009-03-08 19:21 53248 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\wininet.dll.mui 2009-03-08 19:21 . 2009-03-08 19:21 12288 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iexplore.exe.mui 2009-03-08 19:21 . 2009-03-08 19:21 20480 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\occache.dll.mui 2009-03-08 19:21 . 2009-03-08 19:21 57344 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\mshtmler.dll.mui 2009-03-08 19:21 . 2009-03-08 19:21 4608 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iepeers.dll.mui 2009-03-08 19:21 . 2009-03-08 19:21 2771706 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\inetres.adm 2009-03-08 19:21 . 2009-03-08 19:21 40960 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\urlmon.dll.mui 2009-03-08 19:21 . 2009-03-08 19:21 13460 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\inetcorp.iem 2009-03-08 19:21 . 2009-03-08 19:21 40960 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieaksie.dll.mui 2009-03-08 19:21 . 2009-03-08 19:21 2560 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\msfeedsbs.dll.mui 2009-03-08 19:21 . 2009-03-08 19:21 4096 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\licmgr10.dll.mui 2009-03-08 19:21 . 2009-03-08 19:21 10240 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\advpack.dll.mui 2009-03-08 19:21 . 2009-03-08 19:21 4096 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ie4uinit.exe.mui 2009-03-08 19:21 . 2009-03-08 19:21 118784 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieakui.dll.mui 2009-03-08 19:21 . 2009-03-08 19:21 13312 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\jscript.dll.mui 2009-03-08 19:21 . 2009-03-08 19:21 37836 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\inetset.iem 2009-03-08 19:20 . 2009-03-08 19:20 8704 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\icardie.dll.mui 2009-03-08 19:20 . 2009-03-08 19:20 81920 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iedkcs32.dll.mui 2009-03-08 19:20 . 2009-03-08 19:20 16384 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\jsprofilerui.dll.mui 2009-03-08 19:20 . 2009-03-08 19:20 10752 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\html.iec.mui 2009-03-08 19:09 . 2009-03-08 19:09 391536 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iedkcs32.dll 2009-03-08 19:09 . 2009-03-08 19:09 638816 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iexplore.exe 2009-03-08 09:41 . 2009-03-08 09:41 5937152 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\mshtml.dll 2009-03-08 09:39 . 2009-03-08 09:39 11063808 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieframe.dll 2009-03-08 09:35 . 2009-03-08 09:35 742912 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iedvtool.dll 2009-03-08 09:35 . 2009-03-08 09:35 233984 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\jsprofilerui.dll 2009-03-08 09:35 . 2009-03-08 09:35 385024 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\html.iec 2009-03-08 09:35 . 2009-03-08 09:35 144384 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\extexport.exe 2009-03-08 09:35 . 2009-03-08 09:35 2048 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iecompat.dll 2009-03-08 09:35 . 2009-03-08 09:35 118272 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\jsprofilercore.dll 2009-03-08 09:35 . 2009-03-08 09:35 521216 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\jsdbgui.dll 2009-03-08 09:35 . 2009-03-08 09:35 121344 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\jsdebuggeride.dll 2009-03-08 09:34 . 2009-03-08 09:34 914944 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\wininet.dll 2009-03-08 09:34 . 2009-03-08 09:34 1206784 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\urlmon.dll 2009-03-08 09:34 . 2009-03-08 09:34 1469440 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\inetcpl.cpl 2009-03-08 09:34 . 2009-03-08 09:34 236544 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\webcheck.dll 2009-03-08 09:34 . 2009-03-08 09:34 208384 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\winfxdocobj.exe 2009-03-08 09:34 . 2009-03-08 09:34 43008 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\licmgr10.dll 2009-03-08 09:34 . 2009-03-08 09:34 105984 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\url.dll 2009-03-08 09:34 . 2009-03-08 09:34 193536 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\msrating.dll 2009-03-08 09:34 . 2009-03-08 09:34 109568 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\occache.dll 2009-03-08 09:33 . 2009-03-08 09:33 246784 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieproxy.dll 2009-03-08 09:33 . 2009-03-08 09:33 759296 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\vgx.dll 2009-03-08 09:33 . 2009-03-08 09:33 18944 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\corpol.dll 2009-03-08 09:33 . 2009-03-08 09:33 25600 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\jsproxy.dll 2009-03-08 09:33 . 2009-03-08 09:33 12288 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\xpshims.dll 2009-03-08 09:33 . 2009-03-08 09:33 726528 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\jscript.dll 2009-03-08 09:33 . 2009-03-08 09:33 229376 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieaksie.dll 2009-03-08 09:33 . 2009-03-08 09:33 420352 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\vbscript.dll 2009-03-08 09:33 . 2009-03-08 09:33 125952 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieakeng.dll 2009-03-08 09:32 . 2009-03-08 09:32 72704 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\admparse.dll 2009-03-08 09:32 . 2009-03-08 09:32 173056 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ie4uinit.exe 2009-03-08 09:32 . 2009-03-08 09:32 163840 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieakui.dll 2009-03-08 09:32 . 2009-03-08 09:32 36864 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieudinit.exe 2009-03-08 09:32 . 2009-03-08 09:32 55808 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iernonce.dll 2009-03-08 09:32 . 2009-03-08 09:32 71680 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iesetup.dll 2009-03-08 09:32 . 2009-03-08 09:32 3072 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieudinit.exe.mui 2009-03-08 09:32 . 2009-03-08 09:32 128512 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\advpack.dll 2009-03-08 09:32 . 2009-03-08 09:32 94720 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\inseng.dll 2009-03-08 09:32 . 2009-03-08 09:32 594432 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\msfeeds.dll 2009-03-08 09:32 . 2009-03-08 09:32 1985024 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iertutil.dll 2009-03-08 09:32 . 2009-03-08 09:32 611840 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\mstime.dll 2009-03-08 09:31 . 2009-03-08 09:31 183808 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iepeers.dll 2009-03-08 09:31 . 2009-03-08 09:31 13312 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\msfeedssync.exe 2009-03-08 09:31 . 2009-03-08 09:31 59904 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\icardie.dll 2009-03-08 09:31 . 2009-03-08 09:31 55296 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\msfeedsbs.dll 2009-03-08 09:31 . 2009-03-08 09:31 348160 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\dxtmsft.dll 2009-03-08 09:31 . 2009-03-08 09:31 216064 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\dxtrans.dll 2009-03-08 09:31 . 2009-03-08 09:31 34816 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\imgutil.dll 2009-03-08 09:31 . 2009-03-08 09:31 46592 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\pngfilt.dll 2009-03-08 09:31 . 2009-03-08 09:31 66560 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\mshtmled.dll 2009-03-08 09:31 . 2009-03-08 09:31 48128 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\mshtmler.dll 2009-03-08 09:31 . 2009-03-08 09:31 45568 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\mshta.exe 2009-03-08 09:31 . 2009-03-08 09:31 1638912 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\mshtml.tlb 2009-03-08 09:30 . 2009-03-08 09:30 66560 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\tdc.ocx 2009-03-08 09:24 . 2009-03-08 09:24 68608 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\hmmapi.dll 2009-03-08 09:22 . 2009-03-08 09:22 164352 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieui.dll 2009-03-08 09:22 . 2009-03-08 09:22 156160 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\msls31.dll 2009-03-08 09:15 . 2009-03-08 09:15 57667 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieuinit.inf 2009-03-08 09:11 . 2009-03-08 09:11 445952 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieapfltr.dll 2009-03-08 08:45 . 2009-03-08 08:45 460 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\install.ins 2009-02-21 06:21 . 2009-02-21 06:21 529818 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iexplore.chm 2009-02-07 02:07 . 2009-02-07 02:07 3698584 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieapfltr.dat 2009-01-12 02:05 . 2009-01-12 02:05 2649 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ie8props.propdesc 2009-01-12 02:05 . 2009-01-12 02:05 12593 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieeula.chm 2009-01-12 02:05 . 2009-01-12 02:05 13874 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iesupp.chm 2009-01-07 23:21 . 2009-01-07 23:21 1876 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\msfeeds.mof 2009-01-07 23:21 . 2009-01-07 23:21 1938 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\msfeedsbs.mof 2009-01-07 23:21 . 2009-01-07 23:21 26144 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\spupdsvc.exe 2009-01-07 23:20 . 2009-01-07 23:20 16928 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\spmsg.dll 2009-01-07 23:20 . 2009-01-07 23:20 231456 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\spuninst.exe 2009-01-07 23:20 . 2009-01-07 23:20 134144 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\sqmapi.dll 2009-01-07 23:20 . 2009-01-07 23:20 1022976 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\browseui.dll 2009-01-07 23:20 . 2009-01-07 23:20 1497088 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\shdocvw.dll 2009-01-07 23:20 . 2009-01-07 23:20 474112 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\shlwapi.dll 2009-01-07 23:20 . 2009-01-07 23:20 19884 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\feeddisc.wav 2009-01-07 23:20 . 2009-01-07 23:20 23308 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\infobar.wav 2009-01-07 23:20 . 2009-01-07 23:20 11340 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\navstart.wav 2009-01-07 23:20 . 2009-01-07 23:20 85548 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\popupblk.wav 2009-01-07 23:20 . 2009-01-07 23:20 8798 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\icrav03.rat 2009-01-07 23:20 . 2009-01-07 23:20 65 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\occache.ini 2009-01-07 23:20 . 2009-01-07 23:20 1988 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ticrf.rat 2009-01-07 23:20 . 2009-01-07 23:20 65 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\webcheck.ini 2009-01-07 23:20 . 2009-01-07 23:20 54279 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieakmmc.chm 2009-01-07 23:20 . 2009-01-07 23:20 265720 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\msdbg2.dll 2009-01-07 23:20 . 2009-01-07 23:20 355832 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\pdm.dll ---- Directory of C:\abl ---- ---- Directory of c:\windows\system32\%APPDATA% ---- 2010-12-01 04:51 . 2010-12-01 04:52 86 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.log 2010-12-01 04:51 . 2010-07-07 09:44 234304 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.inx 2010-12-01 04:51 . 2010-07-07 09:45 31743 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.hdr 2010-12-01 04:51 . 2010-06-14 15:32 152 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\config.txt 2010-12-01 04:51 . 2010-07-07 09:45 473 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\layout.bin 2010-12-01 04:51 . 2010-07-07 09:45 3525401 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data2.cab 2010-12-01 04:51 . 2010-07-07 09:45 567840 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.cab ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "PxDotNetLoader"="c:\program files\Fidelity Investments\Fidelity Active Trader\System\ATPStartupAssistant.exe" [2010-02-01 42392] "Starfield Updater"="c:\program files\Starfield\StarfieldUpdate.exe" [2010-11-20 32960] "wben"="c:\program files\Starfield\wben.exe" [2010-11-08 1074384] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472] "nwiz"="nwiz.exe" [2003-07-28 323584] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768] "WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576] "Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830] "Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738] "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752] "QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2008-03-29 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048] "WD Button Manager"="WDBtnMgr.exe" [2009-11-24 335872] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552] "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472] "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984] "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368] "PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992] "BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-02-10 745472] "ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2005-4-28 25214] Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "c:\\WINDOWS\\system32\\sessmgr.exe"= "c:\\Program Files\\Media Player Classic\\mplayerc.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [5/15/2006 9:51 AM 15172] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/4/2008 1:50 PM 12872] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 1:50 PM 67656] R2 File Backup;File Backup Service;c:\program files\Starfield\offSyncService.exe [7/16/2010 1:47 PM 1310960] R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [12/27/2004 11:01 PM 142336] R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [12/27/2004 11:01 PM 524288] S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [12/25/2004 10:02 AM 2944] S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [12/25/2004 10:02 AM 3168] S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [12/25/2004 10:02 AM 39552] S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [12/25/2004 10:02 AM 60416] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 1:50 PM 12872] . Contents of the 'Scheduled Tasks' folder 2010-11-20 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uInternet Settings,ProxyOverride = <local> uInternet Settings,ProxyServer = http=127.0.0.1:5577 IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 Trusted Zone: news-antique.com\www Trusted Zone: turbotax.com DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-12-03 20:27 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version] "Version"=hex:b0,e6,01,12,c3,e7,26,8a,6e,3c,bd,57,64,39,50,7a,31,e4,26,5f,55, c9,a9,d5,6a,23,84,f3,9c,c9,27,25,bd,57,b1,e4,02,a7,0a,39,27,73,e9,c6,54,88,\ [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL] @DACL=(02 0000) "Installed"="1" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI] @DACL=(02 0000) "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS] @DACL=(02 0000) "Installed"="1" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}] @DACL=(02 0000) @="Microsoft Disk Quota" "NoMachinePolicy"=dword:00000000 "NoUserPolicy"=dword:00000001 "NoSlowLink"=dword:00000001 "NoBackgroundPolicy"=dword:00000001 "NoGPOListChanges"=dword:00000001 "PerUserLocalSettings"=dword:00000000 "RequiresSuccessfulRegistry"=dword:00000001 "EnableAsynchronousProcessing"=dword:00000000 "DllName"=expand:"dskquota.dll" "ProcessGroupPolicy"="ProcessGroupPolicy" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}] @DACL=(02 0000) @="Internet Explorer Zonemapping" "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll" "ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap" "NoGPOListChanges"=dword:00000001 "RequiresSucessfulRegistry"=dword:00000001 "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051" "RequiresSuccessfulRegistry"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}] @DACL=(02 0000) @="Internet Explorer User Accelerators" "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051" "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll" "NoGPOListChanges"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyForActivities" "ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx" "RequiresSuccessfulRegistry"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}] @DACL=(02 0000) "ProcessGroupPolicy"="SceProcessSecurityPolicyGPO" "GenerateGroupPolicy"="SceGenerateGroupPolicy" "ExtensionRsopPlanningDebugLevel"=dword:00000001 "ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx" "ExtensionDebugLevel"=dword:00000001 "DllName"=expand:"scecli.dll" @="Security" "NoUserPolicy"=dword:00000001 "NoGPOListChanges"=dword:00000001 "EnableAsynchronousProcessing"=dword:00000001 "MaxNoGPOListChangesInterval"=dword:000003c0 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}] @DACL=(02 0000) "ProcessGroupPolicyEx"="ProcessGroupPolicyEx" "GenerateGroupPolicy"="GenerateGroupPolicy" "ProcessGroupPolicy"="ProcessGroupPolicy" "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll" @="Internet Explorer Branding" "NoSlowLink"=dword:00000001 "NoBackgroundPolicy"=dword:00000000 "NoGPOListChanges"=dword:00000001 "NoMachinePolicy"=dword:00000001 "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}] @DACL=(02 0000) "ProcessGroupPolicy"="SceProcessEFSRecoveryGPO" "DllName"=expand:"scecli.dll" @="EFS recovery" "NoUserPolicy"=dword:00000001 "NoGPOListChanges"=dword:00000001 "RequiresSuccessfulRegistry"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}] @DACL=(02 0000) @="802.3 Group Policy" "DisplayName"=expand:"@dot3gpclnt.dll,-100" "ProcessGroupPolicyEx"="ProcessLANPolicyEx" "GenerateGroupPolicy"="GenerateLANPolicy" "DllName"=expand:"dot3gpclnt.dll" "NoUserPolicy"=dword:00000001 "NoGPOListChanges"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}] @DACL=(02 0000) @="Microsoft Offline Files" "DllName"=expand:"%SystemRoot%\\System32\\cscui.dll" "EnableAsynchronousProcessing"=dword:00000000 "NoBackgroundPolicy"=dword:00000000 "NoGPOListChanges"=dword:00000000 "NoMachinePolicy"=dword:00000000 "NoSlowLink"=dword:00000000 "NoUserPolicy"=dword:00000001 "PerUserLocalSettings"=dword:00000000 "ProcessGroupPolicy"="ProcessGroupPolicy" "RequiresSuccessfulRegistry"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}] @DACL=(02 0000) @="Software Installation" "DllName"=expand:"appmgmts.dll" "ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx" "GenerateGroupPolicy"="GenerateGroupPolicy" "NoBackgroundPolicy"=dword:00000000 "RequiresSucessfulRegistry"=dword:00000000 "NoSlowLink"=dword:00000001 "PerUserLocalSettings"=dword:00000001 "EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}] @DACL=(02 0000) @="Internet Explorer Machine Accelerators" "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051" "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll" "NoGPOListChanges"=dword:00000001 "ProcessGroupPolicy"="ProcessGroupPolicyForActivities" "ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx" "RequiresSuccessfulRegistry"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon] @DACL=(02 0000) "DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL" "Logon"="SABWINLOLogon" "Logoff"="SABWINLOLogoff" "Startup"="SABWINLOStartup" "Shutdown"="SABWINLOShutdown" "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] @DACL=(02 0000) "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=expand:"crypt32.dll" "Logoff"="ChainWlxLogoffEvent" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] @DACL=(02 0000) "Asynchronous"=dword:00000000 "Impersonate"=dword:00000000 "DllName"=expand:"cryptnet.dll" "Logoff"="CryptnetWlxLogoffEvent" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] @DACL=(02 0000) "DLLName"="cscdll.dll" "Logon"="WinlogonLogonEvent" "Logoff"="WinlogonLogoffEvent" "ScreenSaver"="WinlogonScreenSaverEvent" "Startup"="WinlogonStartupEvent" "Shutdown"="WinlogonShutdownEvent" "StartShell"="WinlogonStartShellEvent" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy] @DACL=(02 0000) "Asynchronous"=dword:00000001 "DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll" "Startup"="WlDimsStartup" "Shutdown"="WlDimsShutdown" "Logon"="WlDimsLogon" "Logoff"="WlDimsLogoff" "StartShell"="WlDimsStartShell" "Lock"="WlDimsLock" "Unlock"="WlDimsUnlock" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] @DACL=(02 0000) "DLLName"="wlnotify.dll" "Logon"="SCardStartCertProp" "Logoff"="SCardStopCertProp" "Lock"="SCardSuspendCertProp" "Unlock"="SCardResumeCertProp" "Enabled"=dword:00000001 "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] @DACL=(02 0000) "Asynchronous"=dword:00000000 "DllName"=expand:"wlnotify.dll" "Impersonate"=dword:00000000 "StartShell"="SchedStartShell" "Logoff"="SchedEventLogOff" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] @DACL=(02 0000) "Logoff"="WLEventLogoff" "Impersonate"=dword:00000000 "Asynchronous"=dword:00000001 "DllName"=expand:"sclgntfy.dll" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] @DACL=(02 0000) "DLLName"="WlNotify.dll" "Lock"="SensLockEvent" "Logon"="SensLogonEvent" "Logoff"="SensLogoffEvent" "Safe"=dword:00000001 "MaxWait"=dword:00000258 "StartScreenSaver"="SensStartScreenSaverEvent" "StopScreenSaver"="SensStopScreenSaverEvent" "Startup"="SensStartupEvent" "Shutdown"="SensShutdownEvent" "StartShell"="SensStartShellEvent" "PostShell"="SensPostShellEvent" "Disconnect"="SensDisconnectEvent" "Reconnect"="SensReconnectEvent" "Unlock"="SensUnlockEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] @DACL=(02 0000) "Asynchronous"=dword:00000000 "DllName"=expand:"wlnotify.dll" "Impersonate"=dword:00000000 "Logoff"="TSEventLogoff" "Logon"="TSEventLogon" "PostShell"="TSEventPostShell" "Shutdown"="TSEventShutdown" "StartShell"="TSEventStartShell" "Startup"="TSEventStartup" "MaxWait"=dword:00000258 "Reconnect"="TSEventReconnect" "Disconnect"="TSEventDisconnect" [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] @DACL=(02 0000) "DLLName"="wlnotify.dll" "Logon"="RegisterTicketExpiredNotificationEvent" "Logoff"="UnregisterTicketExpiredNotificationEvent" "Impersonate"=dword:00000001 "Asynchronous"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList] @DACL=(02 0000) "HelpAssistant"=dword:00000000 "TsInternetUser"=dword:00000000 "SQLAgentCmdExec"=dword:00000000 "NetShowServices"=dword:00000000 "IWAM_"=dword:00010000 "IUSR_"=dword:00010000 "VUSR_"=dword:00010000 [HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version] "Version"=hex:b0,e6,01,12,c3,e7,26,8a,6e,3c,bd,57,64,39,50,7a,31,e4,26,5f,55, c9,a9,d5,6a,23,84,f3,9c,c9,27,25,bd,57,b1,e4,02,a7,0a,39,27,73,e9,c6,54,88,\ . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(3832) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\iPod Access for Windows\iPAHelper.exe c:\program files\Java\jre6\bin\jqs.exe c:\windows\system32\nvsvc32.exe c:\program files\Dantz\Retrospect\retrorun.exe c:\progra~1\Dantz\RETROS~1\wdsvc.exe c:\windows\system32\WDBtnMgr.exe c:\program files\Brother\ControlCenter3\brccMCtl.exe c:\program files\iPod\bin\iPodService.exe c:\program files\Brother\Brmfcmon\BrMfcmon.exe . ************************************************************************** . Completion time: 2010-12-03 20:35:21 - machine was rebooted ComboFix-quarantined-files.txt 2010-12-04 01:35 ComboFix2.txt 2008-12-24 15:39 Pre-Run: 11,454,832,640 bytes free Post-Run: 10,870,611,968 bytes free - - End Of File - - 8B37A9629B17C20E90B9084353700916

Thanks, negster22, I have done as you have instructed and have attached the TDSS Killer log and the Combofix log to this message. TDSSKiller.2.4.10.0_01.12.2010_23.01.00_log.txt ComboFix.txt

I'm not sure how this got onto my system - probably by simply visiting an infected website. It installed the WhiteSmoke program and then blocked Malwarebytes from running (I don't recall the exact error message that it produced, but it was MBAM_...<something>...(5, 0)). Then it started running some "antivirus" scan. I was able to go into safe mode with networking and uninstall Malwarebytes, reinstall it, update it, and then remove all the things it found. I also deleted the WhiteSmoke program via the control panel. I also was able to update and run SuperAntivirus, which found a few more things I removed, but again the problem was not solved, as when I rebooted in normal mode, I got a message that the file leng2c.dll was not found, and then Malwarebytes again became disabled. However, it did give a different error message when I tried to run it: MBAM_ERROR_ENUMERATE_UNINSTALLLANGUAGES (2, 0). Once again, in safe mode, I managed to uninstall and then reinstall the latest version of Malwarebytes and remove the things it found as a result of the scan. I have attached a copy of the log Malwarebytes produced at the end of that session. The virus made my Avast software expire, and so it was disabled, however, there was a short period of time during which I was able to reactivate Avast by typing in a name and email address. I think this virus also tried to reassign my default search engine to Bing. In any case, I would appreciate any help from anyone who could help get rid of this thing. I am posting this now from safe mode with networking, so I am able to access the web and download and run things like DDS, and finally GMER. Here is DDS.txt. The GMER txt result and Attach files are zipped and attached to this message. DDS (Ver_10-11-27.01) - NTFSx86 NETWORK Run by Administrator at 13:19:28.60 on Wed 12/01/2010 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.370 [GMT -5:00] AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\Explorer.EXE C:\Documents and Settings\Administrator.PANAMA\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = hxxp://www.google.com/ BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll TB: &Save Flash: {4064ea35-578d-4073-a834-c96d82cbcf40} - c:\program files\save flash\SaveFlash.dll EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [nwiz] nwiz.exe /install mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe" mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe" mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe" mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [<NO NAME>] mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u mRun: [WD Button Manager] WDBtnMgr.exe mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe" mRun: [indexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe" mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini" mRun: [brMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB DPF: {00000014-9593-4264-8B29-930B3E4EDCCD} - hxxps://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall14.cab DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - hxxp://www.vectorvest.com/install/vvonlineus/setup.exe DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab DPF: {CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_19-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab Handler: x-atng - {7e8717b0-d862-11d5-8c9e-00010304f989} - c:\program files\fidelity investments\fidelity active trader\system\atngprot.dll Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL ============= SERVICES / DRIVERS =============== R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2006-5-15 15172] S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-4-14 165584] S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 12872] S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 67656] S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-14 17744] S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-25 40384] S2 File Backup;File Backup Service;c:\program files\starfield\offSyncService.exe [2010-7-16 1310960] S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-25 40384] S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-25 40384] S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2004-12-25 2944] S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2004-12-25 3168] S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2004-12-25 39552] S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2004-12-25 60416] S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\pavsrk.sys --> c:\windows\system32\PavSRK.sys [?] S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 12872] S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2004-12-27 142336] S3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2004-12-27 524288] =============== Created Last 30 ================ 2010-12-01 17:03:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-12-01 17:03:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-12-01 17:03:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-12-01 07:57:24 -------- d-----w- c:\windows\system32\wbem\repository\FS 2010-12-01 07:57:24 -------- d-----w- c:\windows\system32\wbem\Repository 2010-12-01 05:27:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware(2) 2010-12-01 05:05:18 -------- d-sh--w- c:\documents and settings\administrator.panama\PrivacIE 2010-12-01 05:04:42 -------- d-----w- c:\docume~1\admini~1.pan\locals~1\applic~1\Adobe 2010-12-01 04:53:50 0 ----a-w- c:\windows\Jmoqanoj.bin 2010-12-01 04:51:27 -------- d-----w- c:\windows\system32\%APPDATA% 2010-12-01 04:28:21 -------- d-sh--w- c:\documents and settings\administrator.panama\IETldCache 2010-11-20 20:20:00 -------- d-----w- c:\windows\ie8updates 2010-11-20 20:15:10 -------- dc-h--w- c:\windows\ie8 2010-11-20 20:11:01 13312 -c----w- c:\windows\system32\dllcache\iecompat.dll 2010-11-20 20:10:56 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll 2010-11-20 20:10:56 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll 2010-11-20 20:10:55 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll 2010-11-20 20:10:54 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll 2010-11-20 20:10:53 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll 2010-11-20 20:10:53 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll 2010-11-20 20:10:49 11080192 -c----w- c:\windows\system32\dllcache\ieframe.dll 2010-11-20 20:09:31 -------- d-----w- C:\8f1bc57f4eae3148477baeb92d48e899 2010-11-20 18:19:44 -------- d-----w- c:\program files\Starfield 2010-11-02 01:22:03 -------- d-----w- C:\abl ==================== Find3M ==================== 2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll 2010-09-18 06:53:25 974848 --sha-w- c:\windows\system32\mfc42.dll 2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll 2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll 2010-09-15 08:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll 2010-09-15 06:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl 2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll 2010-09-10 05:58:06 43520 ------w- c:\windows\system32\licmgr10.dll 2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr 2001-08-18 12:00:00 94784 --sh--w- c:\windows\twain.dll 2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll 2008-04-14 00:12:01 57344 --sh--w- c:\windows\system32\msvcirt.dll 2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll 2008-04-14 00:12:01 343040 --sha-w- c:\windows\system32\msvcrt.dll 2008-04-14 00:12:02 551936 --sh--w- c:\windows\system32\oleaut32.dll 2008-04-14 00:12:02 84992 --sh--w- c:\windows\system32\olepro32.dll 2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe =================== ROOTKIT ==================== Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net Windows 5.1.2600 Disk: MAXTOR_6L080J4 rev.A93.0500 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3 device: opened successfully user: MBR read successfully Disk trace: called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82F2E566]<< _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x82f34624]; MOV EAX, [0x82f346a0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; } 1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x82FA0AB8] 3 CLASSPNP[0xF8606FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000059[0x82F823B8] 5 ACPI[0xF856D620] -> nt!IofCallDriver[0x804E37D5] -> [0x82FAAD98] \Driver\atapi[0x82FA0818] -> IRP_MJ_CREATE -> 0x82F2E566 kernel: MBR read successfully _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [bP+0x0], CL; INC BP; } detected disk devices: \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMAXTOR_6L080J4__________________________A93.0500#363632343131313330 3535322020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found detected hooks: \Driver\atapi DriverStartIo -> 0x82F2E3B2 user != kernel MBR !!! sectors 156355582 (+255): user != kernel Warning: possible TDL4 rootkit infection ! TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix. ============= FINISH: 13:21:45.23 =============== Attach.zip mbam_log_2010_12_01__13_13_43_.txt